Hacking Predictors Means Hacking Cars: Using Sensitivity Analysis to Identify Trajectory Prediction Vulnerabilities for Autonomous Driving Security
0
🔮
Sign in to get full access
Overview
- This paper examines the susceptibility of two popular trajectory prediction models, Trajectron++ and AgentFormer, to adversarial attacks.
- The researchers conduct a sensitivity analysis to understand which inputs are most influential for the models' predictions.
- They then demonstrate how an undetectable perturbation to the image map input can induce large errors in the models' predictions, despite the models being more sensitive to perturbations in the state history.
- The paper also shows how these attacks can impact downstream planning and control, causing a vehicle to suddenly stop from moderate driving speeds.
Plain English Explanation
The researchers in this paper looked at how to trick two AI models that are used to predict the future movement of vehicles and pedestrians. These models are an important part of self-driving car systems, helping the car plan its next actions.
The researchers found that the models were most sensitive to changes in the most recent position and speed of the vehicle or person being tracked. This means that small changes to these inputs could cause the models to make big mistakes in their predictions.
However, the researchers also discovered something interesting. Even though the models were more sensitive to changes in the position and speed data, an undetectable change to the map data that the models use could also cause large errors in their predictions. This shows that these AI models for trajectory prediction are vulnerable to attacks that target the map data, not just the vehicle or pedestrian data.
The researchers then showed how these attacks on the trajectory prediction models could impact the planning and control of a self-driving car, causing it to suddenly stop from normal driving speeds. This demonstrates how these types of attacks could be a real problem for the safety and reliability of self-driving car systems.
Technical Explanation
The researchers conducted a sensitivity analysis on the Trajectron++ and AgentFormer trajectory prediction models to understand which inputs were most influential for their predictions. They found that almost all of the perturbation sensitivities for both models were concentrated within the most recent position and velocity states.
However, the researchers also demonstrated that an undetectable perturbation to the image map input, generated using the Fast Gradient Sign Method, could induce large prediction error increases in both models. This revealed that these trajectory predictors are susceptible to image-based attacks, despite their dominant sensitivity to state history perturbations.
Using an optimization-based planner and example perturbations crafted from their sensitivity analysis, the researchers showed how these attacks could cause a vehicle to come to a sudden stop from moderate driving speeds. This highlights the potential impact these types of adversarial attacks could have on the safety and reliability of autonomous vehicle systems.
Critical Analysis
The researchers provide a thorough analysis of the sensitivity of two popular trajectory prediction models to various input perturbations. Their findings suggest that these models, while heavily reliant on state history, are also vulnerable to more subtle attacks targeting the image map input.
However, the paper does not explore the generalizability of these findings to other trajectory prediction models or autonomous driving systems. The experiments were conducted on a specific dataset and scenario, and it's unclear how the results might translate to real-world driving conditions or other model architectures.
Additionally, the paper does not delve into potential mitigation strategies or defenses against these types of attacks. Further research would be needed to understand how these trajectory prediction models could be made more robust to adversarial perturbations, both in the state history and image map inputs.
Conclusion
This paper highlights the susceptibility of two widely used trajectory prediction models to adversarial attacks. The researchers demonstrated that while these models are most sensitive to perturbations in the vehicle or pedestrian state history, they can also be fooled by more subtle changes to the environmental map data.
These findings have important implications for the safety and reliability of autonomous driving systems, which rely heavily on accurate trajectory prediction to plan and execute safe maneuvers. The paper underscores the need for continued research into the robustness and security of these AI-based components, as well as the development of effective countermeasures against adversarial attacks.
As autonomous vehicle technology continues to advance, it will be crucial for researchers and developers to address these vulnerabilities to ensure the safe and trustworthy deployment of self-driving cars on public roads.
This summary was produced with help from an AI and may contain inaccuracies - check out the links to read the original source documents!
Related Papers
🔮
0
Hacking Predictors Means Hacking Cars: Using Sensitivity Analysis to Identify Trajectory Prediction Vulnerabilities for Autonomous Driving Security
Marsalis Gibson, David Babazadeh, Claire Tomlin, Shankar Sastry
Adversarial attacks on learning-based multi-modal trajectory predictors have already been demonstrated. However, there are still open questions about the effects of perturbations on inputs other than state histories, and how these attacks impact downstream planning and control. In this paper, we conduct a sensitivity analysis on two trajectory prediction models, Trajectron++ and AgentFormer. The analysis reveals that between all inputs, almost all of the perturbation sensitivities for both models lie only within the most recent position and velocity states. We additionally demonstrate that, despite dominant sensitivity on state history perturbations, an undetectable image map perturbation made with the Fast Gradient Sign Method can induce large prediction error increases in both models, revealing that these trajectory predictors are, in fact, susceptible to image-based attacks. Using an optimization-based planner and example perturbations crafted from sensitivity results, we show how these attacks can cause a vehicle to come to a sudden stop from moderate driving speeds.
Read more5/22/2024
0
A survey on robustness in trajectory prediction for autonomous vehicles
Jeroen Hagenus, Frederik Baymler Mathiesen, Julian F. Schumann, Arkady Zgonnikov
Autonomous vehicles rely on accurate trajectory prediction to inform decision-making processes related to navigation and collision avoidance. However, current trajectory prediction models show signs of overfitting, which may lead to unsafe or suboptimal behavior. To address these challenges, this paper presents a comprehensive framework that categorizes and assesses the definitions and strategies used in the literature on evaluating and improving the robustness of trajectory prediction models. This involves a detailed exploration of various approaches, including data slicing methods, perturbation techniques, model architecture changes, and post-training adjustments. In the literature, we see many promising methods for increasing robustness, which are necessary for safe and reliable autonomous driving.
Read more4/23/2024
0
A First Physical-World Trajectory Prediction Attack via LiDAR-induced Deceptions in Autonomous Driving
Yang Lou, Yi Zhu, Qun Song, Rui Tan, Chunming Qiao, Wei-Bin Lee, Jianping Wang
Trajectory prediction forecasts nearby agents' moves based on their historical trajectories. Accurate trajectory prediction is crucial for autonomous vehicles. Existing attacks compromise the prediction model of a victim AV by directly manipulating the historical trajectory of an attacker AV, which has limited real-world applicability. This paper, for the first time, explores an indirect attack approach that induces prediction errors via attacks against the perception module of a victim AV. Although it has been shown that physically realizable attacks against LiDAR-based perception are possible by placing a few objects at strategic locations, it is still an open challenge to find an object location from the vast search space in order to launch effective attacks against prediction under varying victim AV velocities. Through analysis, we observe that a prediction model is prone to an attack focusing on a single point in the scene. Consequently, we propose a novel two-stage attack framework to realize the single-point attack. The first stage of prediction-side attack efficiently identifies, guided by the distribution of detection results under object-based attacks against perception, the state perturbations for the prediction model that are effective and velocity-insensitive. In the second stage of location matching, we match the feasible object locations with the found state perturbations. Our evaluation using a public autonomous driving dataset shows that our attack causes a collision rate of up to 63% and various hazardous responses of the victim AV. The effectiveness of our attack is also demonstrated on a real testbed car. To the best of our knowledge, this study is the first security analysis spanning from LiDAR-based perception to prediction in autonomous driving, leading to a realistic attack on prediction. To counteract the proposed attack, potential defenses are discussed.
Read more6/18/2024
0
SA-Attack: Speed-adaptive stealthy adversarial attack on trajectory prediction
Huilin Yin, Jiaxiang Li, Pengju Zhen, Jun Yan
Trajectory prediction is critical for the safe planning and navigation of automated vehicles. The trajectory prediction models based on the neural networks are vulnerable to adversarial attacks. Previous attack methods have achieved high attack success rates but overlook the adaptability to realistic scenarios and the concealment of the deceits. To address this problem, we propose a speed-adaptive stealthy adversarial attack method named SA-Attack. This method searches the sensitive region of trajectory prediction models and generates the adversarial trajectories by using the vehicle-following method and incorporating information about forthcoming trajectories. Our method has the ability to adapt to different speed scenarios by reconstructing the trajectory from scratch. Fusing future trajectory trends and curvature constraints can guarantee the smoothness of adversarial trajectories, further ensuring the stealthiness of attacks. The empirical study on the datasets of nuScenes and Apolloscape demonstrates the attack performance of our proposed method. Finally, we also demonstrate the adaptability and stealthiness of SA-Attack for different speed scenarios. Our code is available at the repository: https://github.com/eclipse-bot/SA-Attack.
Read more4/22/2024