Stop-and-Go: Exploring Backdoor Attacks on Deep Reinforcement Learning-Based Traffic Congestion Control Systems

Recent work has shown that the introduction of autonomous vehicles (AVs) in traffic could help reduce traffic jams. Deep reinforcement learning methods demonstrate good performance in complex control problems, including autonomous vehicle control, and have been used in state-of-the-art AV controllers. However, deep neural networks (DNNs) render automated driving vulnerable to machine learning-based attacks. In this work, we explore the backdooring/trojanning of DRL-based AV controllers. We develop a trigger design methodology that is based on well-established principles of traffic physics. The malicious actions include vehicle deceleration and acceleration to cause stop-and-go traffic waves to emerge (congestion attacks) or AV acceleration resulting in the AV crashing into the vehicle in front (insurance attack). We test our attack on single-lane and two-lane circuits. Our experimental results show that the backdoored model does not compromise normal operation performance, with the maximum decrease in cumulative rewards being 1%. Still, it can be maliciously activated to cause a crash or congestion when the corresponding triggers appear.
