Adversarial Attacks against LiDAR Semantic Segmentation in Autonomous Driving

Today, most autonomous vehicles (AVs) rely on LiDAR (Light Detection and Ranging) perception to acquire accurate information about their immediate surroundings. In LiDAR-based perception systems, semantic segmentation plays a critical role: it divides LiDAR point clouds into meaningful regions according to human perception and provides AVs with a semantic understanding of the driving environment. However, existing semantic segmentation models implicitly assume that they operate in a reliable and secure environment, which may not be true in practice. In this paper, we investigate adversarial attacks against LiDAR semantic segmentation in autonomous driving. Specifically, we propose a novel adversarial attack framework with which an attacker can easily fool LiDAR semantic segmentation by placing simple objects (e.g., cardboard and road signs) at certain locations in the physical space. We conduct extensive real-world experiments to evaluate the performance of our proposed attack framework. The experimental results show that our attack can achieve a success rate of more than 90% in real-world driving environments. To the best of our knowledge, this is the first study on physically realizable adversarial attacks against LiDAR point cloud semantic segmentation with real-world evaluations.
