Adversarial Attacks and Defense Technologies on Autonomous Vehicles: A Review

[1] S. Qiu, Q. Liu, S. Zhou, and C. Wu, “Review of artificial intelligence adversarial attack and defense technologies,” Applied Sciences, vol. 9, no. 5, Mar. 2019. https://doi.org/10.3390/app905090910.3390/app9050909 Search in Google Scholar

[2] A. Manfreda, K. Ljubi, and A. Groznik, “Autonomous vehicles in the smart city era: An empirical study of adoption factors important for millennials,” International Journal of Information Management, vol. 58, Art no. 102050, 2021. https://doi.org/10.1016/j.ijinfomgt.2019.10205010.1016/j.ijinfomgt.2019.102050 Search in Google Scholar

[3] Y. Li, X. Xu, J. Xiao, S. Li, and H. T. Shen, “Adaptive square attack: Fooling autonomous cars with adversarial traffic signs,” IEEE Internet of Things Journal, vol. 8, no. 8, pp. 6337–6347, Apr. 2021. https://doi.org/10.1109/JIOT.2020.301614510.1109/JIOT.2020.3016145 Search in Google Scholar

[4] B. Jason, “What is deep learning?,” Machine Learning Mastery, 2019. [Online]. Available: https://machinelearningmastery.com/what-is-deep-learning/. Accessed Apr. 05, 2021. Search in Google Scholar

[5] H. Xu et al., “Adversarial attacks and defenses in images, graphs and text: A review,” International Journal of Automation and Computing, vol. 17, pp. 151–178, Mar. 2020. https://doi.org/10.1007/s11633-019-1211-x10.1007/s11633-019-1211-x Search in Google Scholar

[6] A. Gupta, A. Anpalagan, L. Guan, and A. S. Khwaja, “Deep learning for object detection and scene perception in self-driving cars: Survey, challenges, and open issues,” Array, vol. 10, Art no. 100057, Jul. 2021. https://doi.org/10.1016/j.array.2021.10005710.1016/j.array.2021.100057 Search in Google Scholar

[7] N. Morgulis, A. Kreines, S. Mendelowitz, and Y. Weisglass, “Fooling a real car with adversarial traffic signs,” ArXiv, Art no. 1907.00374, 2019. Search in Google Scholar

[8] J. Gao, M. R. A. Khandaker, F. Tariq, K.-K. Wong, and R. T. Khan, “Deep neural network based resource allocation for V2X communications,” in 2019 IEEE 90th Vehicular Technology Conference (VTC2019-Fall), Honolulu, HI, USA, Sep. 2019, pp. 1–5. https://doi.org/10.1109/VTCFall.2019.889144610.1109/VTCFall.2019.8891446 Search in Google Scholar

[9] Y. Tian, K. Pei, S. S. Jana, and B. Ray, “Deeptest: Automated testing of deep-neural-network-driven autonomous cars,” in 2018 IEEE/ACM 40th International Conference on Software Engineering (ICSE), May 2018, pp. 303–314. https://doi.org/10.1145/3180155.318022010.1145/3180155.3180220 Search in Google Scholar

[10] P. J. Leiss, “The functional components of autonomous vehicles – Expert article,” Robson Forensic, Sep. 2018. [Online]. Available: https://www.robsonforensic.com/articles/autonomous-vehicles-sensors-expert/ Search in Google Scholar

[11] G. Sun, Y. Su, C. Qin, W. Xu, X. Lu, and A. Ceglowski, “Complete defense framework to protect deep neural networks against adversarial examples,” Mathematical Problems in Engineering, vol. 2020, Art no. 8319249, May 2020. https://doi.org/10.1155/2020/831924910.1155/2020/8319249 Search in Google Scholar

[12] A. Chakraborty, M. Alam, V. Dey, A. Chattopadhyay, and D. Mukhopadhyay, “Adversarial attacks and defences: A survey,” ArXiv, Art no. 1810.00069, 2018. Search in Google Scholar

[13] X. Liu et al., “Privacy and security issues in deep learning: A survey,” IEEE Access, vol. 9, pp. 4566–4593, 2021. https://doi.org/10.1109/ACCESS.2020.304507810.1109/ACCESS.2020.3045078 Search in Google Scholar

[14] I. Goodfellow, J. Shlens, and C. Szegedy, “Explaining and harnessing adversarial examples,” ArXiv, Art no.1412.6572, 2015. Search in Google Scholar

[15] A. Madry, A. Makelov, L. Schmidt, D. Tsipras, and A. Vladu, “Towards deep learning models resistant to adversarial attacks,” ArXiv, Art no. 1706.06083, 2018. Search in Google Scholar

[16] K. Ren, T. Zheng, Z. Qin, and X. Liu, “Adversarial attacks and defenses in deep learning,” Engineering, vol. 6, no. 3, pp. 346–360, 2020. https://doi.org/10.1016/j.eng.2019.12.01210.1016/j.eng.2019.12.012 Search in Google Scholar

[17] M. Rigaki and S. García, “A survey of privacy attacks in machine learning,” ArXiv, Art no. 2007.07646, 2020. Search in Google Scholar

[18] N. Papernot, P. McDaniel, X. Wu, S. Jha, and A. Swami, “Distillation as a defense to adversarial perturbations against deep neural networks,” in 2016 IEEE Symposium on Security and Privacy (SP), San Jose, CA, USA, May 2016, pp. 582–597. https://doi.org/10.1109/SP.2016.4110.1109/SP.2016.41 Search in Google Scholar

[19] P. Samangouei, M. Kabkab, and R. Chellappa, “Defense-GAN: Protecting classifiers against adversarial attacks using generative models,” ArXiv, Art no. 1805.06605, 2018. Search in Google Scholar

[20] F. Liao, M. Liang, Y. Dong, T. Pang, J. Zhu, and X. Hu, “Defense against adversarial attacks using high-level representation guided denoiser,” in 2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition, Salt Lake City, UT, USA, June 2018, pp. 1778–1787. https://doi.org/10.1109/CVPR.2018.0019110.1109/CVPR.2018.00191 Search in Google Scholar

[21] T. Bai, J. Luo, J. Zhao, B. Wen, and Q. Wang, “Recent advances in adversarial training for adversarial robustness,” ArXiv, Art no. 2102.01356, 2021. Search in Google Scholar

[22] F. Tramèr, A. Kurakin, N. Papernot, D. Boneh, and P. McDaniel, “Ensemble adversarial training: Attacks and defenses,” ArXiv, Art no. 1705.07204, 2018. Search in Google Scholar

[23] N. Papernot, P. Mcdaniel, I. Goodfellow, S. Jha, Z. Y. Celik, and A. Swami, “Practical black-box attacks against machine learning,” in Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security, Apr. 2017, pp. 506–519. https://doi.org/10.1145/3052973.305300910.1145/3052973.3053009 Search in Google Scholar

[24] E. Raff, J. Sylvester, S. Forsyth, and M. McLean, “Barrage of random transforms for adversarially robust defense,” in 2019 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), Long Beach, CA, USA, June 2019, pp. 6521–6530. https://doi.org/10.1109/CVPR.2019.0066910.1109/CVPR.2019.00669 Search in Google Scholar

[25] Y. Huang and Y. Chen, “Autonomous driving with deep learning: A survey of state-of-art technologies,” ArXiv, Art no. 2006.06091, 2020. Search in Google Scholar

[26] K. Ren, Q. Wang, C. Wang, Z. Qin, and X. Lin, “The security of autonomous driving: Threats, defenses, and future directions,” Proceedings of the IEEE, vol. 108, no. 2, pp. 357–372, Nov. 2020. https://doi.org/10.1109/JPROC.2019.294877510.1109/JPROC.2019.2948775 Search in Google Scholar

[27] “Future of driving,” Tesla. [Online]. Available: https://www.tesla.com/autopilot. Accessed on: Jun. 04, 2021. Search in Google Scholar

[28] A. Osman Ors, “The role of machine learning in autonomous vehicles,” Endeavor Business Media, LLC, 2020. [Online]. Available: https://www.electronicdesign.com/markets/automotive/article/21147200/nxp-semiconductors-the-role-of-machine-learning-in-autonomous-vehicles. Accessed on: Jun. 04, 2021. Search in Google Scholar

[29] C. Sitawarin, A. Bhagoji, A. Mosenia, M. Chiang, and P. Mittal, “DARTS: Deceiving autonomous cars with toxic signs,” ArXiv, Art no. 1802.06430, 2018. Search in Google Scholar

[30] A. Madry and Z. Kolter, “Adversarial robustness – theory and practice,” 2018. [Online]. Available: https://adversarial-ml-tutorial.org/. Accessed on: Oct. 04, 2021. Search in Google Scholar

[31] J. Stallkamp, M. Schlipsing, J. Salmen, and C. Igel, “Man vs. computer: Benchmarking machine learning algorithms for traffic sign recognition,” Neural Networks, vol. 32, pp. 323–332, 2012. https://doi.org/10.1016/j.neunet.2012.02.01610.1016/j.neunet.2012.02.01622394690 Search in Google Scholar

[32] S. Houben, J. Stallkamp, J. Salmen, M. Schlipsing, and C. Igel, “Detection of traffic signs in real-world images: The German traffic sign detection benchmark,” in The 2013 International Joint Conference on Neural Networks (IJCNN), Dallas, TX, USA, Aug. 2013, pp. 1–8. https://doi.org/10.1109/IJCNN.2013.670680710.1109/IJCNN.2013.6706807 Search in Google Scholar

[33] S. Tietz and K. Nassiri Nazif, “Attacking autonomous driving machine learning algorithms with adversarial examples,” Standford University, 2019. [Online]. Available: http://cs230.stanford.edu/projects_spring_2019/reports/18681219.pdf Search in Google Scholar

[34] C. Xiao, B. Li, J. Zhu, W. He, M. Liu, and D. Song, “Generating adversarial examples with adversarial networks,” in Proceedings of the Twenty-Seventh International Joint Conference on Artificial Intelligence, IJCAI-18, 2018, pp. 3905–3911. https://doi.org/10.24963/ijcai.2018/54310.24963/ijcai.2018/543 Search in Google Scholar

[35] M. Andriushchenko, F. Croce, N. Flammarion, and M. Hein, “Square attack: A query-efficient black-box adversarial attack via random search,” in Computer Vision – ECCV 2020, LNCS, vol. 12368, 2020, pp. 484–501. https://doi.org/10.1007/978-3-030-58592-1_2910.1007/978-3-030-58592-1_29 Search in Google Scholar

[36] N.-D. Nguyen, T. Do, T. D. Ngo, and D.-D. Le, “An evaluation of deep learning methods for small object detection,” Journal of Electrical and Computer Engineering, vol. 2020, Art no. 3189691, Apr. 2020. https://doi.org/10.1155/2020/318969110.1155/2020/3189691 Search in Google Scholar

[37] K. Eykholt et al., “Note on attacking object detectors with adversarial stickers,” ArXiv, Art no. 1712.08062, 2017. Search in Google Scholar

[38] S.-T. Chen, C. Cornelius, J. Martin, and D. H. (Polo) Chau, “ShapeShifter: Robust physical adversarial attack on faster R-CNN object detector,” in Machine Learning and Knowledge Discovery in Databases, LNCS, vol. 11051, 2019, pp. 52–68. https://doi.org/10.1007/978-3-030-10925-7_410.1007/978-3-030-10925-7_4 Search in Google Scholar

[39] N. Carlini and D. A. Wagner, “Towards evaluating the robustness of neural networks,” in 2017 IEEE Symposium on Security and Privacy (SP), San Jose, CA, USA, May 2017, pp. 39–57. https://doi.org/10.1109/SP.2017.4910.1109/SP.2017.49 Search in Google Scholar

[40] A. Athalye, L. Engstrom, A. Ilyas, and K. Kwok, “Synthesizing robust adversarial examples,” in Proceedings of the 35th International Conference on Machine Learning, Jul. 2018, vol. 80, pp. 284–293. [Online]. Available: http://proceedings.mlr.press/v80/athalye18b.html Search in Google Scholar

[41] T.-Y. Lin et al., “Microsoft COCO: Common Objects in Context,” in Computer Vision – ECCV 2014. Lecture Notes in Computer Science, vol 8693, 2014, pp. 740–755. https://doi.org/10.1007/978-3-319-10602-1_4810.1007/978-3-319-10602-1_48 Search in Google Scholar

[42] K. Eykholt et al., “Robust physical-world attacks on deep learning visual classification,” in 2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition, Salt Lake City, UT, USA, Jun. 2018, pp. 1625–1634. https://doi.org/10.1109/CVPR.2018.0017510.1109/CVPR.2018.00175 Search in Google Scholar

[43] A. Møgelmose, M. M. Trivedi, and T. B. Moeslund, “Vision-based traffic sign detection and analysis for intelligent driver assistance systems: Perspectives and survey,” IEEE Transactions on Intelligent Transportation Systems, vol. 13, pp. 1484–1497, Oct. 2012. https://doi.org/10.1109/TITS.2012.220942110.1109/TITS.2012.2209421 Search in Google Scholar

[44] K. Eykholt et al., “Physical adversarial examples for object detectors,” in Proceedings of the 12th USENIX Conference on Offensive Technologies, USA, 2018, p. 1. Search in Google Scholar

[45] G. Lovisotto, H. C. M. Turner, I. Sluganovic, M. Strohmeier, and I. Martinovic, “SLAP: Improving physical adversarial examples with short-lived adversarial perturbations,” ArXiv, Art no. 2007.04137, 2021. Search in Google Scholar

[46] X. Xu, J. Zhang, Y. Li, Y. Wang, Y. Yang, and H. T. Shen, “Adversarial attack against urban scene segmentation for autonomous vehicles,” IEEE Transactions on Industrial Informatics, vol. 17, no. 6, pp. 4117–4126, Jun. 2021. https://doi.org/10.1109/TII.2020.302464310.1109/TII.2020.3024643 Search in Google Scholar

[47] A. Boloor, X. He, C. Gill, Y. Vorobeychik, and X. Zhang, “Simple physical adversarial examples against end-to-end autonomous driving models,” in 2019 IEEE International Conference on Embedded Software and Systems (ICESS), Las Vegas, NV, USA, Jun. 2019, pp. 1–7. https://doi.org/10.1109/ICESS.2019.878251410.1109/ICESS.2019.8782514 Search in Google Scholar

[48] H. Zhou et al., “DeepBillboard: Systematic physical-world testing of autonomous driving systems,” in 2020 IEEE/ACM 42nd International Conference on Software Engineering (ICSE), Oct. 2020, pp. 347–358. https://doi.org/10.1145/3377811.338042210.1145/3377811.3380422 Search in Google Scholar

[49] H. Wu and W. Ruan, “Adversarial driving: Attacking end-to-end autonomous driving systems,” ArXiv, Art no. 2103.09151, 2021. Search in Google Scholar

[50] Y. Deng, X. Zheng, T. Zhang, C. Chen, G. Lou, and M. Kim, “An analysis of adversarial attacks and defenses on autonomous driving models,” in 2020 IEEE International Conference on Pervasive Computing and Communications (PerCom), Austin, TX, USA, Mar. 2020, pp. 1–10. https://doi.org/10.1109/PerCom45495.2020.912738910.1109/PerCom45495.2020.9127389 Search in Google Scholar

[51] O. Poursaeed, I. Katsman, B. Gao, and S. Belongie, “Generative adversarial perturbations,” in 2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition, Salt Lake City, UT, USA, Jun. 2018, pp. 4422–4431. https://doi.org/10.1109/CVPR.2018.0046510.1109/CVPR.2018.00465 Search in Google Scholar

[52] M. Wan, M. Han, L. Li, Z. Li, and S. He, “Effects of and defenses against adversarial attacks on a traffic light classification CNN,” in Proceedings of the 2020 ACM Southeast Conference, New York, NY, USA, 2020, pp. 94–99. https://doi.org/10.1145/3374135.338528810.1145/3374135.3385288 Search in Google Scholar

[53] A. M. Aung, Y. Fadila, R. Gondokaryono, and L. Gonzalez, “Building robust deep neural networks for road sign detection,” ArXiv, Art no. 1712.09327, 2017. Search in Google Scholar

[54] N. Papernot, P. McDaniel, S. Jha, M. Fredrikson, Z. B. Celik, and A. Swami, “The limitations of deep learning in adversarial settings,” in 2016 IEEE European Symposium on Security and Privacy (EuroS&P), Saarbruecken, Germany, Mar. 2016, pp. 372–387. https://doi.org/10.1109/EuroSP.2016.3610.1109/EuroSP.2016.36 Search in Google Scholar

[55] F. Wu, L. Xiao, W. Yang, and J. Zhu, “Defense against adversarial attacks in traffic sign images identification based on 5G,” EURASIP Journal on Wireless Communications and Networking, vol. 2020, Art no. 173, Sep. 2020. https://doi.org/10.1186/s13638-020-01775-510.1186/s13638-020-01775-5 Search in Google Scholar

[56] H. Gan and C. Liu, “An autoencoder based approach to defend against adversarial attacks for autonomous vehicles,” in 2020 International Conference on Connected and Autonomous Driving (MetroCAD), Feb. 2020, pp. 43–44. https://doi.org/10.1109/MetroCAD48866.2020.0001510.1109/MetroCAD48866.2020.00015 Search in Google Scholar

[57] Q. Sun, A. A. Rao, X. Z. Yao, B. Yu, and S. Hu, “Counteracting adversarial attacks in autonomous driving,” in 2020 IEEE/ACM International Conference On Computer Aided Design (ICCAD), Art no. 83, Nov. 2020, pp. 1–7. https://doi.org/10.1145/3400302.341575810.1145/3400302.3415758 Search in Google Scholar

[58] J. Lu, H. Sibai, E. Fabry, and D. A. Forsyth, “No need to worry about adversarial examples in object detection in autonomous vehicles,” ArXiv, Art no. 1707.03501, 2017. Search in Google Scholar

[59] Md. T. Hossan et al., “A new vehicle localization scheme based on combined optical camera communication and photogrammetry,” Mobile Information Systems, vol. 2018, Art no. 8501898, Apr. 2018. https://doi.org/10.1155/2018/850189810.1155/2018/8501898 Search in Google Scholar

[60] H. Lee, S. Song, and S. Jo, “3D reconstruction using a sparse laser scanner and a single camera for outdoor autonomous vehicle,” in 2016 IEEE 19th International Conference on Intelligent Transportation Systems (ITSC), Rio de Janeiro, Brazil, Nov. 2016, pp. 629–634. https://doi.org/10.1109/ITSC.2016.779561910.1109/ITSC.2016.7795619 Search in Google Scholar

[61] R. Martin-Brualla, N. Radwan, M. S. M. Sajjadi, J. T. Barron, A. Dosovitskiy, and D. Duckworth, “NeRF in the wild: Neural radiance fields for unconstrained photo collections,” in 2021 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), Nashville, TN, USA, June 2021, pp. 7206–7215. https://doi.org/10.1109/CVPR46437.2021.0071310.1109/CVPR46437.2021.00713 Search in Google Scholar

[62] C. Sitawarin, A. Bhagoji, A. Mosenia, P. Mittal, and M. Chiang, “Rogue signs: Deceiving traffic sign recognition with malicious ads and logos,” ArXiv, Art no. 1801.02780, 2018. Search in Google Scholar

[63] M. Cordts et al., “The cityscapes dataset for semantic urban scene understanding,” in 2016 IEEE Conference on Computer Vision and Pattern Recognition (CVPR), Las Vegas, NV, USA, June 2016, pp. 3213–3223. https://doi.org/10.1109/CVPR.2016.35010.1109/CVPR.2016.350 Search in Google Scholar

[64] “Udacity self-driving car driving data,” udacity, 2016. [Online]. Available: https://github.com/udacity/self-driving-car Search in Google Scholar

[65] Y. Zhou, L. Liu, L. Shao, and M. Mellor, “DAVE: A unified framework for fast vehicle detection and annotation,” ArXiv, Art no. 1607.04564, 2016. Search in Google Scholar

[66] A. Geiger, P. Lenz, C. Stiller, and R. Urtasun, “Vision meets robotics: The KITTI dataset,” The International Journal of Robotics Research, vol. 32, no. 11, pp. 1231–1237, Aug. 2013. https://doi.org/10.1177/027836491349129710.1177/0278364913491297 Search in Google Scholar

[67] A. Mahendran and A. Vedaldi, “Understanding deep image representations by inverting them,” in 2015 IEEE Conference on Computer Vision and Pattern Recognition (CVPR), Boston, MA, USA, June 2015, pp. 5188–5196. https://doi.org/10.1109/CVPR.2015.729915510.1109/CVPR.2015.7299155 Search in Google Scholar

[68] D. Temel, G. Kwon, M. Prabhushankar, and G. Al-Regib, “CURE-TSR: Challenging unreal and real environments for traffic sign recognition,” ArXiv, Art no. 1712.02463, 2017. Search in Google Scholar

[69] P. Bielik, P. Tsankov, A. Krause, and M. Vechev, “Reliability assessment of traffic sign classifiers,” Federal Office for Information Security, Jul. 2020. Accessed: Apr. 07, 2021. [Online]. Available: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/KI/Empirical_robustness_testing_of_AI_systems_for_traffic_sign_recognition.pdf?__blob=publicationFile&v=2 Search in Google Scholar

[70] M. Shu, Y. Shen, M. C. Lin, and T. Goldstein, “Adversarial differentiable data augmentation for autonomous systems,” in 2021 IEEE International Conference on Robotics and Automation (ICRA), Xi’an, China, 2021, pp. 14069–14075. https://doi.org/10.1109/ICRA48506.2021.956120510.1109/ICRA48506.2021.9561205 Search in Google Scholar

[71] A. S. Mohammed, A. Amamou, F. K. Ayevide, S. Kelouwani, K. Agbossou, and N. Zioui, “The perception system of intelligent ground vehicles in all weather conditions: A systematic literature review,” Sensors, vol. 20, no. 22, Art no. 6532, pp. 1–34, Nov. 2020. https://doi.org/10.3390/s2022653210.3390/s20226532769711033203155 Search in Google Scholar

[72] N. M. Gurel, X. Qi, L. Rimanic, C. Zhang, and B. Li, “Knowledge enhanced machine learning pipeline against diverse adversarial attacks,” ArXiv, Art no. 2106.06235, 2021. Search in Google Scholar

[73] T. Zhang, Y. Deng, G. Lou, X. Zheng, J. Jin, and Q.-L. Han, “Deep learning-based autonomous driving systems: A survey of attacks and defenses,” IEEE Transactions on Industrial Informatics, vol. 17, no. 12, pp. 7897–7912, Dec. 2021. https://doi.org/10.1109/TII.2021.307140510.1109/TII.2021.3071405 Search in Google Scholar

[74] A. Laugros, A. Caplier, and M. Ospici, “Are adversarial robustness and common perturbation robustness independent attributes ?” in 2019 IEEE/CVF International Conference on Computer Vision Workshop (ICCVW), Seoul, Korea (South), Oct. 2019, pp. 1045–1054. https://doi.org/10.1109/ICCVW.2019.0013410.1109/ICCVW.2019.00134 Search in Google Scholar

[75] B. R. Kiran et al., “Deep reinforcement learning for autonomous driving: A survey,” ArXiv, Art no. 2002.00444, 2020. Search in Google Scholar

[76] L. Eliot, “Federated machine learning for AI self-driving cars,” 2018. [Online]. Available: https://www.aitrends.com/ai-insider/federated-machine-learning-for-ai-self-driving-cars/. Accessed on: Apr. 14, 2021. Search in Google Scholar

[77] A. M. Elbir and S. Coleri, “Federated learning for vehicular networks,” ArXiv, Art no. 2006.01412, 2020. Search in Google Scholar