Gradient-Free Adversarial Attacks on 3D Point Clouds from LiDAR Sensors

Machine Learning and Optimization Techniques for Automotive Cyber-Physical Systems

Abstract

Light Detection and Ranging (LiDAR) plays a key role in the perception stacks of modern advanced driver assistance and autonomous driving systems. Neural networks are the state-of-the-art technique to classify 3D points from LiDAR sensors. However, neural networks have been shown to be susceptible to adversarial attacks. In this article, we formalize these adversarial attacks on LiDAR semantic segmentation as a generic multi-objective optimization problem and solve the resulting minimization problem with Evolutionary Algorithms. Therefore, we can treat the neural network as a black box and do not rely on any intrinsic knowledge, such as gradient estimates. We present two ways to encode the problem for Evolutionary Algorithms. Our experiments with the real-world KITTI dataset and a state-of-the-art semantic segmentation neural network for LiDAR data show that Evolutionary Algorithms are suitable for solving the optimization problem. Further, our results confirm that targeting the attack by constraining the volume for manipulated LiDAR points leads to more effective attack patterns with lower perturbations than attacking a set of arbitrary points from the scan.

Notes

  1. The phrasing in this explanation refers to a minimization problem. An explanation focused on maximization problems is omitted since minimization problems can be trivially transformed into maximization problems and vice versa.

Author information

Corresponding author

Correspondence to Stefan Wildermann.

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this chapter

Cite this chapter

Urfei, J., Smirnov, F., Weichslgartner, A., Wildermann, S. (2023). Gradient-Free Adversarial Attacks on 3D Point Clouds from LiDAR Sensors. In: Kukkala, V.K., Pasricha, S. (eds) Machine Learning and Optimization Techniques for Automotive Cyber-Physical Systems. Springer, Cham. https://doi.org/10.1007/978-3-031-28016-0_7

  • DOI: https://doi.org/10.1007/978-3-031-28016-0_7

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-28015-3

  • Online ISBN: 978-3-031-28016-0

  • eBook Packages: Engineering, Engineering (R0)
