Abstract
Light Detection and Ranging (LiDAR) plays a key role in the perception stacks of modern advanced driver assistance and autonomous driving systems. Neural networks are the state-of-the-art technique to classify 3D points from LiDAR sensors. However, neural networks have shown to be susceptible to adversarial attacks. In this article, we formalize these adversarial attacks on LiDAR semantic segmentation as generic multi-objective optimization and solve the resulting minimization problem with an Evolutionary Algorithms. Therefore, we can treat the neural network as a black box and do not rely on any intrinsic knowledge as estimating the gradients, etc. We present two ways to encode the problem for Evolutionary Algorithms. Our experiments with the real-world KITTI dataset and a state-of-the-art semantic segmentation neural network for LiDAR data show that Evolutionary Algorithms are suitable for solving the optimization problem. Further, our results confirm that targeting the attack by constraining the volume for manipulated LiDAR points leads to more effective attack patterns with lower perturbations than attack a set of arbitrary points from the scan.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
The phrasing in this explanation refers to a minimization problem. An explanation focused on maximization problems is omitted since minimization problems can be trivially transformed into maximization problems and vice versa.
References
Alzantot, M., Sharma, Y., Chakraborty, S., Zhang, H., Hsieh, C.J., Srivastava, M.B.: Genattack: practical black-box attacks with gradient-free optimization. In: Proceedings of the Genetic and Evolutionary Computation Conference, Association for Computing Machinery, GECCO’19, New York, pp. 1111–1119 (2019). https://doi.org/10.1145/3321707.3321749
Angermeier, D., Beilke, K., Hansch, G., Eichler, J.: Modeling security risk assessments. In: 17th Escar Europe: Embedded Security in Cars (2019). https://doi.org/10.13154/294-6670
Bastos, D., Monteiro, P.P., Oliveira, A.S.R., Drummond, M.V.: An overview of lidar requirements and techniques for autonomous driving. In: 2021 Telecoms Conference (ConfTELE), pp. 1–6 (2021). https://doi.org/10.1109/ConfTELE50222.2021.9435580
Behley, J., Garbade, M., Milioto, A., Quenzel, J., Behnke, S., Stachniss, C., Gall, J.: Semantickitti: a dataset for semantic scene understanding of lidar sequences. In: Proceedings of the IEEE International Conference on Computer Vision (ICCV), pp. 9296–9306 (2019). https://doi.org/10.1109/ICCV.2019.00939
Cao, Y., Xiao, C., Cyr, B., Zhou, Y., Park, W., Rampazzi, S., Chen, Q.A., Fu, K., Mao, Z.M.: Adversarial sensor attack on lidar-based perception in autonomous driving. In: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, Association for Computing Machinery, New York, pp. 2267–2281 (2019). https://doi.org/10.1145/3319535.3339815
Carlini, N., Wagner, D.: Towards evaluating the robustness of neural networks. In: 2017 IEEE Symposium on Security and Privacy (SP) (2017), pp. 39–57. https://doi.org/10.1109/SP.2017.49
Chen, J., Jordan, M.I., Wainwright, M.J.: HopSkipJumpAttack: a query-efficient decision-based attack. In: 2020 IEEE Symposium on Security and Privacy (SP), pp. 1277–1294. https://doi.org/10.1109/SP40000.2020.00045
Deb, K.: A fast elitist non-dominated sorting genetic algorithm for multi-objective optimization: Nsga-2. IEEE Trans. Evol. Comput. 6(2), 182–197 (2002)
Geyer, J., Kassahun, Y., Mahmudi, M., Ricou, X., Durgesh, R., Chung, A.S., Hauswald, L., Pham, V.H., Mühlegg, M., Dorn, S., Fernandez, T., Jänicke, M., Mirashi, S., Savani, C., Sturm, M., Vorobiov, O., Oelker, M., Garreis, S., Schuberth, P.: A2D2: audi autonomous driving dataset (2020). https://www.a2d2.audi. 2004.06320
Goodfellow, I.J., Shlens, J., Szegedy, C.: Explaining and harnessing adversarial examples. In: 3rd International Conference on Learning Representations, ICLR 2015, San Diego (2015)
He, K., Gkioxari, G., Dollár, P., Girshick, R.B.: Mask R-CNN. In: 2017 IEEE International Conference on Computer Vision (ICCV), pp. 2980–2988. https://doi.org/10.1109/ICCV.2017.322
Hernan, S., Lambert, S., Ostwald, T., Shostack, A.: Threat modeling-uncover security design flaws using the stride approach. MSDN Magazine-Louisville, pp. 68–75 (2006)
Jiménez, F., Naranjo, J.E., Anaya, J.J., García, F., Ponz, A., Armingol, J.M.: Advanced driver assistance system for road environments to improve safety and efficiency. Transp. Res. Proc. 14, 2245–2254 (2016)
LeCun, Y., Jackel, L.D., Bottou, L., Cortes, C., Denker, J.S., Drucker, H., Guyon, I., Müller, U.A., Säckinger, E., Simard, P., Vapnik, V.: Learning algorithms for classification: a comparison on handwritten digit recognition. In: Neural Networks: The Statistical Mechanics Perspective, pp. 261–276. World Scientific, Singapore
Li, X., Sun, Z., Cao, D., He, Z., Zhu, Q.: Real-time trajectory planning for autonomous urban driving: framework, algorithms, and verifications. IEEE/ASME Trans. Mechatron. 21(2), 740–753 (2016). https://doi.org/10.1109/TMECH.2015.2493980
Li, Y., Ma, L., Zhong, Z., Liu, F., Chapman, M.A., Cao, D., Li, J.: Deep learning for lidar point clouds in autonomous driving: a review. IEEE Trans. Neural Netw. Learn. Syst. 32(8), 3412–3432 (2020)
LLC W: Expanding our testing in san francisco (2021). https://blog.waymo.com/2021/02/expanding-our-testing-in-san-francisco.html
Lukasiewycz, M., Glaß, M., Reimann, F., Teich, J.: Opt4j: a modular framework for meta-heuristic optimization. In: Proceedings of the 13th Annual Conference on Genetic and Evolutionary Computation. Association for Computing Machinery GECCO’11, New York, pp. 1723–1730 (2011). https://doi.org/10.1145/2001576.2001808
Macher, G., Schmittner, C., Veledar, O., Brenner, E.: ISO/SAE DIS 21434 Automotive Cybersecurity Standard - in a Nutshell. Springer, Berlin (2020)
McManamon, P.: LiDAR Technologies and Systems, 1st edn. Society of Photo-Optical Instrumentation Engineers (SPIE), Bellingham (2019) . https://doi.org/10.1117/3.2518254
Meshcheryakov, R., Iskhakov, A., Mamchenko, M., Romanova, M., Uvaysov, S., Amirgaliyev, Y., Gromaszek, K.: A probabilistic approach to estimating allowed SNR values for automotive lidars in smart cities under various external influences. Sensors 22(2) (2022). https://www.mdpi.com/1424-8220/22/2/609
Monteuuis, J.P., Boudguiga, A., Zhang, J., Labiod, H., Servel, A., Urien, P.: SARA: security automotive risk analysis method. In: Proceedings of the 4th ACM Workshop on Cyber-Physical System Security, pp. 3–14 (2018)
Petit, J., Shladover, S.E.: Potential cyberattacks on automated vehicles. IEEE Trans. Intell. Transp. Syst. 16(2), 546–556 (2015). https://doi.org/10.1109/TITS.2014.2342271
Petit, J., Stottelaar, B., Feiri, M., Kargl, F.: Remote attacks on automated vehicles sensors: experiments on camera and lidar. In: Black Hat Europe (2015)
Qi, C.R., Su, H., Mo, K., Guibas, L.J.: Pointnet: deep learning on point sets for 3D classification and segmentation. In: 2017 IEEE Conference on Computer Vision and Pattern Recognition (CVPR), pp. 77–85 (2017). https://doi.org/10.1109/CVPR.2017.16
Reuters: Baidu, pony.ai approved for robotaxi services in beijing (2021). https://www.reuters.com/technology/baidu-ponyai-approved-robotaxi-services-beijing-2021-11-25/
SAE International: Taxonomy and definitions for terms related to driving automation systems for on-road motor vehicles (2021)
Shin, H., Son, Y., Park, Y., Kwon, Y., Kim, Y.: Sampling race: bypassing timing-based analog active sensor spoofing detection on analog-digital systems. In:10th USENIX Workshop on Offensive Technologies (WOOT’16), USENIX Association, Austin (2016). https://www.usenix.org/conference/woot16/workshop-program/presentation/shin
Shin, H., Kim, D., Kwon, Y., Kim, Y.: Illusion and dazzle: adversarial optical channel exploits against lidars for automotive applications. In: Cryptographic Hardware and Embedded Systems–CHES 2017, vol. 10529, pp. 445–467. Springer, Cham, (2017). https://doi.org/10.1007/978-3-319-66787-4_22
Sun, J., Cao, Y., Chen, Q.A., Mao, Z.M.: Towards robust lidar-based perception in autonomous driving: general black-box adversarial sensor attack and countermeasures. In: 29th USENIX Security Symposium (USENIX Security 20). USENIX Association, pp. 877–894 (2020). https://www.usenix.org/conference/usenixsecurity20/presentation/sun
Szegedy, C., Zaremba, W., Sutskever, I., Bruna, J., Erhan, D., Goofellow, I., Fergus, R.: Intriguing properties of neural networks. In: International Conference on Learning Representations (ICLR), Banff, AB, Kanada (2014)
Tu, J., Ren, M., Manivasagam, S., Liang, M., Yang, B., Du, R., Cheng, F., Urtasun, R.: Physically realizable adversarial examples for lidar object detection (2020). CoRR abs/2004.00543. https://arxiv.org/abs/2004.00543
Vorobeychik, Y., Kantarcioglu, M.: Adversarial Machine Learning, 1st edn. Morgan & Claypool, San Rafael (2018). https://doi.org/10.2200/S00861ED1V01Y201806AIM039
Wallace, A.M., Halimi, A., Buller, G.S.: Full waveform lidar for adverse weather conditions. IEEE Trans. Veh. Technol. 69(7), 7064–7077 (2020). https://doi.org/10.1109/TVT.2020.2989148
Xiang, C., Qi, C.R., Li, B.: Generating 3D adversarial point clouds. In: 2019 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), pp. 9128–9136 (2019). https://doi.org/10.1109/CVPR.2019.00935
Xu, C., Wu, B., Wang, Z., Zhan, W., Vajda, P., Keutzer, K., Tomizuka, M.: Squeezesegv3: spatially-adaptive convolution for efficient point-cloud segmentation. In: Computer Vision – ECCV 2020, vol. 28, pp. 1–19 (2020). https://doi.org/10.1007/978-3-030-58604-1
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this chapter
Cite this chapter
Urfei, J., Smirnov, F., Weichslgartner, A., Wildermann, S. (2023). Gradient-Free Adversarial Attacks on 3D Point Clouds from LiDAR Sensors. In: Kukkala, V.K., Pasricha, S. (eds) Machine Learning and Optimization Techniques for Automotive Cyber-Physical Systems. Springer, Cham. https://doi.org/10.1007/978-3-031-28016-0_7
Download citation
DOI: https://doi.org/10.1007/978-3-031-28016-0_7
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-28015-3
Online ISBN: 978-3-031-28016-0
eBook Packages: EngineeringEngineering (R0)