Emerging Threats in Deep Learning-Based Autonomous Driving A Comprehensive Survey
2025-05-03
0
0
4.93MB
28 页
10玖币
侵权投诉
Emerging Threats in Deep Learning-Based Autonomous Driving: A
Comprehensive Survey
Cao Huia, Zou Wenlonga, Wang Yinkunb, Song Tingcand Liu Mengjuna,∗
aSchool of Education,Hubei University,Youyi Road No.368,Wuhan,430062,Hubei,P.R.China
bInstitute of Information Engineering,Chinese Academy of Sciences, Beijing,100093,P.R.China
cSchool of Foreign Languages,Hubei University,Youyi Road,No.368, Wuhan,430062,Hubei,P.R.China
ARTICLE INFO
Keywords:
Trustworthy AI
Deep Learning
Artificial Intelligence
Autonomous Driving
Cyber Security
Adversarial Examples
Abstract
Since the 2004 DARPA Grand Challenge, the autonomous driving technology has witnessed nearly
two decades of rapid development. Particularly, in recent years, with the application of new sensors
and deep learning technologies extending to the autonomous field, the development of autonomous
driving technology has continued to make breakthroughs. Thus, many carmakers and high-tech giants
dedicated to research and system development of autonomous driving. However, as the foundation
of autonomous driving, the deep learning technology faces many new security risks. The academic
community has proposed deep learning countermeasures against the adversarial examples and AI
backdoor, and has introduced them into the autonomous driving field for verification. Deep learning
security matters to autonomous driving system security, and then matters to personal safety, which is
an issue that deserves attention and research.This paper provides an summary of the concepts, devel-
opments and recent research in deep learning security technologies in autonomous driving. Firstly, we
briefly introduce the deep learning framework and pipeline in the autonomous driving system, which
mainly include the deep learning technologies and algorithms commonly used in this field. Moreover,
we focus on the potential security threats of the deep learning based autonomous driving system in
each functional layer in turn. We reviews the development of deep learning attack technologies to
autonomous driving, investigates the State-of-the-Art algorithms, and reveals the potential risks. At
last, we provides an outlook on deep learning security in the autonomous driving field and proposes
recommendations for building a safe and trustworthy autonomous driving system.
1. Introduction
Research about Autonomous Land Vehicles (ALVs) be-
gan as early as 1980s with funding from the US Depart-
ment of Defense(DoD). In the 21st century, DARPA con-
ducted the Grand Challenge that launched a new generation
of autonomous driving. The development of artificial in-
telligence(AI) technology is driving the rapid progress of
autonomous vehicles with an increasing expectation from
the public. Currently, many traditional carmakers, such as
universal Motors, Toyota, Volvo, BMW and Audi have car-
ried out researches into the autonomous driving system. On
another hand, not to be outdone, most of high-tech giants,
Google Waymo, Tesla, Baidu and Huawei, devoted them-
selves to autonomous driving technology. Along with arti-
ficial intelligence technology, autonomous driving has seen
rapid development and is expected to enter the practical stage.
⋆This document is the results of the research project funded by the
National Natural Science Foundation of China: Research on secure data
management mechanism of new college entrance examination comprehen-
sive quality evaluation: A security enhancement of block chain empower-
ment(No. 72204077)
⋆⋆ This document is the results of the research project funded bt the
Hubei Natural Science Foundation project:Research on the data security
management mechanism of new College Entrance Examination compre-
hensive quality evaluation based on blockchain.(No. 2021CFB470)
∗Corresponding author
∗∗First two author equal contribution
cao-hui@whu.edu.cn (C. Hui); lmj_whu@163.com (L. Mengjun)
https://scholar.google.com/citations?user=1XoXUTYAAAAJ&hl=en
(C. Hui)
ORCID(s):
However, security is a major concern in the application
of the autonomous driving system, because there are new
types of security risks associated with autonomous driving
system that depends heavily on deep learning. On the one
hand, from the perspective of technical threat on AI secu-
rity and privacy protection, new countermeasures have been
proposed successively, including adversarial examples [1,
2], data poisoning and AI Backdoor[3], model extraction[4],
model inversion[5], and membership privacy inference[6].
On the another hand, from the social trust perspective of AI,
issues about fairness, AI abuse, environment, compliance,
and ethic, have also received attention and research. Cur-
rently, there is some literature[7,8,9,10,11,12,13] sum-
marized AI security threats in the general environment. Dif-
ferent from that, this paper focuses on the environment of
autonomous driving system, it reveals the new security risks
posed by AI technologies bringing new security challenges
to autonomous driving. Unlike other applications of deep
learning, the autonomous driving system is a more complex
AI architecture consisting of dozens of functional modules,
and different environment modules with different character-
istics, raising different requirements for AI security attack
and mitigation techniques, including:
•Physical world requirements. AI threats of autonomous
driving system should be able to take effect in the real
physical world, and not only in the digital world and
computer simulation systems. Techniques specific to
adversarial examples attacks in the physical world are
the focus of this paper.
Hui Cao et al.: Preprint submitted to Elsevier Page 1 of 28
arXiv:2210.11237v1 [cs.CR] 19 Oct 2022
Emerging Threats in Deep Learning-Based Autonomous Driving
•Robustness requirements. The environment is un-
certain and often varies to a large extent in autonomous
driving. On the one hand, the images collected under
different weather, light and other natural conditions
can vary; on the other hand, changes in a long dis-
tance and large angle range also make image acquisi-
tion highly variable due to the high-speed movement
of vehicles. Therefore, AI threats need to be able to
take effect continuously and stably under a variety of
conditions, which raises very high demands on the ro-
bustness of attacks, such as adversarial examples and
AI backdoor. This paper focuses on robustness en-
hancement methods.
•Fusion environment requirements. Autonomous driv-
ing system often employs multi-modal fusion sensing
techniques that combine different types of information
from multiple RGB cameras, LiDAR, RaDAR, etc.,
to sense the fused images. The autonomous driving
environment requires that adversarial examples coun-
termeasures and other related threat technologies can
be stabilized to remain in effect in the fused environ-
ment. Artificial intelligence threats in multi-modal fu-
sion environments are also the focus of this paper.
Due to the above concerns and requirements, AI safety tech-
nologies in the field of autonomous driving have continued
to develop, and some research results and breakthroughs have
been achieved. This paper introduces the latest research progress
relevant to unique technologies and reveals the AI security
risks in autonomous driving systems. This paper faces the
above challenges of autonomous driving systems, rather than
in the general environment. Section 1 briefly introduces the
infrastructure and key technologies of AI in autonomous driv-
ing; section 2 offers a glimpse of the AI risks in the sensor
layer; section 3 comprehensively reviewed the AI risk in the
perception layer, introduced the idea and detail of important
algorithms; section 4 provides the potential deep leaning risk
and attack technology in decision layer in autonomous driv-
ing; section 5 focus on new threat of V2X that based on fed-
eration learning in the future; section 6 gives a summary and
outlook.
1.1. Basic Concepts of Autonomous Driving
Essentially, autonomous driving is making driving deci-
sions through artificial intelligence techniques or other au-
tomated decision-making methods. According to the So-
ciety of Automotive Engineers (SAE) standard J3016[14],
autonomous driving can be categorized into the following
classes.
•L0 – No Driving Automation: driving is carried out
entirely by a person, but warnings and system assis-
tance are available during the journey.
•L1 – Driver Assistance: based on the perception of
the driving environment, only a single aspect of au-
tomation, which system operates the steering wheel
or acceleration and deceleration assists the driver with
ADAS, while other driving operations are performed
by the human driver.
•L2 – Partial Driving Automation: based on the per-
ception of the driving environment, the system oper-
ates both the steering wheel and acceleration or decel-
eration. However, it requires a human driver to remain
constantly alert and ready to take full control with lit-
tle or no warning.
•L3 – Conditional Driving Automation: based on the
perception of the driving environment, autonomous
driving system can perform all driving operations un-
der the supervision of a human driver.
•L4 – High Driving Automation: under certain envi-
ronmental conditions, autonomous driving system can
perform all driving operations unsupervised.
•L5 – Full Driving Automation: the autonomous driv-
ing system can perform all driving operations unsu-
pervised in all environmental conditions.
For autonomous driving system, there are different views
and concepts, as well as different development and evolu-
tionary routes. One is focus on intelligentization and cyber-
ization of vehicle components, mainly researching on sen-
sors, in-vehicle communication, vehicle-to-everything (V2X),
and et al, which main participant by traditional car-makers.
The other is focus on autonomous diving decisions, mainly
researching artificial intelligence and autonomous driving,
and the main participants include: UC Berkeley, Google WayMo,
Baidu, Apollo, Intel Carla, NVIDIA and other artificial in-
telligence companies. However, whether it starts from the
vehicle moving towards AI or the other way round, auto-
mated driving decision is the core mission in autonomous
driving, and safety based on AI driving decisions making is
a necessary prerequisite for the safety of autonomous driv-
ing system. The higher the level of autonomous driving, the
higher the reliance on AI technology represented by deep
learning, which lead to higher the requirements for the safety
and robustness of deep learning itself.
1.2. Architecture of Autonomous Driving System
In terms of the autonomous driving architecture and ma-
chine learning technologies based, autonomous driving sys-
tems can be divided into end-to-end (E2E) and modular ar-
chitectures.
•The modular autonomous driving system divides an
individual set of autonomous driving functions into
several parts, each of which is completed by one or
a group of artificial intelligence models, usually in-
cluding: positioning and projecting, target recogni-
tion, trajectory prediction, road planning & driving
decision making, vehicle control, and other functions.
These functional modules contain the sensing layer,
the perception layer, the decision layer and the vehi-
cle networking layer.
Hui Cao et al.: Preprint submitted to Elsevier Page 2 of 28
Emerging Threats in Deep Learning-Based Autonomous Driving
(a) Modular Autonomous Driving Framework
(b) E2E Autonomous Driving Framework
Figure 1: Autonomous Driving Framework
•The End-to-End autonomous driving system often con-
sists of a large number of complex judgment functions
in driving decisions performed by one or a group of ar-
tificial intelligence models that make the final driving
decision based on the environment and cloud inputs.
1.3. Sensing Layer
The sensing layer includes a variety of sensors that col-
lect information about the environment for the autonomous
driving system. Common sensors used in autonomous driv-
ing vehicles compromise RGB cameras, LiDAR (Light De-
tection and Ranging), RaDAR (Radio Waves to Determine
the Distance), GPS, and ultrasonic sensors. Here are the
characteristics of different sensors:
•The advantages of RGB cameras are: 1) lower cost,
and 2) relatively mature recognition technology; their
limitation is that the distance is dependent on estima-
tion.
•The advantage of LiDAR is that it is accurate; its lim-
itation is that it is susceptible to interference from the
weather.
•The advantage of radar is that it is relatively immune
to weather interference; its limitation is that it has in-
sufficient imaging capability.
There are a number of existing works that provide a de-
tailed comparison of sensors for autonomous driving vehi-
cles, which will not be the emphasis of this paper. There are
some survey papers related to the sensing layer[15,16,17].
Most companies have chosen autonomous driving tech-
nology solutions that multi-modal fusion, while some have
chosen solutions that rely primarily on RGB cameras. How-
ever, it needs to be emphasized that, regardless of the choice
of sensor configuration solution, the various advanced sen-
sors only fulfill the function of raw information collection
and do not replace the key role played by artificial intelli-
gence in the perception and decision-making of autonomous
driving system, and are equally unable to avoid the new safety
risks posed by AI.
1.4. Perception Layer
The perception layer perceives and identifies things like
object perceiving and identification, segmentation, depth es-
timation and localization, which are based on the vehicle’s
state and road information collected by the sensors in the
sensor layer. The commonly used techniques are given as
follows, which include 2D object recognition, 3D object recog-
nition, multi-modal fusion, trajectory prediction, and so on.
Figure 2: Sensor in Autonomous Driving
•2D Objection Recognition is based on a flat image
to identify the presence or absence of a specific tar-
get in the image and locate it. technologically, 2D
object recognition can be divided into two classifica-
tions: two-stage objection recognition algorithms and
one-stage objection recognition algorithms. The two-
stage algorithms first find a series of region proposals,
and then classify the objects in the proposals by Con-
volutional Neural Networks(CNN). Commonly used
two-stage algorithms include FasterRCNN[18] and MaskRCNN[19]
characterized by relatively high accuracy and high con-
sumption. One-stage algorithms do not generate a sep-
arate region proposal but return to the predicted class
and location of the target directly. Commonly used
one-stage algorithms include: SSD[20]and Yolo v3[21].
In 2017, Lin et al.[22] proposed a new loss function -
"Focal Loss", which can significantly improve the ac-
curacy of dense target recognition, and this technique
was first applied to the field of face recognition. It is
now applied to many target recognition fields, among
which, in 2021, Yosuke Shinya et al.[23] proposed
Hui Cao et al.: Preprint submitted to Elsevier Page 3 of 28
Emerging Threats in Deep Learning-Based Autonomous Driving
UniverseNet, a target detection algorithm that applies
Focal Loss, which can achieve better results in dense
target and small target scenarios. A detailed compari-
son of current mainstream 2D target recognition tech-
niques can be found in references[15,16,17]
•Multi-Modal Fusion. A single type of sensor cannot
capture all of the environmental information needed to
support autonomous driving, while autonomous driv-
ing systems require information from several types and
a large number of sensors to make integrated deci-
sions, which leads us to make multi-modal fusion. De-
pending on occurred times[24], the fusion can be di-
vided into three modes: pre-fusion,post-fusion, and
deep fusion. Pre-fusion combines the data collected
by all types of sensors and then makes a comprehen-
sive decision. Post-fusion to make decisions on the
data collected by different sensors and then aggregate
the sub-decisions. Deep fusion constitute by the fu-
sion of data, features and decision integration, and can
be subdivided into five types: data in data out,data
in feature out,feature in feature out,feature in de-
cision out, and decision in decision out[25,26]. An
in-depth analysis and comparison of the various inte-
gration methods can be found in the literature.[26,27,
28,26]
•3D Objection Detection and Segmentation. Because
2D images have no depth information that is needed in
autonomous driving, such as path planning and colli-
sion avoidance in autonomous driving, therefore 3D
objection detection plays a key role. Classified by the
detected information, 3D target detection has 3 bases:
2D image, 3D point cloud map and multi-modal fu-
sion image. Among them, 3D target detection based
on 2D images often uses 3D target matching and depth
estimation to estimate the 3D target bounding box for
targets in 2D images using algorithms like Mono3D[29],
3DVP[30], Deepmanta[31], and SVGA-Net[32]. 3D
target recognition based on 3D point cloud maps is
the recognition of targets in the images with 3D in-
formation and marks the target outline. Commonly
used algorithms include: VeloFCN[33] , BirdNet[34],
3DFCN[35] , PointNet++[36] and VoxelNet[37]. 3D
target detection based on multi-modal integration im-
ages is to use different integration modes to identify
3D targets. Commonly used algorithms include: MV3D[38],
AVOD[39], and F-PointNet[40]. A comparison and
in-depth study of various 3D target detection algorithms
can be found in the literature[41,42].
Other deep learning research directions in the perception layer
include Pedestrian Detection, Lane Detection, Traffic Sign
Recognition, Pedestrian Attribute Recognition, Fast Vehi-
cle Detection, Pedestrian Density Estimation, Plate Recog-
nition, etc. There is detail on the leaderboard[43].
(a) Pre-fusion
(b) Post-fusion
(c) Deep fusion
Figure 3: Fusion of Autonomous Driving
1.5. Decision-Making Layer
Driving decision-making is the core of autonomous driv-
ing, and machine learning methods are often used, with two
technical routes available: Imitation Learning and Reinforce-
ment Learning.
•Imitation Learning. Imitation learning refers to the
learning behavior of agents who acquire the ability
to perform a specific task by observing and imitating
the behavior of human experts[44]. Imitation learn-
ing has been successful in the field of autonomous
driving[45] Imitation learning tends to collect a large
amount of environmental state 𝑆𝑖(environmental data
collected by various sensors, including 3D point cloud
maps, RGB images, etc.) as features and record the
Hui Cao et al.: Preprint submitted to Elsevier Page 4 of 28
Emerging Threats in Deep Learning-Based Autonomous Driving
actions performed by the human experts at the same
time. 𝐴𝑖is used as a label to form a training data set
𝐷∶ (𝑠1, 𝑎1),(𝑠2, 𝑎2),(𝑠3, 𝑎3), .... Using specific imi-
tation learning algorithms, artificial intelligence mod-
els are trained and used to make future driving deci-
sions. The famous imitation learning methods include
the E2E autonomous driving algorithm based on con-
ditional imitation learning [46], and the ChauffeurNet[47].
•Deep Reinforcement Learning. Deep reinforcement
learning simulates the self-learning model of organ-
isms in nature. To be concrete, an agent monitors its
own behavior and the resulting environmental changes,
sets the reward value for different changes, and then
continuously optimizes the model and its own behav-
ior based on this. In 2013, Mnih et al.[48] combined
deep learning with reinforcement learning and pro-
posed the Deep Q Learning(DQN) method. DQN is
based on a set of Q values in a reward table. The sys-
tem’s driving status 𝑆𝑖and the driving operation 𝑎𝑖to
obtain the corresponding reward value 𝑟𝑖, which auto-
matically generates training data 𝐷∶ ((𝑠1, 𝑎1), 𝑟1),((𝑠2, 𝑎2), 𝑟2),((𝑠3, 𝑎3), 𝑟3), ....
The reinforcement learning model is then trained by
specific algorithms, while reinforcement learning is
supplemented with current operational data to con-
tinuously optimize the model. Nowadays, deep re-
inforcement learning has been rapidly developed and
widely used, with subsequently emerged Deep Recur-
rent Q Networks (DRQNs)[49], attention mechanism
deep recurrent Q networks[50], asynchronous/synchronous
dominant actor-critic (A3C/A2C)[51], and reinforce-
ment learning for unsupervised and unassisted tasks[52],
which are widely used in e-Sports, health & medicine,
recommendation system and other fields. There are
some surveys of deep reinforcement learning[53,54].
A variety of deep reinforcement learning frameworks
and algorithms are widely used in the field of autonomous
driving vehicles. For example, Feng et al.[55], Al-
izadeh et al.[56], Mirchevska et al.[57], and Quek et
al.[58] apply deep reinforcement learning techniques
to driving decisions; Holen et al.[59] use deep rein-
forcement learning for autonomous driving roadway
recognition; Feng et al.[60] utilize deep reinforcement
learning techniques for traffic light optimization con-
trol. Some researchers have also proposed an autonomous
driving solution with the fusion of imitation learning
and reinforcement learning[61,62].
1.6. Vehicle Networks
With the development of communications and AI tech-
nology, vehicle networks are increasingly playing an impor-
tant role in autonomous driving, especially the vehicle net-
works construction, which supports a distributed AI model
and provides a novel type of AI technology in autonomous
driving, while also bringing new security risks.
•Vehicle-to-Everything (V2X). V2X is a multi-layered
network system designed to enhance collaboration be-
tween pedestrians, vehicles and transport infrastruc-
ture. It is universally composed of Vehicle-to-Vehicle
(V2V) networks, Vehicle-to-Infrastructure (V2I) net-
works, Vehicle-to-Pedestrian (V2P) networks and Vehicle-
to-Road side units (V2R) networks[63]. The commu-
nication technologies used in the vehicular internet of
things can be broadly classified into two categories,
Dedicated Short Range Communication (DSRC) and
Long-Term Evolution (LTE) cellular communication,
called cellular-V2X or C-V2X for short[64].
•Federated Learning. The vehicular internet of things
provides the network foundation for distributed artifi-
cial intelligence. Federated Learning is a distributed
AI framework that replaces sensitive data interactions
with model interactions, enabling more efficient and
better privacy for knowledge sharing and transition.
Based on the V2X, the federated learning can provide
distributed and interactive AI services[65,66,67] for
autonomous driving system. This paper focuses on
the novel security risks posed by Federated Learning
in the vehicular internet of things, and reviews related
security technology developments.
1.7. Summary
We concluded the major AI application used in autonomous
driving in Table1
2. Emerging Threats in Sensors
Sensors are foundational part for the autonomous driv-
ing system, which provide raw environmental information
for autonomous driving decision-making. The security of
sensors directly affects the safety of autonomous driving sys-
tem. We classify attacks against sensors into two categories,
where attacks that aim to compromise the usability of the
sensing are classified as Jamming Attacks and attacks that
aim to compromise the integrity of the information collected
by the sensors are classified as Spoofing Attacks.
2.1. Jamming Attacks
The Jamming Attack means that attackers take some ac-
tions to reduce the quality of data collected by the sensor,
even making sensor unavailable. In 2015, Petit et al.[114]
attempted a jamming attack on autonomous driving sensors
by artificially setting up bright light interference that could
"blind" the camera. In 2016, Yan et al.[115] experimented
with blind attacks on ultrasonic sensors. Similarly, a va-
riety of in-vehicle sensors such as RGB cameras, LiDAR,
RaDAR, gyroscopic sensors and GPS sensors could be sub-
ject to jamming attacks[116,117,118,119].
2.2. Spoofing Attacks
The Spoofing Attacks means that attackers injecting fake
signals to affect the normal behaviour of the autonomous
driving system. In 2015, Petit et al.[114] attempted to send
specific spoofed laser signals, causing the LiDAR systems
Hui Cao et al.: Preprint submitted to Elsevier Page 5 of 28
摘要:
展开>>
收起<<
EmergingThreatsinDeepLearning-BasedAutonomousDriving:AComprehensiveSurveyCaoHuia,ZouWenlonga,WangYinkunb,SongTingcandLiuMengjuna,
声明:本站为文档C2C交易模式,即用户上传的文档直接被用户下载,本站只是中间服务平台,本站所有文档下载所得的收益归上传人(含作者)所有。玖贝云文库仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对上载内容本身不做任何修改或编辑。若文档所含内容侵犯了您的版权或隐私,请立即通知玖贝云文库,我们立即给予删除!
相关推荐
-
Michael Moorcock - Elric 6 - StormbringerVIP免费
2024-12-08 6 -
Michael Crichton - PreyVIP免费
2024-12-08 11 -
Mercedes Lackey - WintermoonVIP免费
2024-12-08 7 -
Mercedes Lackey - SE 1- Born To RunVIP免费
2024-12-08 8 -
Mercedes Lackey - Heralds of Valdemar 1 - Arrows Of The QueeVIP免费
2024-12-08 10 -
Melville, Herman - TypeeVIP免费
2024-12-08 15 -
MaryJanice Davidson - [Betsy 5] - Undead and Unpopular (v1.0)VIP免费
2024-12-08 18 -
Marion Zimmer Bradley - Darkover - The Heirs of HammerfellVIP免费
2024-12-08 19 -
MacDonnell, J E - 096 - Execute!VIP免费
2024-12-08 15 -
Lovecraft, H P - The Dream Quest Of Unknown KadadthVIP免费
2024-12-08 21
分类:图书资源
价格:10玖币
属性:28 页
大小:4.93MB
格式:PDF
时间:2025-05-03
作者详情
相关内容
-
2015年6月英语四级真题答案及解析(卷二)
分类:外语学习
时间:2025-05-02
标签:无
格式:PDF
价格:5.8 玖币
-
2015年6月英语四级真题答案及解析(卷三)
分类:外语学习
时间:2025-05-02
标签:无
格式:PDF
价格:5.8 玖币
-
2016年12月六级(第二套)真题
分类:外语学习
时间:2025-05-02
标签:无
格式:PDF
价格:5.8 玖币
-
2016年12月六级(第三套)真题
分类:外语学习
时间:2025-05-02
标签:无
格式:PDF
价格:5.8 玖币
-
2016年12月六级(第一套)真题
分类:外语学习
时间:2025-05-02
标签:无
格式:PDF
价格:5.8 玖币
渝公网安备50010702506394
