Enhancing the Transferability of Adversarial Attacks for End-to-End Autonomous Driving Systems

Jingyu Zhang, Jacky Keung, Xiaoxue Ma*, Yihan Liao, Yishu Li, Yicheng Sun

*Corresponding author for this work

Research output: Chapters, Conference Papers, Creative and Literary Works | RGC 32 - Refereed conference paper (with host publication) | peer-review

Abstract

Adversarial attacks play an important role in testing and enhancing the reliability of deep learning (DL) systems. Most existing attacks for DL-based autonomous driving systems (ADSs) demonstrate strong performance under the white-box setting but struggle with black-box transferability, while black-box attacks are more practical in real-world scenarios as they operate without full model access. Numerous transferability-enhancement techniques have been proposed in other fields (e.g., image classification); however, they remain unexplored for end-to-end (E2E) ADSs.
Our study fills the gap by conducting the first comprehensive empirical analysis of nine transferability-enhancement methods on E2E ADSs, covering two types: three input transformation enhancements and six attack objective enhancements. We evaluate their effectiveness on two datasets with four steering models. Our findings reveal that, out of nine enhancements, Resizing+Translation delivers the best black-box transferability, producing up to 9.39° increase in MAE. Pred+Attn serves as the best objective enhancement, producing a maximum of 5.55° (white-box) and 6.21° (black-box) increase in MAE. Through attention heatmap visualizations, we discover that different models focus on similar regions when predicting, thereby enhancing the transferability of attention-based attacks.
In conclusion, our study provides valuable results and insights into the transferability-enhancement techniques for E2E ADSs, which also serve as a robust benchmark for further advancements in the autonomous driving field.

©2024 IEEE
Original language: English
Title of host publication: 2024 31st Asia-Pacific Software Engineering Conference (APSEC)
Publisher: IEEE
Pages: 171-180
ISBN (Electronic): 979-8-3315-3401-1
ISBN (Print): 979-8-3315-3402-8
Publication status: Published - 25 Apr 2025
Event: 31st Asia-Pacific Software Engineering Conference (APSEC 2024) - Chongqing, China
Duration: 3 Dec 2024 to 6 Dec 2024

Conference

Conference: 31st Asia-Pacific Software Engineering Conference (APSEC 2024)
Country/Territory: China
City: Chongqing
Period: 3/12/24 to 6/12/24

Research Keywords

  • Software Testing
  • Adversarial Attacks
  • Crossmodel Transferability
  • Autonomous Driving
  • Deep Learning
