counteracting adversarial attacks in autonomous driving
play

Counteracting Adversarial Attacks in Autonomous Driving Qi Sun 1 , - PowerPoint PPT Presentation

Oct 22, 2023 •339 likes •640 views

Counteracting Adversarial Attacks in Autonomous Driving Qi Sun 1 , Arjun Ashok Rao 1 , Xufeng Yao 1 , Bei Yu 1 , Shiyan Hu 2 1 The Chinese University of Hong Kong 2 University of Southampton 1 / 21 Vision-Based Object Detection Classification

  1. Counteracting Adversarial Attacks in Autonomous Driving Qi Sun 1 , Arjun Ashok Rao 1 , Xufeng Yao 1 , Bei Yu 1 , Shiyan Hu 2 1 The Chinese University of Hong Kong 2 University of Southampton 1 / 21

  2. Vision-Based Object Detection Classification Localization ◮ output: class label ◮ output: bounding box in image Object Detection: ◮ class label l ◮ bounding box in image, represented as vector ( x , y , w , h ) 2 / 21

  3. Vision-Based Object Detection ����������������������������� Region Proposal Network (RPN) ����������������������� Objectness scores Bounding box regression ����������������� ����������������������������������������������������������� ◮ Generate k boxes, regress label scores and coordinates for the k boxes. �� ◮ Use some metrics ( e.g. , IoU) to measure the qualities of boxes. 3 / 21

  4. Vision-Based Object Detection Faster R-CNN Vision-based object detection model. classifier RoI pooling proposals Region Proposal Network feature maps conv layers image 4 / 21

  5. Stereo-Based Vision System A typical stereo-based multi-task object detection model ◮ Two sibling branches ( e.g. , RPN modules) which use left and right images as inputs. ◮ A single branch conducts a regression task, e.g. predict viewpoint. Sometimes there are several independent single branches. 5 / 21

  6. ��������� ���������������� ��������������� ��������� �������� ��������� ���������� ����������� ��������������������� ����������� �������� � � ��������� ����������� Stereo-Based Vision System ◮ Take advantage of left and right images to detect cars. ◮ Conduct multiple 3D regression tasks based on the joint detection results. , ℎ z - x y (" # , % & ) " ) (" * , % + ) ( " ) ( " # Take advantage of left and right images. Multiple stereo-based tasks. 6 / 21

  7. Adversarial Attacks ◮ Vision-based systems suffer from image perturbations (noises, dark light, signs, etc. ). ◮ Deep learning models are vulnerable to these perturbations. ◮ The security risk is especially dangerous for 3D object detection in autonomous driving. ◮ Adversarial attacks have been widely studied to simulate these perturbations. ◮ Two typical and widely used attack methods: Fast Gradient Sign Method (FGSM) and Projected Gradient Descent (PGD). 7 / 21

  8. Generate Adversarial Images Fast Gradient Sign Method (FGSM) ◮ Direction of gradient: sign ( ∇ x L ( θ, x , y )) , with loss function L ( θ, x , y ) . ◮ Generates new input image with constrained perturbation δ : x ′ = x + δ = x + ǫ · sign ( ∇ x L ( θ, x , y )) , (1) s . t . � δ � ≤ ǫ. 8 / 21

  9. Generate Adversarial Images Fast Gradient Sign Method (FGSM) ◮ Direction of gradient: sign ( ∇ x L ( θ, x , y )) , with loss function L ( θ, x , y ) . ◮ Generates new input image with constrained perturbation δ : x ′ = x + δ = x + ǫ · sign ( ∇ x L ( θ, x , y )) , (1) s . t . � δ � ≤ ǫ. Projected Gradient Descent (PGD) ◮ Contains several attack steps: � x t + 1 = ( x t + α · sign ( ∇ x L ( θ, x , y ))) (2) x + S 8 / 21

  10. Adversarial Training Traditional Training Method ◮ The typical form of most adversarial training algorithms involve training of target model on adversarial images. ◮ Adversarial training methods perform the following min-max training strategy shown as below: min max L ( x + δ, θ ; y ) , s . t . � δ � p ≤ ǫ, θ δ where � · � p is the ℓ p -norm. 9 / 21

  11. Adversarial Training Traditional Training Method ◮ The typical form of most adversarial training algorithms involve training of target model on adversarial images. ◮ Adversarial training methods perform the following min-max training strategy shown as below: min max L ( x + δ, θ ; y ) , s . t . � δ � p ≤ ǫ, θ δ where � · � p is the ℓ p -norm. Stereo-based Training method min max δ l ,δ r L ( x l + δ l , x r + δ r , θ ; y ) , θ s . t . � δ l � p ≤ ǫ, � δ r � p ≤ ǫ where x l and x r represent left and right images, and δ l and δ r represent the perturbations on the left and right images respectively. 9 / 21

  12. Stereo-Based Regularizer For sibling branches ◮ Let f l ( · ) and f r ( · ) denote the features learned from left and right images. ◮ Distance between left and right images: Left Box d ( x l , x r ) = � f l ( x l ) − f r ( x r ) � n . Right Box ◮ Distance between two images with perturbations: d ( x l + δ l , x r + δ r ) = � f l ( x l + δ l ) − f r ( x r + δ r ) � n . ◮ Add a margin m to reinforce the optimization of the distance function. d ( x l , x r ) = � f l ( x l ) − f r ( x r ) + m � n , d ( x l + δ l , x r + δ r ) = � f l ( x l + δ l ) − f r ( x r + δ r ) + m � n . 10 / 21

  13. Stereo-Based Regularizer For sibling branches ◮ The distance after attacks should be close to the original distance: L b = | d ( x l + δ l , x r + δ r ) − d ( x l , x r ) | . 11 / 21

  14. Stereo-Based Regularizer For sibling branches ◮ The distance after attacks should be close to the original distance: L b = | d ( x l + δ l , x r + δ r ) − d ( x l , x r ) | . For single branch ◮ The left and right features are used as the joint inputs: L m = � f m ( x l + δ l , x r + δ r ) − f m ( x l , x r ) � n . 11 / 21

  15. Stereo-Based Regularizer For sibling branches ◮ The distance after attacks should be close to the original distance: L b = | d ( x l + δ l , x r + δ r ) − d ( x l , x r ) | . For single branch ◮ The left and right features are used as the joint inputs: L m = � f m ( x l + δ l , x r + δ r ) − f m ( x l , x r ) � n . New objective function L = L o + L b + L m , where L o is the original objective function. 11 / 21

  16. Local Smoothness Optimization Adversarial Robustness through Local Linearization ◮ Encourage the loss to behave linearly in the vicinity of training data. ◮ Approximate the loss function by its linear Taylor expansion in a small neighborhood. ◮ Take f l ( · ) as an example, the first-order Taylor remainder h l ( ǫ, x l ) is given by : h l ( ǫ, x l ) = � δ l ∇ x l f l ( x l ) + f l ( x l + δ l ) − f l ( x l ) − δ l ∇ x l f l ( x l ) � n . ◮ Define γ l ( x l , ǫ ) as the maximum of h l ( ǫ, x l ) : γ l ( ǫ, x l ) = max � δ l � p ≤ ǫ h l ( ǫ, x l ) . (3) 12 / 21

  17. Local Smoothness Optimization Relaxation of regularizers ◮ According to the triangle inequality, � f l ( x l + δ l ) − f l ( x l ) � n is further relaxed to be: � f l ( x l + δ l ) − f l ( x l ) � n ≈� δ l ∇ x l f l ( x l ) + f l ( x l + δ l ) − f l ( x l ) − δ l ∇ x l f l ( x l ) � n ≤� δ l ∇ x l f l ( x l ) � n + � f l ( x l + δ l ) − f l ( x l ) − δ l ∇ x l f l ( x l ) � n ≤� δ l ∇ x l f l ( x l ) � n + γ l ( x l , ǫ ) , 13 / 21

  18. Local Smoothness Optimization Relaxation of regularizers ◮ According to the triangle inequality, � f l ( x l + δ l ) − f l ( x l ) � n is further relaxed to be: � f l ( x l + δ l ) − f l ( x l ) � n ≈� δ l ∇ x l f l ( x l ) + f l ( x l + δ l ) − f l ( x l ) − δ l ∇ x l f l ( x l ) � n ≤� δ l ∇ x l f l ( x l ) � n + � f l ( x l + δ l ) − f l ( x l ) − δ l ∇ x l f l ( x l ) � n ≤� δ l ∇ x l f l ( x l ) � n + γ l ( x l , ǫ ) , ◮ Accordingly, the regularization term L b is relaxed as: L b = | � f l ( x l + δ l ) − f r ( x r + δ r ) + m � n − � f l ( x l ) − f r ( x r ) + m � n | ≤ � f l ( x l + δ l ) − f r ( x l ) � n + � f l ( x r + δ r ) − f r ( x r ) � n ≤ � δ l ∇ x l f l ( x l ) � n + γ l ( ǫ, x l ) + � δ r ∇ x r f r ( x r ) � n + γ r ( ǫ, x r ) , where γ l ( ǫ, x l ) = max � δ l � p ≤ ǫ h l ( ǫ, x l ) and γ r ( ǫ, x r ) = max � δ r � p ≤ ǫ h r ( ǫ, x r ) . 13 / 21

  19. Local Smoothness Optimization Relaxation of regularizers ◮ The regularization term for the single branch is relaxed as: L m = � f m ( x l + δ l , x r + δ r ) − f m ( x l , x r ) � n ≤ � δ l ∇ x l f m ( x l , x r ) + δ r ∇ x r f m ( x l , x r ) � n + γ m ( ǫ, x l , x r ) , where γ m ( ǫ, x l , x r ) is the maximum of the high-order remainder h m ( ǫ, x l , x r ) . 14 / 21

  20. Local Smoothness Optimization Relaxation of regularizers ◮ The regularization term for the single branch is relaxed as: L m = � f m ( x l + δ l , x r + δ r ) − f m ( x l , x r ) � n ≤ � δ l ∇ x l f m ( x l , x r ) + δ r ∇ x r f m ( x l , x r ) � n + γ m ( ǫ, x l , x r ) , where γ m ( ǫ, x l , x r ) is the maximum of the high-order remainder h m ( ǫ, x l , x r ) . ◮ They are defined as follows: h m ( ǫ, x l , x r ) = � f m ( x l + δ l , x r + δ r ) − f m ( x l , x r ) − δ l ∇ x l f m ( x l , x r ) − δ r ∇ x r f m ( x l , x r ) � n , γ m ( ǫ, x l , x r ) = � δ l � p ≤ ǫ, � δ r � p ≤ ǫ. h m ( ǫ, x l , x r ) . max 14 / 21

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Towards Robust LiDAR-based Perception in Autonomous Driving: General Black-box Adversarial Sensor

Towards Robust LiDAR-based Perception in Autonomous Driving: General Black-box Adversarial Sensor

Towards Robust LiDAR-based Perception in Autonomous Driving: General Black-box Adversarial Sensor Attack and Countermeasures Jiachen Sun 1 Yulong Cao 1 , Qi Alfred Chen 2 , and Z. Morley Mao 1 1 2 Autonomous Vehicle (AV) Perception

525 views • 38 slides
Counteracting Denial-of-Sleep Attacks in Wake-up-based Sensing Systems Angelo T. Capossele,

Counteracting Denial-of-Sleep Attacks in Wake-up-based Sensing Systems Angelo T. Capossele,

IEEE SECON 2016 Counteracting Denial-of-Sleep Attacks in Wake-up-based Sensing Systems Angelo T. Capossele, Valerio Cervo, Chiara Petrioli, Dora Spenza Motivation: Duty Cycling Tradeoff between energy saving and data latency Low duty cycle

337 views • 13 slides
Adversarial Training Attacks on Deep Networks and Generative Adversarial Networks Erkut Erdem

Adversarial Training Attacks on Deep Networks and Generative Adversarial Networks Erkut Erdem

images from Geris Game (Pixar, 1997) Adversarial Training Attacks on Deep Networks and Generative Adversarial Networks Erkut Erdem Aykut Erdem Levent Karacan Computer Vision Lab, Hacettepe University Outline Part 1: Attacks on

1.11k views • 72 slides
Friendly Adversarial Training: Attacks Which Do Not Kill Training Make Adversarial Learning

Friendly Adversarial Training: Attacks Which Do Not Kill Training Make Adversarial Learning

Friendly Adversarial Training: Attacks Which Do Not Kill Training Make Adversarial Learning Stronger Jingfeng Zhang 1 * , Xilie Xu 2* , Bo Han 34 , Gang Niu 4 , Lichen Cui 5 , Masashi Sugiyama 46 , and Mohan Kankanhalli 1 1 Department of Computer

376 views • 14 slides
Autonomous Driving: The Good The Bad and The Ugly When do you launch the product? Whos

Autonomous Driving: The Good The Bad and The Ugly When do you launch the product? Whos

Autonomous Driving: The Good The Bad and The Ugly When do you launch the product? Whos TuSimple? Whats level 4 Why trucks? Camera or LiDAR? Xiaodi Hou TuSimple Building an autonomous truck 4 pillars of autonomous driving Algorithms

530 views • 40 slides
AUTONOMOUS DRIVING IN AGRICULTURE LEADING TO AUTONOMOUS WORKSITE SOLUTIONS Dr. John F. Reid,

AUTONOMOUS DRIVING IN AGRICULTURE LEADING TO AUTONOMOUS WORKSITE SOLUTIONS Dr. John F. Reid,

AUTONOMOUS DRIVING IN AGRICULTURE LEADING TO AUTONOMOUS WORKSITE SOLUTIONS Dr. John F. Reid, John Deere Dr. John F. Reid Experience and Perspective on Autonomous Driving: Off-road PhD. Research in Automatic Guidance (1983-1986)

339 views • 33 slides
Stronger and Faster Wasserstein Adversarial Attacks Kaiwen Wu kaiwen.wu@uwaterloo.ca Joint work

Stronger and Faster Wasserstein Adversarial Attacks Kaiwen Wu kaiwen.wu@uwaterloo.ca Joint work

Stronger and Faster Wasserstein Adversarial Attacks Kaiwen Wu kaiwen.wu@uwaterloo.ca Joint work with Allen Wang and Yaoliang Yu K.Wu, A.Wang and Y.Yu Wasserstein Adversarial Attacks July 29, 2020 1 / 18 Adversarial Examples Adversarial

1.04k views • 38 slides
T echnical and Legal Challenges for Urban Autonomous Driving Seung-Woo Seo, Prof. Vehicle

T echnical and Legal Challenges for Urban Autonomous Driving Seung-Woo Seo, Prof. Vehicle

T echnical and Legal Challenges for Urban Autonomous Driving Seung-Woo Seo, Prof. Vehicle Intelligence Lab. Seoul National University sseo@snu.ac.kr I. Main Challenges for Urban Autonomous Driving I. Dilemma in Autonomous Driving II.

713 views • 27 slides
Visual Scene Understanding for Autonomous Driving Raquel Urtasun University of Toronto Oct 3,

Visual Scene Understanding for Autonomous Driving Raquel Urtasun University of Toronto Oct 3,

Visual Scene Understanding for Autonomous Driving Raquel Urtasun University of Toronto Oct 3, 2014 R. Urtasun ( UofT) Autonomous Driving Oct 3, 2014 1 / 34 Autonomous Driving State of the art Localization, path planning, obstacle avoidance

661 views • 45 slides
AUTONOMOUS DRIVING FRENCH NATIONAL PLAN NEW FRANCE FOR INDUSTRY (NFI) PLAN JF SENCERIN

AUTONOMOUS DRIVING FRENCH NATIONAL PLAN NEW FRANCE FOR INDUSTRY (NFI) PLAN JF SENCERIN

AUTONOMOUS DRIVING FRENCH NATIONAL PLAN NEW FRANCE FOR INDUSTRY (NFI) PLAN JF SENCERIN AUTONOMOUS DRIVING NFI PROGRAM DIRECTOR, RENAULT AUTONOMOUS DRIVING FRENCH NATIONAL PLAN Affordable autonomous vehicles for all from 2020 3

84 views • 7 slides
AI and Self-Driving Cars Heechul Yun Autonomous Car

AI and Self-Driving Cars Heechul Yun Autonomous Car

AI and Self-Driving Cars Heechul Yun Autonomous Car https://www.latimes.com/business/autos/la-fi-waymo-self-driving-california-20181030-story.html 2 Levels of Automation (SAE J3016) L1 Some cars today L2 Tesla L3 Uber

427 views • 28 slides
Confidence-Calibrated Adversarial Training Generalizing to Unseen Attacks David Stutz, Matthias

Confidence-Calibrated Adversarial Training Generalizing to Unseen Attacks David Stutz, Matthias

Confidence-Calibrated Adversarial Training Generalizing to Unseen Attacks David Stutz, Matthias Hein, Bernt Schiele 2-Minute Overview Problem: Robustness to various adversarial examples. Adversarial training on L adversarial examples:

635 views • 34 slides
Car to car communication of autonomous driving vehicles in dangerous situations NAME: FABIAN

Car to car communication of autonomous driving vehicles in dangerous situations NAME: FABIAN

Car to car communication of autonomous driving vehicles in dangerous situations NAME: FABIAN KALEUN MODULE: INTELLIGENT ROBOTICS MATRICULATION NR.: 7324727 Content 1. Introduction to autonomous driving vehicles 2. How car to car

1.02k views • 33 slides
Autonomous driving : French policy update F-US roundtable Connected and autonomous vehicles : a

Autonomous driving : French policy update F-US roundtable Connected and autonomous vehicles : a

Autonomous driving : French policy update F-US roundtable Connected and autonomous vehicles : a State of Play Washington, DC, January 10, 2018 Xavier Delache Ministre de la Transition Ecologique et Solidaire

446 views • 27 slides
S9932: LEARNING TO BOOST S9932: LEARNING TO BOOST ROBUSTNESS FOR ROBUSTNESS FOR AUTONOMOUS

S9932: LEARNING TO BOOST S9932: LEARNING TO BOOST ROBUSTNESS FOR ROBUSTNESS FOR AUTONOMOUS

S9932: LEARNING TO BOOST S9932: LEARNING TO BOOST ROBUSTNESS FOR ROBUSTNESS FOR AUTONOMOUS DRIVING AUTONOMOUS DRIVING Bernhard Firner, March 20, 2019 AUTONOMOUS DRIVING Sounds simple Actually pretty diffjcult Can start with sub-domains to

798 views • 49 slides
Commercialize Autonomous Driving From Lab to Production Line Dr. Xing Yuan | Baidu, Inc. Now,

Commercialize Autonomous Driving From Lab to Production Line Dr. Xing Yuan | Baidu, Inc. Now,

Commercialize Autonomous Driving From Lab to Production Line Dr. Xing Yuan | Baidu, Inc. Now, Baidu is an AI company Accelerate AI Productization & Commercialization via Open Platforms & Ecosystems Paradigm Shift: Autonomous Driving in

236 views • 23 slides
Triangle Rasterization Sung-Eui Yoon ( ) ( ) C Course URL: URL

Triangle Rasterization Sung-Eui Yoon ( ) ( ) C Course URL: URL

Introduction to Computer Graphics and OpenGL p p p Triangle Rasterization Sung-Eui Yoon ( ) ( ) C Course URL: URL http://sglab.kaist.ac.kr/~sungeui/ETRI_CG/ Class Objectives Class Objectives Understand triangle

987 views • 49 slides
Distance Metric Learning: Beyond 0/1 Loss Praveen Krishnan CVIT, IIIT Hyderabad June 14, 2017 1

Distance Metric Learning: Beyond 0/1 Loss Praveen Krishnan CVIT, IIIT Hyderabad June 14, 2017 1

Distance Metric Learning: Beyond 0/1 Loss Praveen Krishnan CVIT, IIIT Hyderabad June 14, 2017 1 Outline Distances and Similarities Distance Metric Learning Mahalanobis Distances Metric Learning Formulation Mahalanobis metric for clustering

716 views • 44 slides
Perceptron Algorithm An aside: a hyperplane is a perceptron. (single layer neural network, do you

Perceptron Algorithm An aside: a hyperplane is a perceptron. (single layer neural network, do you

Perceptron Algorithm An aside: a hyperplane is a perceptron. (single layer neural network, do you see? Linear programming!) Labelled points with x 1 ,..., x n . Alg: Given x 1 ,..., x n . Hyperplane separator. + Let w 1 = x 1 .

322 views • 3 slides
Lecture 7: Arora Rao Vazirani Lecture Outline Part I: Semidefinite Programming Relaxation for

Lecture 7: Arora Rao Vazirani Lecture Outline Part I: Semidefinite Programming Relaxation for

Lecture 7: Arora Rao Vazirani Lecture Outline Part I: Semidefinite Programming Relaxation for Sparsest Cut Part II: Combining Approaches Part III: Arora-Rao-Vazirani Analysis Overview Part IV: Analyzing Matchings of Close Points

722 views • 56 slides
Cloth Simulation CSE169: Computer Animation Instructor: Steve Rotenberg UCSD, Winter 2018 Cloth

Cloth Simulation CSE169: Computer Animation Instructor: Steve Rotenberg UCSD, Winter 2018 Cloth

Cloth Simulation CSE169: Computer Animation Instructor: Steve Rotenberg UCSD, Winter 2018 Cloth Simulation Cloth simulation has been an important topic in computer animation since the early 1980s It has been extensively researched,

599 views • 45 slides
Finding Shortest Paths Shortest Path Problem Shortest Path Problem We are given a graph G = ( V ,

Finding Shortest Paths Shortest Path Problem Shortest Path Problem We are given a graph G = ( V ,

Finding Shortest Paths Shortest Path Problem Shortest Path Problem We are given a graph G = ( V , E ) and an edge weight function : E R . Length of a Path The length or weight ( P ) of a path P = { v 1 , v 2 , . . . , v l } with at

495 views • 20 slides
Buffons needle probability of rational product Cantor sets Izabella Laba The Abel

Buffons needle probability of rational product Cantor sets Izabella Laba The Abel

Buffons needle probability of rational product Cantor sets Izabella Laba The Abel Symposium, Oslo, August 2012 Izabella Laba Buffons needle probability of rational product Cantor sets The Favard length problem Let E =

954 views • 82 slides
Inductive Theorem Proving Automated Reasoning Petros Papapanagiotou

Inductive Theorem Proving Automated Reasoning Petros Papapanagiotou

Introduction Inductive Proofs Automation Conclusion Inductive Theorem Proving Automated Reasoning Petros Papapanagiotou P.Papapanagiotou@sms.ed.ac.uk 11 October 2012 Petros Papapanagiotou Inductive Theorem Proving Introduction Inductive

379 views • 34 slides

More recommend