Multiple robots could perceive a scene (e.g., detect objects) collaboratively better than individuals, although easily suffer from adversarial attacks when using deep learning. This could be addressed by the adversarial defense, but its training requires the often-unknown attacking mechanism. Differently, we propose ROBOSAC, a novel sampling-based defense strategy generalizable to unseen attackers. Our key idea is that collaborative perception should lead to consensus rather than dissensus in results compared to individual perception. This leads to our hypothesize-and-verify framework: perception results with and without collaboration from a random subset of teammates are compared until reaching a consensus. In such a framework, more teammates in the sampled subset often entail better perception performance but require longer sampling time to reject potential attackers. Thus, we derive how many sampling trials are needed to ensure the desired size of an attacker-free subset, or equivalently, the maximum size of such a subset that we can successfully sample within a given number of trials. We validate our method on the task of collaborative 3D object detection in autonomous driving scenarios.

翻译：多机器人协作感知（如目标检测）较单机器人表现更优，但基于深度学习的协作系统易受对抗攻击威胁。现有对抗防御方法需预知攻击机制，而该机制通常未知。为此，我们提出ROBOSAC——一种可泛化至未知攻击者的新型采样策略。核心思想在于：协同感知应使个体感知结果趋向共识而非分歧。基于此，我们构建了"假设-验证"框架：通过对比随机采样队友子集在有/无协作下的感知结果，直至达成共识。在该框架中，采样子集包含的队友越多，感知性能越优，但需要更长的采样时间来剔除潜在攻击者。因此，我们推导出保证无攻击子集期望规模所需的采样次数，等价于给定采样次数内能成功采样的最大无攻击子集规模。我们在自动驾驶场景的协同3D目标检测任务中验证了该方法。