Computer vision plays a critical role in ensuring the safe navigation of autonomous vehicles (AVs). The AV perception module, which enables an AV to recognize traffic signs, traffic lights, and other road users, is central to that safe navigation. However, the perception module is vulnerable to adversarial attacks, which can compromise its accuracy and reliability. One such attack is the adversarial patch attack (APA), in which an adversary strategically places a specially crafted sticker on an object to deceive object classifiers. An APA can cause an AV to misclassify traffic signs, leading to catastrophic incidents. To enhance the security of an AV perception system against APAs, this study develops a Generative Adversarial Network (GAN)-based single-stage defense strategy for traffic sign classification. The approach is designed to defend against APAs across different classes of traffic signs, requires no prior knowledge of a patch's design, and is effective against patches of varying sizes. In addition, the single-stage defense is computationally efficient, requiring significantly less computation time than existing multi-stage defenses, which makes it suitable for real-time deployment in autonomous driving systems. Compared to a classifier without any defense mechanism, our experimental analysis demonstrates that the defense strategy presented in this paper improves the classifier's accuracy under APA conditions by up to 90% for the traffic sign classes considered in this study, and that overall classification accuracy is enhanced by 55% across all traffic signs considered in this study. The defense strategy is model agnostic, making it applicable to any traffic sign classifier regardless of the underlying classification model.