Trajectory prediction systems are critical for autonomous vehicle safety, yet remain vulnerable to adversarial attacks that can cause catastrophic traffic behavior misinterpretations. Existing attack methods require white-box access with gradient information and rely on rigid physical constraints, limiting real-world applicability. We propose DTP-Attack, a decision-based black-box adversarial attack framework tailored for trajectory prediction systems. Our method operates exclusively on binary decision outputs without requiring model internals or gradients, making it practical for real-world scenarios. DTP-Attack employs a novel boundary walking algorithm that navigates adversarial regions without fixed constraints, naturally maintaining trajectory realism through proximity preservation. Unlike existing approaches, our method supports both intention misclassification attacks and prediction accuracy degradation. Extensive evaluation on nuScenes and Apolloscape datasets across state-of-the-art models including Trajectron++ and Grip++ demonstrates superior performance. DTP-Attack achieves 41-81% attack success rates for intention misclassification attacks that manipulate perceived driving maneuvers with perturbations below 0.45 m, and increases prediction errors by 1.9-4.2 for accuracy degradation. Our method consistently outperforms existing black-box approaches while maintaining high controllability and reliability across diverse scenarios. These results reveal fundamental vulnerabilities in current trajectory prediction systems, highlighting urgent needs for robust defenses in safety-critical autonomous driving applications.