Automated driving systems rely on 3D object detectors to recognize possible obstacles from LiDAR point clouds. However, recent works show the adversary can forge non-existent cars in the prediction results with a few fake points (i.e., appearing attack). By removing statistical outliers, existing defenses are however designed for specific attacks or biased by predefined heuristic rules. Towards more comprehensive mitigation, we first systematically inspect the mechanism of recent appearing attacks: Their common weaknesses are observed in crafting fake obstacles which (i) have obvious differences in the local parts compared with real obstacles and (ii) violate the physical relation between depth and point density. In this paper, we propose a novel plug-and-play defensive module which works by side of a trained LiDAR-based object detector to eliminate forged obstacles where a major proportion of local parts have low objectness, i.e., to what degree it belongs to a real object. At the core of our module is a local objectness predictor, which explicitly incorporates the depth information to model the relation between depth and point density, and predicts each local part of an obstacle with an objectness score. Extensive experiments show, our proposed defense eliminates at least 70% cars forged by three known appearing attacks in most cases, while, for the best previous defense, less than 30% forged cars are eliminated. Meanwhile, under the same circumstance, our defense incurs less overhead for AP/precision on cars compared with existing defenses. Furthermore, We validate the effectiveness of our proposed defense on simulation-based closed-loop control driving tests in the open-source system of Baidu's Apollo.

翻译：自动驾驶系统依赖3D目标检测器从激光雷达点云中识别可能的障碍物。然而，近期研究表明，攻击者能够通过少量伪造点（即出现攻击）在预测结果中伪造不存在的车辆。现有防御方法通过移除统计离群点，却仅针对特定攻击设计，或受预定义启发式规则影响而产生偏差。为建立更全面的缓解机制，我们首先系统性地剖析了近期出现攻击的运作机理：其共同弱点体现在构建的伪造障碍物（i）局部区域与真实障碍物存在显著差异，且（ii）违背了深度与点密度之间的物理关系。本文提出一种新颖的即插即用防御模块，可在训练好的基于激光雷达的目标检测器旁协同工作，消除局部区域中大部分目标性（即属于真实物体的程度）较低的伪造障碍物。该模块的核心是局部目标性预测器，其显式融合深度信息以建模深度与点密度的关系，并为障碍物的每个局部区域预测一个目标性得分。大量实验表明，在多数情况下，我们的防御机制可消除三种已知出现攻击伪造的至少70%的车辆，而现有最佳防御方法仅能消除不到30%的伪造车辆。同时，在相同条件下，相比现有防御方法，我们的防御对车辆的平均精度/精度产生的开销更小。此外，我们在百度Apollo开源系统的仿真闭环控制驾驶测试中验证了所提防御的有效性。