The advent of deep learning and its astonishing performance in perception tasks, such as object recognition and classification, has enabled its usage in complex systems, including autonomous vehicles. On the other hand, deep learning models are susceptible to mis-predictions when small, adversarial changes are introduced into their input. Such mis-predictions can be triggered in the real world and can propagate to a failure of the entire system, as opposed to a localized mis-prediction. In recent years, a growing number of research works have investigated ways to mount attacks against autonomous vehicles that exploit deep learning components for perception tasks. Such attacks are directed toward elements of the environment where these systems operate, and their effectiveness is assessed in terms of the system-level failures they trigger. There has, however, been no systematic attempt to analyze and categorize such attacks. In this paper, we present the first taxonomy of system-level attacks against autonomous vehicles. We constructed our taxonomy by first collecting 8,831 papers, then filtering them down to 1,125 candidates and eventually selecting a set of 19 highly relevant papers that satisfy all inclusion criteria. Then, we tagged them with taxonomy categories, involving three assessors per paper. The resulting taxonomy includes 12 top-level categories and several sub-categories. The taxonomy allowed us to investigate the attack features, the most attacked components, the underlying threat models, and the propagation chains from input perturbation to system-level failure. We distilled several lessons for practitioners and identified possible directions for future work for researchers.