What happens to an autonomous vehicle (AV) if its data are adversarially compromised? Prior security studies have addressed this question through mostly unrealistic threat models, with limited practical relevance, such as white-box adversarial learning or nanometer-scale laser aiming and spoofing. With growing evidence that cyber threats pose real, imminent danger to AVs and cyber-physical systems (CPS) in general, we present and evaluate a novel AV threat model: a cyber-level attacker capable of disrupting sensor data but lacking any situational awareness. We demonstrate that even though the attacker has minimal knowledge and only access to raw data from a single sensor (i.e., LiDAR), she can design several attacks that critically compromise perception and tracking in multi-sensor AVs. To mitigate vulnerabilities and advance secure architectures in AVs, we introduce two improvements for security-aware fusion: a probabilistic data-asymmetry monitor and a scalable track-to-track fusion of 3D LiDAR and monocular detections (T2T-3DLM); we demonstrate that the approaches significantly reduce attack effectiveness. To support objective safety and security evaluations in AVs, we release our security evaluation platform, AVsec, which is built on security-relevant metrics to benchmark AVs on gold-standard longitudinal AV datasets and AV simulators.