This paper introduces an attacking mechanism to challenge the resilience of autonomous driving systems. Specifically, we manipulate the decision-making processes of an autonomous vehicle by dynamically displaying adversarial patches on a screen mounted on another moving vehicle. These patches are optimized to deceive the object detection models into misclassifying targeted objects, e.g., traffic signs. Such manipulation has significant implications for critical multi-vehicle interactions such as intersection crossing and lane changing, which are vital for safe and efficient autonomous driving systems. Particularly, we make four major contributions. First, we introduce a novel adversarial attack approach where the patch is not co-located with its target, enabling more versatile and stealthy attacks. Moreover, our method utilizes dynamic patches displayed on a screen, allowing for adaptive changes and movement, enhancing the flexibility and performance of the attack. To do so, we design a Screen Image Transformation Network (SIT-Net), which simulates environmental effects on the displayed images, narrowing the gap between simulated and real-world scenarios. Further, we integrate a positional loss term into the adversarial training process to increase the success rate of the dynamic attack. Finally, we shift the focus from merely attacking perceptual systems to influencing the decision-making algorithms of self-driving systems. Our experiments demonstrate the first successful implementation of such dynamic adversarial attacks in real-world autonomous driving scenarios, paving the way for advancements in the field of robust and secure autonomous driving.

翻译：本文提出了一种攻击机制，旨在挑战自动驾驶系统的鲁棒性。具体而言，我们通过在另一辆移动车辆上安装的屏幕动态显示对抗补丁，来操控自动驾驶车辆的决策过程。这些补丁经过优化，可诱使目标检测模型对指定目标（如交通标志）进行错误分类。这种操控对关键的多年辆交互场景（如交叉路口通行和变道）具有重大影响，而这些场景直接影响自动驾驶系统的安全性与高效性。本文做出四大贡献：第一，我们提出了一种新型对抗攻击方法，使补丁无需与其目标共位，从而实现更具通用性和隐蔽性的攻击。此外，该方法利用屏幕显示动态补丁，支持自适应变化与移动，增强了攻击的灵活性与性能。为此，我们设计了屏幕图像变换网络（SIT-Net），该网络可模拟环境对显示图像的影响，缩小仿真场景与现实场景之间的差距。进一步地，我们在对抗训练过程中引入位置损失项，以提升动态攻击的成功率。最后，我们将重点从单纯攻击感知系统转向影响自动驾驶系统的决策算法。实验证明，这是首次在真实自动驾驶场景中成功实现此类动态对抗攻击，为鲁棒且安全的自动驾驶领域发展奠定了基础。