Recently, multi-agent collaborative (MAC) perception has been proposed and has outperformed traditional single-agent perception in many applications, such as autonomous driving. However, MAC perception is more vulnerable to adversarial attacks than single-agent perception due to the information exchange. The attacker can easily degrade the performance of a victim agent by sending harmful information from a malicious agent nearby. In this paper, we extend adversarial attacks to an important perception task -- MAC object detection, where generic defenses such as adversarial training are no longer effective against these attacks. More importantly, we propose Malicious Agent Detection (MADE), a reactive defense specific to MAC perception that can be deployed by each agent to accurately detect and then remove any potential malicious agent in its local collaboration network. In particular, MADE inspects each agent in the network independently using a semi-supervised anomaly detector based on a double-hypothesis test with the Benjamini-Hochberg procedure to control the false positive rate of the inference. For the two hypothesis tests, we propose a match loss statistic and a collaborative reconstruction loss statistic, respectively, both based on the consistency between the agent to be inspected and the ego agent where our detector is deployed. We conduct comprehensive evaluations on a benchmark 3D dataset V2X-sim and a real-road dataset DAIR-V2X and show that with the protection of MADE, the drops in the average precision compared with the best-case "oracle" defender against our attack are merely 1.28% and 0.34%, respectively, much lower than the 8.92% and 10.00% drops for adversarial training.
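The per-agent double-hypothesis test with the Benjamini-Hochberg procedure can be sketched as follows; this is an added example, not code from the paper or its authors. It assumes empirical p-values computed against benign-only calibration losses, and all function names, loss values, agent ids and the level `alpha = 0.05` are constructed for illustration.

```python
from bisect import bisect_left

# Constructed benign calibration losses (assumption: collected offline from trusted agents only).
CAL_MATCH = [0.10 + 0.002 * i for i in range(200)]
CAL_RECON = [0.50 + 0.005 * i for i in range(200)]

def empirical_p_value(calibration, observed):
    """Share of benign calibration losses at least as large as the observed loss."""
    cal = sorted(calibration)
    at_least = len(cal) - bisect_left(cal, observed)
    return (1 + at_least) / (len(cal) + 1)

def bh_rejects_any(p_values, alpha):
    """Benjamini-Hochberg: reject if some sorted p_(k) <= alpha * k / m."""
    m = len(p_values)
    return any(p <= alpha * k / m for k, p in enumerate(sorted(p_values), start=1))

def inspect_agents(observations, alpha=0.05):
    """Test each agent independently; return (kept, flagged) agent ids."""
    kept, flagged = [], []
    for agent_id, (match_loss, recon_loss) in observations.items():
        p_values = [
            empirical_p_value(CAL_MATCH, match_loss),
            empirical_p_value(CAL_RECON, recon_loss),
        ]
        (flagged if bh_rejects_any(p_values, alpha) else kept).append(agent_id)
    return kept, flagged

# Constructed (match loss, reconstruction loss) pairs measured against the ego agent.
SAMPLE = {
    "rsu_1": (0.211, 0.801),      # consistent with the ego agent on both statistics
    "vehicle_3": (0.485, 0.901),  # one marginal p-value (~0.04): not enough under BH
    "vehicle_7": (0.900, 2.300),  # both losses beyond every calibration sample
}

if __name__ == "__main__":
    kept, flagged = inspect_agents(SAMPLE)
    print("fuse messages from:", kept)
    print("drop messages from:", flagged)
```

With two hypotheses, the smaller p-value must fall below `alpha / 2` or both must fall below `alpha`, which is why the single marginal statistic for `vehicle_3` does not get that agent removed.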