Localization in high-level Autonomous Driving (AD) systems is highly security critical. While the popular Multi-Sensor Fusion (MSF) based design can be more robust against single-source sensor spoofing attacks, it is found recently that state-of-the-art MSF algorithms is vulnerable to GPS spoofing alone due to practical factors, which can cause various road hazards such as driving off road or onto the wrong way. In this work, we perform the first systematic exploration of the novel usage of lane detection (LD) to defend against such attacks. We first systematically analyze the potentials of such a domain-specific defense opportunity, and then design a novel LD-based defense approach, $LD^3$, that aims at not only detecting such attacks effectively in the real time, but also safely stopping the victim in the ego lane upon detection considering the absence of onboard human drivers. We evaluate $LD^3$ on real-world sensor traces and find that it can achieve effective and timely detection against existing attack with 100% true positive rates and 0% false positive rates. Results also show that $LD^3$ is robust to diverse environmental conditions and is effective at steering the AD vehicle to safely stop within the current traffic lane. We implement $LD^3$ on two open-source high-level AD systems, Baidu Apollo and Autoware, and validate its defense capability in both simulation and the physical world in end-to-end driving. We further conduct adaptive attack evaluations and find that $LD^3$ is effective at bounding the deviations from reaching the attack goals in stealthy attacks and is robust to latest LD-side attack.

翻译：高级自动驾驶（AD）系统中的定位具有极高的安全性关键。尽管基于多传感器融合（MSF）的主流设计能更有效地抵御单一源传感器欺骗攻击，但最新研究发现，由于实际因素，最先进的MSF算法仅通过GPS欺骗就存在脆弱性，这可能导致车辆驶离道路或逆向行驶等各种道路危险。本文首次系统性探索了利用车道检测（LD）防御此类攻击的新方法。我们首先系统分析了这种领域特定防御机会的潜力，随后设计了一种新颖的基于LD的防御方法$LD^3$，其目标不仅在于实时有效检测此类攻击，还在于考虑无人驾驶乘员缺失的情况下，在检测到攻击时安全地将受害车辆停在本车道内。我们在真实传感器轨迹数据上评估了$LD^3$，结果显示其能针对现有攻击实现有效且及时的检测，真阳性率达到100%，假阳性率为0%。结果还表明，$LD^3$对不同环境条件具有鲁棒性，并能有效引导自动驾驶车辆在当前行车道内安全停车。我们在两个开源高级自动驾驶系统——百度Apollo和Autoware上实现了$LD^3$，并在仿真环境和物理世界的端到端驾驶中验证了其防御能力。我们进一步进行了自适应攻击评估，发现$LD^3$能有效限制隐蔽攻击中偏离攻击目标的偏差，并对最新的LD侧攻击具有鲁棒性。