Deep neural networks (DNN) have become a common sensing modality in autonomous systems as they allow for semantically perceiving the ambient environment given input images. Nevertheless, DNN models have proven to be vulnerable to adversarial digital and physical attacks. To mitigate this issue, several detection frameworks have been proposed to detect whether a single input image has been manipulated by adversarial digital noise or not. In our prior work, we proposed a real-time detector, called VisionGuard (VG), for adversarial physical attacks against single input images to DNN models. Building upon that work, we propose VisionGuard* (VG*), which couples VG with majority-vote methods, to detect adversarial physical attacks in time-series image data, e.g., videos. This is motivated by autonomous systems applications where images are collected over time using onboard sensors for decision-making purposes. We emphasize that majority-vote mechanisms are quite common in autonomous system applications (among many other applications), e.g., in autonomous driving stacks for object detection. In this paper, we investigate, both theoretically and experimentally, how this widely used mechanism can be leveraged to enhance the performance of adversarial detectors. We have evaluated VG* on videos of both clean and physically attacked traffic signs generated by a state-of-the-art robust physical attack. We provide extensive comparative experiments against detectors that were originally designed for out-of-distribution data and digitally attacked images.
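The following is an added illustration of the majority-vote coupling the abstract describes; it is not code from the VisionGuard authors. It abstracts the per-frame detector (VG) as a stream of 0/1 "attacked" flags, which is an assumption, applies a sliding-window majority vote over a video, and computes the binomial tail that shows why voting over n frames amplifies a per-frame detection probability p (and, by the same formula, suppresses a per-frame false-positive rate).

```python
from collections import deque
from math import comb


def majority_vote(flags, window):
    """Sliding-window majority vote over per-frame detector flags.

    flags:  iterable of 0/1, where 1 means the per-frame detector (e.g. VG)
            flagged that frame as physically attacked.
    window: number of most recent frames that take part in each vote.
    Returns one aggregated decision per frame: 1 when strictly more than half
    of the frames currently in the window are flagged (ties resolve to 0, so an
    even window never flags on a split vote).
    """
    buf = deque(maxlen=window)
    decisions = []
    for f in flags:
        buf.append(int(f))
        decisions.append(1 if sum(buf) > len(buf) / 2 else 0)
    return decisions


def majority_success_prob(p, n):
    """Probability that a majority of n independent frames is flagged when each
    frame is flagged with probability p (binomial upper tail, k > n/2).

    With p = per-frame true-positive rate this is the windowed detection rate;
    with p = per-frame false-positive rate it is the windowed false-alarm rate.
    Independence across frames is an assumption of this model.
    """
    first_majority = n // 2 + 1
    return sum(comb(n, k) * p ** k * (1 - p) ** (n - k)
               for k in range(first_majority, n + 1))


if __name__ == "__main__":
    # Constructed per-frame flags for a short clip of an attacked sign; the
    # isolated 0s stand for frames where the single-image detector misses.
    constructed_flags = [1, 1, 0, 1, 0, 1, 1]
    print(majority_vote(constructed_flags, window=3))
    # A 70% per-frame detector becomes ~84% over a 5-frame majority vote,
    # while a 10% per-frame false-positive rate drops below 1%.
    print(round(majority_success_prob(0.7, 5), 5))
    print(round(majority_success_prob(0.1, 5), 5))
```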