towards robust lidar based perception in autonomous
play

Towards Robust LiDAR-based Perception in Autonomous Driving: General - PowerPoint PPT Presentation

Nov 01, 2023 •144 likes •525 views

Towards Robust LiDAR-based Perception in Autonomous Driving: General Black-box Adversarial Sensor Attack and Countermeasures Jiachen Sun 1 Yulong Cao 1 , Qi Alfred Chen 2 , and Z. Morley Mao 1 1 2 Autonomous Vehicle (AV) Perception

  1. Towards Robust LiDAR-based Perception in Autonomous Driving: General Black-box Adversarial Sensor Attack and Countermeasures Jiachen Sun 1 , Yulong Cao 1 , Qi Alfred Chen 2 , and Z. Morley Mao 1 1 2

  2. Autonomous Vehicle (AV) Perception Position Sensors Perception Speed Object Detection Object Future Path Prediction AV Future Path Planning Breaking Steering Control ……. LiDAR: Light Detection And Ranging 2 Picture ref: https://softwareengineeringdaily.com/2017/07/28/self-driving-deep-learning-with-lex-fridman/

  3. Autonomous Vehicle (AV) Perception • Machine learning, especially deep learning , is heavily adopted in state- of-the-art AV perception pipelines. Camera-based Camera Detected Perception Obstacles Model LiDAR-based LiDAR Detected Perception Obstacles Model 3

  4. Related Work: Security of AV Perception • Security of camera-based perception is well studied Found to be vulnerable to adversarial machine learning (AML) attacks in the – physical world. Camera-based Camera Fake Perception Obstacles Model LiDAR-based LiDAR Detected Perception Obstacles Model 1. Eykholt, Kevin, et al. "Physical adversarial examples for object detectors." arXiv preprint arXiv:1807.07769 (2018). 2. Zhao, Yue, et al. "Seeing isn't Believing: Towards More Robust Adversarial Attack Against Real World Object Detectors." Proceedings of the 2019 4 ACM SIGSAC Conference on Computer and Communications Security . 2019.

  5. Related Work: Security of LiDAR-based AV Perception Adv-LiDAR [1] demonstrated LiDAR-based perception is vulnerable to • sensor attack with the help of AML . – Formulation of the sensor attack capability. – Strategically injecting points. [1] Cao, Yulong, et al. "Adversarial sensor attack on lidar-based perception in autonomous driving." Proceedings of the 2019 5 ACM SIGSAC Conference on Computer and Communications Security . 2019.

  6. Related Work: Security of LiDAR-based AV Perception Adv-LiDAR [1] demonstrated LiDAR-based perception is vulnerable to • sensor attack with the help of adversarial machine learning . LiDAR-based LiDAR Detected Fake fake vehicle Perception Obstacles Obstacles Model Optimization Strategically Solving Injecting Points [1] Cao, Yulong, et al. "Adversarial sensor attack on lidar-based perception in autonomous driving." Proceedings of the 2019 6 ACM SIGSAC Conference on Computer and Communications Security . 2019.

  7. Motivation: Limitations of Existing Work • White-box attack limitation – Adv-LiDAR assumes that attackers have full knowledge of LiDAR-based perception model along with its pre- and post-processing modules. LiDAR Fake Pre- DNN Post- Obstacles processing Model processing 7

  8. Motivation: Limitations of Existing Work • White-box attack limitation • Attack generality limitation – Adv-LiDAR only targets Apollo 2.5 model. The designed differentiable approximation function cannot generalize to other models. – Optimized adversarial examples generated by Adv-LiDAR cannot attack other models. differentiable approximation function LiDAR Fake Pre- Apollo 2.5 Post- Obstacles processing Model processing 8

  9. Motivation: Limitations of Existing Work • White-box attack limitation • Attack generality limitation • No practical defense solution – There is no countermeasure proposed, making AVs still open to LiDAR spoofing attacks. differentiable approximation function LiDAR Fake Pre- Apollo 2.5 Post- Obstacles processing Model processing 9

  10. Contributions • Explore a general vulnerability of current LiDAR-based perception architectures. – Construct the first black-box attacks and achieve ~80% mean attack success rates on all target models . 10

  11. Contributions • Explore a general vulnerability of current LiDAR-based perception architectures and construct the first black-box spoofing attack. • Perform the first defense study, proposing CARLO as an anomaly detection module that can be stacked on LiDAR-based perception models. – Reduce the mean attack success rate to ~5.5% without sacrificing the detection accuracy. 11

  12. Contributions • Explore a general vulnerability of current LiDAR-based perception architectures and construct the first black-box spoofing attack. • Perform the first defense study, proposing CARLO as an anomaly detection module that can be stacked on LiDAR-based perception models. • Design the first end-to-end general architecture for robust LiDAR-based perception. – Reduce the mean attack success rate to ~2.3% with similar detection accuracy to the original model. 12

  13. Threat Model • Physical sensor attack capability [1] – Number of points. Attackers can spoof at most 200 points into the LiDAR point clouds. – Location of points . Attackers can modify the distance, altitude, and azimuth of a spoofed point. Azimuth is within 10°. [1] Cao, Yulong, et al. "Adversarial sensor attack on lidar-based perception in autonomous driving." Proceedings of the 2019 13 ACM SIGSAC Conference on Computer and Communications Security . 2019.

  14. Threat Model • Physical sensor attack capability [1] – Number of points: 200 points. – Location of points: distance, altitude, and azimuth (10°). • Attack model Goal: spoofing fake vehicles right in front of the victim AV [1] . – – Attackers can control the spoofed points within the described sensor attack capability. – Attackers are not required to have access to the perception systems. [1] Cao, Yulong, et al. "Adversarial sensor attack on lidar-based perception in autonomous driving." Proceedings of the 2019 14 ACM SIGSAC Conference on Computer and Communications Security . 2019.

  15. Threat Model • Physical sensor attack capability [1] – Number of points: 200 points. – Location of points: distance, altitude, and azimuth (10°). • Attack model Goal: spoofing fake vehicles right in front of the victim AV [1] . – – Within the described sensor attack capability. – Black-box access assumption. • Defense model – We consider defending LiDAR spoofing attacks under both white- and black-box settings. – We focus on software-level countermeasures due to cost concerns. [1] Cao, Yulong, et al. "Adversarial sensor attack on lidar-based perception in autonomous driving." Proceedings of the 2019 15 ACM SIGSAC Conference on Computer and Communications Security . 2019.

  16. State-of-the-art LiDAR-based Perception Models Bird’s-eye view (BEV)-based Model • Baidu Apollo 5.0 [1] (latest version) – – Baidu Apollo 2.5 (model attacked in [2] ) • Voxel-based Model – PointPillars [3] (CVPR’19, used by AutoWare [4] ) VoxelNet [5] (CVPR’18) – • Point-wise Model PointRCNN [6] (CVPR’19) – – Fast PointRCNN [7] (ICCV’19) [1] Baidu Apollo. https://apollo.auto, 2020. [2] Cao, Yulong, et al. "Adversarial sensor attack on lidar-based perception in autonomous driving." Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security . 2019. [3] Lang, Alex H., et al. "Pointpillars: Fast encoders for object detection from point clouds." Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition. 2019. [4] AutoWare.ai. https://gitlab.com/autowarefoundation/autoware.ai, 2020. [5] Zhou, Yin, and Oncel Tuzel. "Voxelnet: End-to-end learning for point cloud based 3d object detection." Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition. 2018. [6] Shi, Shaoshuai, Xiaogang Wang, and Hongsheng Li. "Pointrcnn: 3d object proposal generation and detection from point cloud." Proceedings of the IEEE Conference on Computer 16 Vision and Pattern Recognition . 2019. [7] Chen, Yilun, et al. "Fast point r-cnn." Proceedings of the IEEE International Conference on Computer Vision. 2019.

  17. A General Vulnerability & Black-box Adversarial Sensor Attack

  18. Behind the Scenes of Adv-LiDAR • A valid front-near vehicle (located 5-8 meters right in front of the AV) should contain ~ 2000 reflected points and occupy 15 ° in azimuth [1] . A valid front-near vehicle • However, Adv-LiDAR was able to spoof a fake front-near vehicle by injecting much fewer amount of points ( 80 points). An attack trace generated by Adv-LiDAR [1] Statistical study on KITTI dataset (64-beam LiDAR) KITTI Vision Benchmark: 3D Object Detection. 18 http://www.cvlibs.net/datasets/kitti/eval_object.php?obj_benchmark=3d, 2020.

  19. Behind the Scenes of Adv-LiDAR • Two situations that a valid vehicle contains much fewer points in a LiDAR point cloud: An occluded vehicle – A distant vehicle – 19

  20. False Positives • Based on these observations, we find and validate two false positive (FP) conditions for the models : 1. FP1: If an occluded vehicle can be detected in the pristine point cloud by the model, its point set will be still detected as a vehicle when directly moved to a front-near location. 2. FP2: If a distant vehicle can be detected in the pristine point cloud by the model, its point set will be still detected as a vehicle when directly moved to a front-near location. 20

  21. Vulnerability Identification Attackers can directly exploit such two FP conditions to fool the LiDAR-based perception models and spoof a fake vehicle with much fewer points. 38 points 4.92 ° in azimuth 21

Recommend

New Perspective on Perception and Prediction Pipeline for Autonomous Driving Xinshuo Weng, Kris

New Perspective on Perception and Prediction Pipeline for Autonomous Driving Xinshuo Weng, Kris

New Perspective on Perception and Prediction Pipeline for Autonomous Driving Xinshuo Weng, Kris Kitani Robotics Institute, Carnegie Mellon University August 28, 2020 1 Perception and prediction are important components in the autonomous

988 views • 42 slides
LiDAR Teach-In OSRAM Licht AG | June 20, 2018 | Munich Light is OSRAM Agenda Introduction

LiDAR Teach-In OSRAM Licht AG | June 20, 2018 | Munich Light is OSRAM Agenda Introduction

www.osram.com LiDAR Teach-In OSRAM Licht AG | June 20, 2018 | Munich Light is OSRAM Agenda Introduction Autonomous driving LIDAR technology deep-dive LiDAR@OS: Emitter technologies Outlook OSRAM Licht AG 2 LiDAR Tech

798 views • 22 slides
Perception, Planning and Control F1/10 th Racing Perception, planning and control Localization

Perception, Planning and Control F1/10 th Racing Perception, planning and control Localization

Perception, Planning and Control F1/10 th Racing Perception, planning and control Localization IMU and PID Control LIDAR 2 Perception Sensors: specifications, placement and data Inertial Measurement Unit An I nertial M

1.05k views • 49 slides
Technology Mial Warren VP of Technology October 22, 2019 Outline Introduction to ADAS and

Technology Mial Warren VP of Technology October 22, 2019 Outline Introduction to ADAS and

Navigating Automotive LIDAR Technology Mial Warren VP of Technology October 22, 2019 Outline Introduction to ADAS and LIDAR for automotive use Brief history of LIDAR for autonomous driving Why LIDAR? LIDAR requirements

603 views • 29 slides
Semantic Grid Map based LiDAR Localization in Highly Dynamic Urban Scenarios 12 th IROS20 Workshop

Semantic Grid Map based LiDAR Localization in Highly Dynamic Urban Scenarios 12 th IROS20 Workshop

Semantic Grid Map based LiDAR Localization in Highly Dynamic Urban Scenarios 12 th IROS20 Workshop on Planning, Perception and Navigation for Intelligent Vehicles Oct. 2020 Chenxi Yang, Lei He, Hanyang Zhuang, Chunxiang Wang, Ming Yang *

330 views • 19 slides
Hands-on Intro To Developing Vision and LiDAR Classifier Formula Student Driverless Workshop

Hands-on Intro To Developing Vision and LiDAR Classifier Formula Student Driverless Workshop

Hands-on Intro To Developing Vision and LiDAR Classifier Formula Student Driverless Workshop powered by Introduction Sibo Zhu Zhijian Liu Haotian Tang Perception Lead at Perception Lead at Perception Lead at MIT Driverless

869 views • 61 slides
Robust and Anonymous Information Sharing among Autonomous Vehicles Muktadir Chowdhury, Ashlesh

Robust and Anonymous Information Sharing among Autonomous Vehicles Muktadir Chowdhury, Ashlesh

Robust and Anonymous Information Sharing among Autonomous Vehicles Muktadir Chowdhury, Ashlesh Gawande, Lan Wang Computer Science, U. Memphis Autonomous vehicles need reliable, trustworthy real-time data Car B can help Car A and C avoid

489 views • 6 slides
Autonomous Driving: The Good The Bad and The Ugly When do you launch the product? Whos

Autonomous Driving: The Good The Bad and The Ugly When do you launch the product? Whos

Autonomous Driving: The Good The Bad and The Ugly When do you launch the product? Whos TuSimple? Whats level 4 Why trucks? Camera or LiDAR? Xiaodi Hou TuSimple Building an autonomous truck 4 pillars of autonomous driving Algorithms

530 views • 40 slides
THE PROGRESSION OF LIDAR Tuesday November 12, 2013 Historical LiDAR data Aerial Platforms

THE PROGRESSION OF LIDAR Tuesday November 12, 2013 Historical LiDAR data Aerial Platforms

NYGeoCon 2013 Saratoga Springs, NY THE PROGRESSION OF LIDAR Tuesday November 12, 2013 Historical LiDAR data Aerial Platforms Ground based. Project areas cover several hundred square miles. Typical point densities of 1

385 views • 13 slides
June 22 nd , 2017 Melissa Hendrickson 1 What is LiDAR? 2 LiDAR Returns Distance = (Speed of

June 22 nd , 2017 Melissa Hendrickson 1 What is LiDAR? 2 LiDAR Returns Distance = (Speed of

The multiple uses of LiDAR CDA Basin WAG June 22 nd , 2017 Melissa Hendrickson 1 What is LiDAR? 2 LiDAR Returns Distance = (Speed of Light x Time of Flight)/2 3 Correcting our Existing GIS Databases 4 Mining and Geology 5 Land Form

476 views • 28 slides
Learning to Optimally Segment Point Clouds Peiyun Hu, David Held, Deva Ramanan Carnegie Mellon

Learning to Optimally Segment Point Clouds Peiyun Hu, David Held, Deva Ramanan Carnegie Mellon

Learning to Optimally Segment Point Clouds Peiyun Hu, David Held, Deva Ramanan Carnegie Mellon University Paper ID: 2977 Raw LiDAR Scans Today, most autonomous vehicles perceive the world through LiDAR point clouds. Map-based Preprocessing

453 views • 17 slides
Visual Perception for Autonomous Driving on the NVIDIA DrivePX2 and using SYNTHIA Dr. Juan C.

Visual Perception for Autonomous Driving on the NVIDIA DrivePX2 and using SYNTHIA Dr. Juan C.

Visual Perception for Autonomous Driving on the NVIDIA DrivePX2 and using SYNTHIA Dr. Juan C. Moure Dr. Antonio Espinosa http:// grupsderecerca.uab.cat/hpca4se/en/content/gpu http://adas.cvc.uab.es/elektra/ http://www.synthiadataset.net Our

308 views • 20 slides
Measuring the World: Designing Robust Vehicle Localization for Autonomous Driving Frank Schuster,

Measuring the World: Designing Robust Vehicle Localization for Autonomous Driving Frank Schuster,

Measuring the World: Designing Robust Vehicle Localization for Autonomous Driving Frank Schuster, Dr. Martin Haueis Agenda Motivation: Why measure the world for autonomous driving? Map Content: What do we need to know about the world

401 views • 23 slides
See the View (STV) Project Environmental Perception for Safer and Reliable Autonomous Driving

See the View (STV) Project Environmental Perception for Safer and Reliable Autonomous Driving

See the View (STV) Project Environmental Perception for Safer and Reliable Autonomous Driving Arie Gavriely Arie.Gavriely@vayavision.com Co-funded by the Horizon 2020 program of the European Union Proprietary & Confidential | 1

266 views • 16 slides
LiDAR Surveying and the UAS Phenomena: Understanding How to See the Wood for the Trees

LiDAR Surveying and the UAS Phenomena: Understanding How to See the Wood for the Trees

LiDAR Surveying and the UAS Phenomena: Understanding How to See the Wood for the Trees SEPTEMBER 5 - 7, 2018 Terrestrial Laser Airborne LIDAR Unmanned Aerial Platforms Scanning Systems LiDAR Types Applications Platforms

362 views • 22 slides
Microsystems D i g i t i z i n g Yo u r W o r l d S e a m l e s s l y ADCs for Autonomous

Microsystems D i g i t i z i n g Yo u r W o r l d S e a m l e s s l y ADCs for Autonomous

Seamless Microsystems D i g i t i z i n g Yo u r W o r l d S e a m l e s s l y ADCs for Autonomous Driving Augustine Kuo VP Engineering Seamless Microsystems Seamless Microsystems Background LiDAR and RADAR in Wireless and Consumer cars

423 views • 20 slides
3D Laser Scanning Applications (Terrestrial LiDAR) Presented By: Jody Lounsbury, PLS What is 3D

3D Laser Scanning Applications (Terrestrial LiDAR) Presented By: Jody Lounsbury, PLS What is 3D

3D Laser Scanning Applications (Terrestrial LiDAR) Presented By: Jody Lounsbury, PLS What is 3D Laser Scanning? LIDAR = Light Detecting and Ranging Real-Time, Ground Based, 360 Degree Collection of Three Dimensional Data Using

574 views • 46 slides
WP3 Developing research facilities LIDAR LISA LISA: 2-channels IR-VIS lidar MILI

WP3 Developing research facilities LIDAR LISA LISA: 2-channels IR-VIS lidar MILI

WP3 Developing research facilities LIDAR LISA LISA: 2-channels IR-VIS lidar MILI MILI: 2-channels UV eye- safe scanning lidar RALI RALI: 6-channels multiwavelength lidar FLUORES FLUORES: fluorescence lidar OLI

278 views • 10 slides
Ground-Based LiDAR Ground-Based LiDAR Dr. Robert Kayen Dr. Robert Kayen U.S. Geological Survey

Ground-Based LiDAR Ground-Based LiDAR Dr. Robert Kayen Dr. Robert Kayen U.S. Geological Survey

Ground-Based LiDAR Ground-Based LiDAR Dr. Robert Kayen Dr. Robert Kayen U.S. Geological Survey U.S. Geological Survey Menlo Park, CA Menlo Park, CA The Reconnaissance Problem: The Reconnaissance Problem: We want to collect and archive

322 views • 17 slides
The role of Planes and Edges in Lidar-Inertial Integration Teresa Vidal-Calleja Montreal, May

The role of Planes and Edges in Lidar-Inertial Integration Teresa Vidal-Calleja Montreal, May

The role of Planes and Edges in Lidar-Inertial Integration Teresa Vidal-Calleja Montreal, May 2019 cas.uts.edu.au LIDAR - INERTIAL 3D- Lidar IMU (300kHz points) Lidar Depth (10Hz) IMU Acceleration, velocity (100Hz) Sparse

438 views • 23 slides
Introduction to Static LiDAR Scanning Presented By: Anthony Falbo P.L.S. September 2020 LiDAR

Introduction to Static LiDAR Scanning Presented By: Anthony Falbo P.L.S. September 2020 LiDAR

Introduction to Static LiDAR Scanning Presented By: Anthony Falbo P.L.S. September 2020 LiDAR Scanning Overview Scanning background Applications Strengths Weaknesses Scanning Examples Fisher Associates LiDAR = light

610 views • 20 slides
Embedded Bayesian Perception & Risk Assessment for ADAS & Autonomous Cars Christian

Embedded Bayesian Perception & Risk Assessment for ADAS & Autonomous Cars Christian

Embedded Bayesian Perception & Risk Assessment for ADAS & Autonomous Cars Christian LAUGIER, Research Director at Inria Christian.laugier@inria.fr Contributions from Mathias Perrollaz, Christopher Tay Meng Keat, Stephanie Lefevre,

663 views • 33 slides
Real World Autonomous Agents Coordinate multiple agents Robust Execution of Contingent,

Real World Autonomous Agents Coordinate multiple agents Robust Execution of Contingent,

Massachusetts Institute of Technology Real World Autonomous Agents Coordinate multiple agents Robust Execution of Contingent, Provide robustness Temporally Flexible Plans Stephen Block Andreas Wehowsky, Brian Williams 2 Robustness

278 views • 5 slides
Autonomous Valet Parking Zheng Fang, Yongnan Chen, Ming Zhou, Chao Lu Presenter: Ming Zhou

Autonomous Valet Parking Zheng Fang, Yongnan Chen, Ming Zhou, Chao Lu Presenter: Ming Zhou

Marker-Based Mapping and Localization for Autonomous Valet Parking Zheng Fang, Yongnan Chen, Ming Zhou, Chao Lu Presenter: Ming Zhou E-mail: zhouminganhui@qq.com Robotic Environmental-perception and Autonomous-navigation Lab Faculty of Robotic

448 views • 17 slides

More recommend