SoK: On the Semantic AI Security in Autonomous Driving
Junjie Shen, Ningfei Wang, Ziwen Wan, Yunpeng Luo, Takami Sato, Zhisheng Hu, Xinyang Zhang, Shengjian Guo, Zhenyu Zhong, Kang Li, Ziming Zhao, Chunming Qiao, Qi Alfred Chen
TL;DR
The paper defines semantic AI security for autonomous driving, bridging system-level attack inputs to AI components and AI outputs to system-level driving outcomes. It presents a first comprehensive SoK of 53 semantic AD AI security papers, identifying six key scientific gaps and proposing PASS, an open-source, uniform, system-driven evaluation platform that uses a simulation-centric hybrid design to enable comparable system-level assessments. A STOP-sign case study demonstrates that strong component-level attack performance does not necessarily translate to similar system-level effects, underscoring the AI-to-system semantic gap. The work advocates for community-driven benchmarks, broader defense strategies (including prevention and certified robustness), and open-sourcing to accelerate realistic, usable progress in semantic AD AI security.
Abstract
Autonomous Driving (AD) systems rely on AI components to make safety and correct driving decisions. Unfortunately, today's AI algorithms are known to be generally vulnerable to adversarial attacks. However, for such AI component-level vulnerabilities to be semantically impactful at the system level, it needs to address non-trivial semantic gaps both (1) from the system-level attack input spaces to those at AI component level, and (2) from AI component-level attack impacts to those at the system level. In this paper, we define such research space as semantic AI security as opposed to generic AI security. Over the past 5 years, increasingly more research works are performed to tackle such semantic AI security challenges in AD context, which has started to show an exponential growth trend. In this paper, we perform the first systematization of knowledge of such growing semantic AD AI security research space. In total, we collect and analyze 53 such papers, and systematically taxonomize them based on research aspects critical for the security field. We summarize 6 most substantial scientific gaps observed based on quantitative comparisons both vertically among existing AD AI security works and horizontally with security works from closely-related domains. With these, we are able to provide insights and potential future directions not only at the design level, but also at the research goal, methodology, and community levels. To address the most critical scientific methodology-level gap, we take the initiative to develop an open-source, uniform, and extensible system-driven evaluation platform, named PASS, for the semantic AD AI security research community. We also use our implemented platform prototype to showcase the capabilities and benefits of such a platform using representative semantic AD AI attacks.
