A Multi-Agent Security Testbed for the Analysis of Attacks and Defenses in Collaborative Sensor Fusion

TL;DR

This work tackles the security of multi-agent collaborative sensor fusion in autonomous vehicles by introducing MAST, a ROS2-based security testbed that integrates the AVstack pipeline with CARLA/hallyburton multi-agent datasets. It formalizes threat models with uncoordinated and coordinated adversaries, and demonstrates how centralized fusion can be vulnerable to manipulation through case studies and Monte Carlo analyses. The authors provide a bridge between ROS2 and AVstack, an automated high-level configuration approach for rapid pipeline prototyping, and a scalable launch framework to vary agent/adversary counts at runtime $k_{FP} \sim \mathrm{Pois}(\lambda)$ and $k_{FN} = r \cdot |D|$, highlighting the need for security-aware MS/MA architectures. Overall, MAST enables near-real-time security evaluation of MS/MA autonomy and shows that protecting the command center integrity is critical to maintaining reliable situational awareness in adversarial settings.

Abstract

The performance and safety of autonomous vehicles (AVs) deteriorates under adverse environments and adversarial actors. The investment in multi-sensor, multi-agent (MSMA) AVs is meant to promote improved efficiency of travel and mitigate safety risks. Unfortunately, minimal investment has been made to develop security-aware MSMA sensor fusion pipelines leaving them vulnerable to adversaries. To advance security analysis of AVs, we develop the Multi-Agent Security Testbed, MAST, in the Robot Operating System (ROS2). Our framework is scalable for general AV scenarios and is integrated with recent multi-agent datasets. We construct the first bridge between AVstack and ROS and develop automated AV pipeline builds to enable rapid AV prototyping. We tackle the challenge of deploying variable numbers of agent/adversary nodes at launch-time with dynamic topic remapping. Using this testbed, we motivate the need for security-aware AV architectures by exposing the vulnerability of centralized multi-agent fusion pipelines to (un)coordinated adversary models in case studies and Monte Carlo analysis.

Figures (6)

• Figure 1: (a) Ownship operations use local information for safety-critical planning and incorporate external knowledge for mission-critical. Safety-critical is partitioned to mitigate impact of adversarial actors in the sensing network. (b) Command center integrates situational awareness from all agents. Collation synchronizes data while clustering, fusion, and group tracking distill agents' tracks into a unified operating picture.
• Figure 2: (a) Bird's-eye-view of multi-agent simulation under an unattacked scenario. Tracked object state estimates (green) overlap with ground truth object locations (blue). Agents (yellow) are positioned in the scene for case-study purposes and clearly do not provide full coverage over the town. Four infrastructure agents and one mobile agent ("ego") provide object estimates to the CC. All tracks are pushed to the visualizer for real-time feedback. (b, c) Image and LiDAR data, respectively, from ego agent with tracked objects from command center overlayed in green.
• Figure 3: (a) We model uncoordinated adversaries as directly manipulating detections from perception. Each adversary has its own local objective. This model can encompass physical access, sensing channels, and compromised model attack surfaces. (b) In the coordinated case, adversaries communicate with an attack coordinator to synchronize attack objective functions. We model this threat at the network level where communication links are compromised.
• Figure 4: Baseline: (a) Ego experiences strong occlusion in local information compared to (b) fusing multi-agent information from CC. (c, d) Bird's-eye view (BEV) companions to (a, b) with boxes on LiDAR data. (e) An infrastructure sensor provides a collaborative vantage point on the same scene. Multiple agents can mitigate ground-vehicle occlusions.
• Figure 5: Two of four agents are compromised in uncoordinated attack. (a) Compromised agent has attacker-induced false positives and negatives. (b) Attacks compromise CC and propagate into ego's fused state. Ego does not suffer from false negatives because other agents can correctly identify existing objects. This is due to attacks being uncoordinated. (c, d) BEV companions to (a, b) with track states marked in boxes.