CP-Guard+: A New Paradigm for Malicious Agent Detection and Defense in Collaborative Perception

Senkang Hu, Yihang Tao, Zihan Fang, Guowen Xu, Yiqin Deng, Sam Kwong, Yuguang Fang

TL;DR

This work targets the security of collaborative perception by proposing feature-level malicious agent detection to avoid expensive hypothesize-and-verify approaches. It introduces CP-GuardBench, a dataset for training and evaluating feature-level defenses, and CP-Guard+, a robust detector that uses residual latent features and a Dual-Centered Contrastive Loss to separate benign and malicious features. The approach demonstrated strong detection accuracy, robustness to unseen attacks, and improved computational efficiency (FPS) on CP-GuardBench and V2X-Sim, outperforming prior defend-and-verify baselines. The work provides practical mechanisms to secure CP systems in connected autonomous driving, with significant implications for real-time, scalable defense in multi-vehicle perception.

Abstract

Collaborative perception (CP) is a promising method for safe connected and autonomous driving, which enables multiple vehicles to share sensing information to enhance perception performance. However, compared with single-vehicle perception, the openness of a CP system makes it more vulnerable to malicious attacks that can inject malicious information to mislead the perception of an ego vehicle, resulting in severe risks for safe driving. To mitigate such vulnerability, we first propose a new paradigm for malicious agent detection that effectively identifies malicious agents at the feature level without requiring verification of final perception results, significantly reducing computational overhead. Building on this paradigm, we introduce CP-GuardBench, the first comprehensive dataset provided to train and evaluate various malicious agent detection methods for CP systems. Furthermore, we develop a robust defense method called CP-Guard+, which enhances the margin between the representations of benign and malicious features through a carefully designed Dual-Centered Contrastive Loss (DCCLoss). Finally, we conduct extensive experiments on both CP-GuardBench and V2X-Sim, and demonstrate the superiority of CP-Guard+.

Paper Structure

This paper contains 15 sections, 5 equations, 6 figures, 3 tables.

Figures (6)

  • Figure 1: (a) Illustration of the threat posed by malicious agents in collaborative perception. Malicious CAVs could send intricately crafted adversarial messages to an ego CAV, which will mislead it to generate false positive perception outputs. (b) Comparison between the proposed CP-Guard+ and the traditional hypothesize-and-verify malicious agent detection methods. Hypothesize-and-verify involves multiple rounds of malicious agent detection iterations at the output level and requires the generation of multiple hypothetical outputs for verification, incurring high computational overhead. In contrast, CP-Guard+ directly outputs robust CP results with intermediate feature-level detection, significantly reducing the computational overhead.
  • Figure 2: Automatic Data Generation and Annotation Pipeline. We first train a robust LiDAR collaborative object detector. Then, we discard the detection head and decoder and only keep the backbone as the intermediate feature generator. The data generation pipeline is shown in (a), (b), and (c), where (a) is the intermediate feature generation, (b) is the attack implementation, and (c) is the pair generation and saving.
  • Figure 3: Visualization and Statistics of CP-GuardBench. (a), (b), (c) and (d) visualize the normal intermediate features and the adversarial examples perturbed by different malicious agents. The adversarial examples are almost identical to the normal examples, which indicates the challenge of detecting malicious agents. (e), (f), (g) and (h) are the statistics of CP-GuardBench, including the number of collaborators, attack ratio and attack types.
  • Figure 4: (a) FPS performance comparison between CP-Guard+ and other baselines. (b) Cosine distance between the intermediate features of the malicious agent and the benign agent.
  • Figure 5: (a) Effectiveness of contrastive loss (CL). 'w/o' means without CL. 'w/' means with CL. (b) Effectiveness of DCCLoss. 'w/o' means without DCCLoss. 'w/' means with DCCLoss. (c) Comparison of DCCLoss.
  • ...and 1 more figures