Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

AdvSwap: Covert Adversarial Perturbation with High Frequency Info-swapping for Autonomous Driving Perception

Yuanhao Huang, Qinfan Zhang, Jiandong Xing, Mengyue Cheng, Haiyang Yu, Yilong Ren, Xiao Xiong

TL;DR

AdvSwap introduces a covert adversarial attack for autonomous driving perception by swapping high-frequency information in the wavelet domain using an invertible information-swapping network. The method combines a Wavelet Decomposition Module, an invertible reversible swapping module, and dual optimizers (Adversarial and Classification) to produce $x_{adv}$ that misleads classifiers while remaining visually similar to $x_{orig}$ within a bound $\epsilon$. Across GTSRB and nuScenes, AdvSwap achieves near-perfect attack success with exceptional perceptual quality and transferability, and maintains robustness under selective defenses, demonstrating practical implications for resilience assessment and defense design. The work highlights the significance of high-frequency, information-centric perturbations in covert attacks and provides a framework for evaluating detector robustness under wavelet-domain manipulations.

Abstract

Perception module of Autonomous vehicles (AVs) are increasingly susceptible to be attacked, which exploit vulnerabilities in neural networks through adversarial inputs, thereby compromising the AI safety. Some researches focus on creating covert adversarial samples, but existing global noise techniques are detectable and difficult to deceive the human visual system. This paper introduces a novel adversarial attack method, AdvSwap, which creatively utilizes wavelet-based high-frequency information swapping to generate covert adversarial samples and fool the camera. AdvSwap employs invertible neural network for selective high-frequency information swapping, preserving both forward propagation and data integrity. The scheme effectively removes the original label data and incorporates the guidance image data, producing concealed and robust adversarial samples. Experimental evaluations and comparisons on the GTSRB and nuScenes datasets demonstrate that AdvSwap can make concealed attacks on common traffic targets. The generates adversarial samples are also difficult to perceive by humans and algorithms. Meanwhile, the method has strong attacking robustness and attacking transferability.

AdvSwap: Covert Adversarial Perturbation with High Frequency Info-swapping for Autonomous Driving Perception

TL;DR

AdvSwap introduces a covert adversarial attack for autonomous driving perception by swapping high-frequency information in the wavelet domain using an invertible information-swapping network. The method combines a Wavelet Decomposition Module, an invertible reversible swapping module, and dual optimizers (Adversarial and Classification) to produce that misleads classifiers while remaining visually similar to within a bound . Across GTSRB and nuScenes, AdvSwap achieves near-perfect attack success with exceptional perceptual quality and transferability, and maintains robustness under selective defenses, demonstrating practical implications for resilience assessment and defense design. The work highlights the significance of high-frequency, information-centric perturbations in covert attacks and provides a framework for evaluating detector robustness under wavelet-domain manipulations.

Abstract

Perception module of Autonomous vehicles (AVs) are increasingly susceptible to be attacked, which exploit vulnerabilities in neural networks through adversarial inputs, thereby compromising the AI safety. Some researches focus on creating covert adversarial samples, but existing global noise techniques are detectable and difficult to deceive the human visual system. This paper introduces a novel adversarial attack method, AdvSwap, which creatively utilizes wavelet-based high-frequency information swapping to generate covert adversarial samples and fool the camera. AdvSwap employs invertible neural network for selective high-frequency information swapping, preserving both forward propagation and data integrity. The scheme effectively removes the original label data and incorporates the guidance image data, producing concealed and robust adversarial samples. Experimental evaluations and comparisons on the GTSRB and nuScenes datasets demonstrate that AdvSwap can make concealed attacks on common traffic targets. The generates adversarial samples are also difficult to perceive by humans and algorithms. Meanwhile, the method has strong attacking robustness and attacking transferability.

Paper Structure

This paper contains 29 sections, 7 equations, 7 figures, 4 tables.

Table of Contents

  1. INTRODUCTION
  2. Related Works
  3. Adversarial Attacks
  4. Digital Attacks
  5. Adding and Droping of Perturbation
  6. Covert Attacks
  7. Information Swapping
  8. Wavelet Decomposition
  9. Residual Dense Network
  10. Invertible Block
  11. Proposed Method
  12. Overview
  13. Wavelet Decomposition Module
  14. Invertible Info-swapping Module
  15. Invertible Info-swapping Module
  16. ...and 14 more sections

Figures (7)

  • Figure 1: Perturbation comparison between the generated image and the original image. Adversarial examples generated by three algorithms: (a) Proposed AdvSwap, (b) SSAH luo2022frequency, (c) AdvDrop duan2021advdrop.
  • Figure 2: Overview of the proposed adversarial attack method.
  • Figure 3: The reversible module exchanges wavelet component information for feature extraction and enables deletion of original image information while injecting covert adversarial perturbation.
  • Figure 4: Comparison of adversarial samples and perturbed images generated by the SSAH, AdvDrop and the proposed AdvSwap in GTSRB.
  • Figure 5: Comparison of adversarial samples and perturbed images generated by the SSAH, AdvDrop and the proposed AdvSwap in nuScenes.
  • ...and 2 more figures