Adversarial Examples in Environment Perception for Automated Driving (Review)

Jun Yan, Huilin Yin

TL;DR

This survey analyzes how adversarial examples threaten environment perception in automated driving and surveys two broad defense categories: empirical defenses (notably adversarial training) and certified defenses (such as randomized smoothing and formal verification). It catalogs a wide range of attack families—gradient-based, black-box, universal, and physical attacks—and maps their impact across traffic signs, vehicle/detection, road semantics, LiDAR, and trajectory prediction. The work highlights the gap between robust performance and clean accuracy, discusses SOTIF relevance, and presents practical directions for rapid, edge-friendly defense methods and robust evaluation frameworks. Overall, it argues for integrated, safety-focused strategies that combine robust training, detection, and certified guarantees to enable trustworthy autonomous driving systems.

Abstract

The renaissance of deep learning has led to the massive development of automated driving. However, deep neural networks are vulnerable to adversarial examples. The perturbations of adversarial examples are imperceptible to human eyes but can lead neural networks to make false predictions. This poses a huge risk to artificial intelligence (AI) applications for automated driving. This survey systematically reviews the development of adversarial robustness research over the past decade, including attack and defense methods and their applications in automated driving. The growth of automated driving pushes forward the realization of trustworthy AI applications. This review lists significant references in the research history of adversarial examples.

Paper Structure

This paper contains 42 sections, 2 theorems, 18 equations, 7 figures, 5 tables.

Key Result

Theorem

cohen2019certified: Let $f: \mathbb{R}^{d} \rightarrow \mathcal{Y}$ be any deterministic or random function, and let $\varepsilon \sim \mathcal{N}\left(0, \sigma^{2} I\right)$. Let $g$ be defined as in Eq. (eq:randomized_smoothing_eq1). Suppose $c_{A} \in \mathcal{Y}$ and $\underline{p_{A}}$, Then $g(x+\delta)=c_{A}$ for all $\|\delta\|_{2}<R$, where

Figures (7)

  • Figure 1: The growth of papers related to adversarial robustness (carlini2019blog, Nicholas Carlini's blog).
  • Figure 2: Deep learning systems and the encountered attacks. Adversarial attacks happen in the model prediction process.
  • Figure 3: The threat of adversarial examples in the practical tasks of automated driving.
  • Figure 4: The evaluation paradigm of smoothed classifier cohen2019certified. Left: the decision regions of the base classifier $f$ are marked in different colors. The dotted lines represent the level sets of the distribution $\mathcal{N}\left(x, \sigma^{2} I\right)$. Right: the distribution $\mathcal{N}\left(x, \sigma^{2} I\right)$. Here, $\underline{p_{A}}$ is a lower bound on the probability of the top class, and $\overline{p_{B}}$ is an upper bound on the probability of each other class. The classifier function is in blue.
  • Figure 5: Taxonomy and illustration of different categories of adversarial attacks.
  • ...and 2 more figures

Theorems & Definitions (2)

  • Theorem
  • Theorem