Invisible Triggers, Visible Threats! Road-Style Adversarial Creation Attack for Visual 3D Detection in Autonomous Driving

TL;DR

This work investigates adversarial false-positive attacks on visual 3D detectors in autonomous driving and proposes AdvRoad, a two-stage framework that generates diverse road-style posters via Road-Style Adversary Generation and tailors them to specific scenarios through Scenario-Associated Adaptation. The posters are produced with a GAN-based generator and differentiable image-3D rendering, then refined per scene to maximize deception while maintaining natural road-like textures. Extensive digital and physical experiments demonstrate that AdvRoad can induce ghost objects across multiple detectors and datasets with notable stealth (low perceptual difference) and resilience to defenses, highlighting a practical safety threat to modern AD perception and the need for robust defenses.

Abstract

Modern autonomous driving (AD) systems leverage 3D object detection to perceive foreground objects in 3D environments for subsequent prediction and planning. Visual 3D detection based on RGB cameras provides a cost-effective solution compared to the LiDAR paradigm. While achieving promising detection accuracy, current deep neural network-based models remain highly susceptible to adversarial examples. The underlying safety concerns motivate us to investigate realistic adversarial attacks in AD scenarios. Previous work has demonstrated the feasibility of placing adversarial posters on the road surface to induce hallucinations in the detector. However, the unnatural appearance of the posters makes them easily noticeable by humans, and their fixed content can be readily targeted and defended. To address these limitations, we propose the AdvRoad to generate diverse road-style adversarial posters. The adversaries have naturalistic appearances resembling the road surface while compromising the detector to perceive non-existent objects at the attack locations. We employ a two-stage approach, termed Road-Style Adversary Generation and Scenario-Associated Adaptation, to maximize the attack effectiveness on the input scene while ensuring the natural appearance of the poster, allowing the attack to be carried out stealthily without drawing human attention. Extensive experiments show that AdvRoad generalizes well to different detectors, scenes, and spoofing locations. Moreover, physical attacks further demonstrate the practical threats in real-world environments.

Figures (6)

• Figure 1: Illustration of the adversarial FP attacks on the road. The 3D detection system will perceive a ghost object near the poster. Compared with previous work (left), our poster (right) is harder to attract human attention, making it more likely to pose a real threat.
• Figure 2: The AdvRoad framework. Stage 1 trains an adversarial generator that outputs universal road-style posters; Stage 2 updates the poster (the latent vector) to enhance the attack capability for the given scene.
• Figure 3: Visualizations of attack results in the digital domain. We place the spoofing poster on the road surface to launch the attack. (1) AdvRoad, our road-style naturalistic adversarial poster; (2) AdvPoster wang2025physically, generated by directly optimizing the pixel values; (3) Real Picture, use images of real vehicles as posters.
• Figure 4: Comparison with AdvPoster $w/$ (dash line) and $w/o$ (solid line) defense. All victim models use ResNet50 as image backbone.
• Figure 5: Attack results on the KITTI dataset. The ASRs (%) at different spoofing distances are given.