AD$^2$: Analysis and Detection of Adversarial Threats in Visual Perception for End-to-End Autonomous Driving Systems

Ishan Sahu, Somnath Hazra, Somak Aditya, Soumyajit Dey

TL;DR

This work addresses the robustness of end-to-end autonomous driving systems under adversarial perturbations in the visual perception pipeline. It performs closed-loop CARLA experiments with three black-box attack vectors—Poltergeist (motion blur from acoustic interference), SNAL (ghost object injection), and ESIA (electromagnetic interference)—on state-of-the-art agents and demonstrates driving-score degradations up to 99%. To mitigate such threats, it introduces AD$^2$, a lightweight, real-time detector that leverages spatial-temporal attention over multi-camera inputs to identify adversarial frames without requiring access to internal agent latents, achieving superior detection performance (higher AUC/TPR, lower FPR) and efficiency (≈1.6× faster inference and ≈20× fewer parameters vs. a strong baseline). The results underscore persistent vulnerabilities in end-to-end AD systems under visual attacks while showing that external detectors like AD$^2$ can enable safer operation, for example by triggering alarms or safe-mode controllers; future work should address adaptive adversaries and real-world deployment considerations. Key metrics include Driving Score $DS = R \times P$, Route Completion $R$, Infraction Penalty $P$, and Lane Deviation $L_{\text{dev}}$, with $R$ and $P$ formalized in the paper and $DS$ reflecting overall safety performance.

Abstract

End-to-end autonomous driving systems have achieved significant progress, yet their adversarial robustness remains largely underexplored. In this work, we conduct a closed-loop evaluation of state-of-the-art autonomous driving agents under black-box adversarial threat models in CARLA. Specifically, we consider three representative attack vectors on the visual perception pipeline: (i) a physics-based blur attack induced by acoustic waves, (ii) an electromagnetic interference attack that distorts captured images, and (iii) a digital attack that adds ghost objects as carefully crafted bounded perturbations on images. Our experiments on two advanced agents, Transfuser and Interfuser, reveal severe vulnerabilities to such attacks, with driving scores dropping by up to 99% in the worst case, raising valid safety concerns. To help mitigate such threats, we further propose a lightweight Attack Detection model for Autonomous Driving systems (AD$^2$) based on attention mechanisms that capture spatial-temporal consistency. Comprehensive experiments across multi-camera inputs on CARLA show that our detector achieves superior detection capability and computational efficiency compared to existing approaches.

Paper Structure (22 sections, 9 equations, 9 figures, 10 tables)

Figures (9)

  • Figure 1: Illustration of an adversarial attack on the perception system and a low-latency detector to protect against the attack in an end-to-end closed system model for autonomous driving.
  • Figure 2: Adversarial attack setup for evaluation of end-to-end autonomous driving systems. Red marked labels are used to indicate the change when the system is under attack.
  • Figure 3: Example images from cameras of Transfuser. The 3 cameras in Transfuser and Interfuser have overlapping fields of view.
  • Figure 4: Proposed detection model, AD$^2$, leveraging spatial and temporal consistency.
  • Figure 5: $L_{\text{dev}}$ plots for AD agents. Attacks are with interval $d=1$. Left side of the lane centre is positive. We have different x-axis (Frame number or Timestep) and y-axis (Distance) scales for different configurations. This is due to the different sequence of actions undertaken by the AD system leading to varying driving times. Under strong Poltergeist attack on both agents and ESIA on Transfuser, the vehicle deviation is very high. In such cases, the agent goes outside the lane and ultimately gets blocked by some obstacle. Deviations under SNAL for both agents and under ESIA for Interfuser are comparatively minor.
  • ...and 4 more figures