Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Learning Mutual View Information Graph for Adaptive Adversarial Collaborative Perception

Yihang Tao, Senkang Hu, Haonan An, Zhengru Fang, Hangcheng Cao, Yuguang Fang

TL;DR

MVIG attack is proposed, a novel adaptive adversarial CP framework learning to capture vulnerability knowledge disclosed by different defensive CP systems from a unified mutual view information graph (MVIG) representation that combines MVIG representation with temporal graph learning to generate evolving fabrication risk maps.

Abstract

Collaborative perception (CP) enables data sharing among connected and autonomous vehicles (CAVs) to enhance driving safety. However, CP systems are vulnerable to adversarial attacks where malicious agents forge false objects via feature-level perturbations. Current defensive systems use threshold-based consensus verification by comparing collaborative and ego detection results. Yet, these defenses remain vulnerable to more sophisticated attack strategies that could exploit two critical weaknesses: (i) lack of robustness against attacks with systematic timing and target region optimization, and (ii) inadvertent disclosure of vulnerability knowledge through implicit confidence information in shared collaboration data. In this paper, we propose MVIG attack, a novel adaptive adversarial CP framework learning to capture vulnerability knowledge disclosed by different defensive CP systems from a unified mutual view information graph (MVIG) representation. Our approach combines MVIG representation with temporal graph learning to generate evolving fabrication risk maps and employs entropy-aware vulnerability search to optimize attack location, timing and persistence, enabling adaptive attacks with generalizability across various defensive configurations. Extensive evaluations on OPV2V and Adv-OPV2V datasets demonstrate that MVIG attack reduces defense success rates by up to 62\% against state-of-the-art defenses while achieving 47\% lower detection for persistent attacks at 29.9 FPS, exposing critical security gaps in CP systems. Code will be released at https://github.com/yihangtao/MVIG.git

Learning Mutual View Information Graph for Adaptive Adversarial Collaborative Perception

TL;DR

MVIG attack is proposed, a novel adaptive adversarial CP framework learning to capture vulnerability knowledge disclosed by different defensive CP systems from a unified mutual view information graph (MVIG) representation that combines MVIG representation with temporal graph learning to generate evolving fabrication risk maps.

Abstract

Collaborative perception (CP) enables data sharing among connected and autonomous vehicles (CAVs) to enhance driving safety. However, CP systems are vulnerable to adversarial attacks where malicious agents forge false objects via feature-level perturbations. Current defensive systems use threshold-based consensus verification by comparing collaborative and ego detection results. Yet, these defenses remain vulnerable to more sophisticated attack strategies that could exploit two critical weaknesses: (i) lack of robustness against attacks with systematic timing and target region optimization, and (ii) inadvertent disclosure of vulnerability knowledge through implicit confidence information in shared collaboration data. In this paper, we propose MVIG attack, a novel adaptive adversarial CP framework learning to capture vulnerability knowledge disclosed by different defensive CP systems from a unified mutual view information graph (MVIG) representation. Our approach combines MVIG representation with temporal graph learning to generate evolving fabrication risk maps and employs entropy-aware vulnerability search to optimize attack location, timing and persistence, enabling adaptive attacks with generalizability across various defensive configurations. Extensive evaluations on OPV2V and Adv-OPV2V datasets demonstrate that MVIG attack reduces defense success rates by up to 62\% against state-of-the-art defenses while achieving 47\% lower detection for persistent attacks at 29.9 FPS, exposing critical security gaps in CP systems. Code will be released at https://github.com/yihangtao/MVIG.git
Paper Structure (44 sections, 48 equations, 8 figures, 9 tables, 1 algorithm)

This paper contains 44 sections, 48 equations, 8 figures, 9 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Related Works
  3. Attack Methodology
  4. Attack Formulation
  5. Adversarial Threat Model
  6. MVIG-Based Adaptive Fabrication Attack
  7. Experiments
  8. Experimental Setup
  9. Quantitative Results
  10. Qualitative Results
  11. Ablation Studies
  12. Adaptiveness and Generalizability
  13. Conclusion
  14. Analysis of MVIG Representation
  15. System-Level Vulnerability Characterization
  16. ...and 29 more sections

Figures (8)

  • Figure 1: Overview of adversarial attacks targeting CP systems.
  • Figure 2: Overview of our MVIG attack framework. It begins with transforming historical CAV collaboration data into mutual view information graphs, generates fabrication risk maps via MVIGNet and employs entropy-aware vulnerability search to optimize both attack timing and location, creating persistent, believable fabricated objects in the victim's perception across consecutive frames.
  • Figure 3: ROC curves of different defenders on various CP attacks with different persistence.
  • Figure 4: MVIG attack in CP systems. Green boxes represent predictions without attack, red boxes show predictions after attack. Color-filled polygon regions in (c,g) correspond to GT occupancy information from different CAVs, dark: occupied, light: free, white: unknown.
  • Figure 5: Comparison of persistent attacks and their impacted zones. The BEV flow is calculated by matching the most similar objects in the consecutive detection maps.
  • ...and 3 more figures