Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Evaluating randomized smoothing as a defense against adversarial attacks in trajectory prediction

Julian F. Schumann, Eduardo Figueiredo, Frederik Baymler Mathiesen, Luca Laurenti, Jens Kober, Arkady Zgonnikov

TL;DR

This work develops and evaluates a new defense mechanism for trajectory prediction models based on randomized smoothing -- an approach previously applied successfully in other domains and demonstrates that randomized smoothing offers a simple and computationally inexpensive technique for mitigating adversarial attacks in trajectory prediction.

Abstract

Accurate and robust trajectory prediction is essential for safe and efficient autonomous driving, yet recent work has shown that even state-of-the-art prediction models are highly vulnerable to inputs being mildly perturbed by adversarial attacks. Although model vulnerabilities to such attacks have been studied, work on effective countermeasures remains limited. In this work, we develop and evaluate a new defense mechanism for trajectory prediction models based on randomized smoothing -- an approach previously applied successfully in other domains. We evaluate its ability to improve model robustness through a series of experiments that test different strategies of randomized smoothing. We show that our approach can consistently improve prediction robustness of multiple base trajectory prediction models in various datasets without compromising accuracy in non-adversarial settings. Our results demonstrate that randomized smoothing offers a simple and computationally inexpensive technique for mitigating adversarial attacks in trajectory prediction.

Evaluating randomized smoothing as a defense against adversarial attacks in trajectory prediction

TL;DR

This work develops and evaluates a new defense mechanism for trajectory prediction models based on randomized smoothing -- an approach previously applied successfully in other domains and demonstrates that randomized smoothing offers a simple and computationally inexpensive technique for mitigating adversarial attacks in trajectory prediction.

Abstract

Accurate and robust trajectory prediction is essential for safe and efficient autonomous driving, yet recent work has shown that even state-of-the-art prediction models are highly vulnerable to inputs being mildly perturbed by adversarial attacks. Although model vulnerabilities to such attacks have been studied, work on effective countermeasures remains limited. In this work, we develop and evaluate a new defense mechanism for trajectory prediction models based on randomized smoothing -- an approach previously applied successfully in other domains. We evaluate its ability to improve model robustness through a series of experiments that test different strategies of randomized smoothing. We show that our approach can consistently improve prediction robustness of multiple base trajectory prediction models in various datasets without compromising accuracy in non-adversarial settings. Our results demonstrate that randomized smoothing offers a simple and computationally inexpensive technique for mitigating adversarial attacks in trajectory prediction.
Paper Structure (11 sections, 7 equations, 1 figure, 4 tables)

This paper contains 11 sections, 7 equations, 1 figure, 4 tables.

Table of Contents

  1. Introduction
  2. Background
  3. Adversarial attacks on trajectory prediction models
  4. Randomized smoothing
  5. Randomized smoothing for trajectory prediction
  6. Position-based smoothing
  7. Control-based smoothing
  8. Evaluation
  9. Experiment setup
  10. Results and discussion
  11. Conclusion

Figures (1)

  • Figure 1: An overview of randomized smoothing applied to trajectory prediction. a) In a benign scenario, it can be expected that a well-trained trajectory prediction model $\mathds{P}$ can make predictions which align with the ground truth. b) However, if the target agent, for which predictions are made, uses an adversarial attack, the prediction quality can deteriorate even in state-of-the-art models schumann2025realisticschumann2025step. c) Randomized smoothing can be used to overcome this issue. Instead of the actual past observations of the adversarial agent, the model is applied to multiple randomly perturbed versions of these observations. The final prediction is then built by averaging those separate model predictions.