Experimental Evaluation of Security Attacks on Self-Driving Car Platforms

Viet K. Nguyen, Nathan Lee, Mohammad Husain

Abstract

Deep learning-based perception pipelines in autonomous ground vehicles are vulnerable to both adversarial manipulation and network-layer disruption. We present a systematic, on-hardware experimental evaluation of five attack classes, namely FGSM, PGD, man-in-the-middle (MitM), denial-of-service (DoS), and phantom attacks, on low-cost autonomous vehicle platforms (JetRacer and Yahboom). Using a standardized 13-second experimental protocol and comprehensive automated logging, we systematically characterize three dimensions of attack behavior: (i) control deviation, (ii) computational cost, and (iii) runtime responsiveness. Our analysis reveals that distinct attack classes produce consistent and separable "fingerprints" across these dimensions: perception attacks (MitM output manipulation and phantom projection) generate high steering deviation signatures with nominal computational overhead, PGD produces combined steering perturbation and computational load signatures across multiple dimensions, and DoS exhibits frame rate and latency degradation signatures with minimal control-plane perturbation. We demonstrate that our fingerprinting framework generalizes across both digital attacks (adversarial perturbations, network manipulation) and environmental attacks (projected false features), providing a foundation for attack-aware monitoring systems and targeted, signature-based defense mechanisms.

Paper Structure (76 sections, 5 figures, 5 tables)

Figures (5)

  • Figure 1: Perception–control pipeline on the research platforms. Attacks insert either before the model (input pixel-space), between model and controller (output manipulation), along the I/O/network path (DoS/MitM), or in the physical environment before camera capture (Phantom).
  • Figure 2: MitM proxy topology. The attacker interposes as an HTTP proxy on port 5000, modifying (1) uploads/status and/or (2) control messages. The proxy can inject input corruption (noise/blur/synthetic) or bias output control values before they reach the robot.
  • Figure 3: DoS topology. The attacker overwhelms or slows the network path via endpoint floods or network throttling (rate-limit/delay/drop), leading to RX queue bloat and stale inputs on the robot.
  • Figure 4: Attack fingerprints in three-dimensional signature space. Each attack produces a distinctive multi-dimensional profile across steering deviation, computational overhead, and responsiveness dimensions. Values are normalized within each dimension (0-1 scale) to highlight signature patterns rather than absolute magnitudes. MitM (Output) exhibits a control-dominant signature with maximal steering deviation and minimal computational/responsiveness impact. PGD (Untarg.) generates a multi-dimensional signature spanning all three axes, simultaneously perturbing control, computation, and responsiveness. DoS attacks produce responsiveness-dominant signatures with high FPS degradation and minimal control-plane perturbation. FGSM shows a control-moderate signature with intermediate steering impact. These distinct geometric profiles enable attack-class identification and inform targeted defense strategies.
  • Figure 5: Sample frames showing what the perception model receives under different attack conditions. All frames captured at similar track positions to enable direct visual comparison. Top row: (a) Normal operation baseline, (b) FGSM adversarial attack ($\epsilon=1$ in normalized input space), (c) MitM input blur attack. Bottom row: (d) MitM input noise injection, (e) MitM synthetic image replacement, (f) MitM output manipulation.
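
The three-axis fingerprinting described in the abstract and in the Figure 4 caption can be sketched as a monitoring check. This is an added example, not code from the paper: the telemetry values are constructed, and the field names, the `FLOORS` scale guards and the `hi`/`lo` thresholds are assumptions chosen only to mirror the qualitative profiles in the caption.

```python
# Constructed telemetry for illustration; none of these numbers come from the paper.
# steer: mean |steering error|, ms: mean inference time, fps: processed frame rate.
BASELINE = {"steer": 0.02, "ms": 20.0, "fps": 30.0}
RUNS = {
    "run_a": {"steer": 0.45, "ms": 20.5, "fps": 29.5},
    "run_b": {"steer": 0.30, "ms": 95.0, "fps": 12.0},
    "run_c": {"steer": 0.03, "ms": 21.0, "fps": 6.0},
    "run_d": {"steer": 0.18, "ms": 24.0, "fps": 28.0},
    "run_e": {"steer": 0.02, "ms": 20.2, "fps": 29.8},
}
# Assumed minimum per-axis scale so baseline jitter is never stretched to 1.0.
FLOORS = (0.05, 5.0, 3.0)

def raw_signature(run, base=BASELINE):
    """Deviation from baseline on (control, compute, responsiveness), each >= 0."""
    return (max(run["steer"] - base["steer"], 0.0),
            max(run["ms"] - base["ms"], 0.0),
            max(base["fps"] - run["fps"], 0.0))

def normalize(raw_by_run, floors=FLOORS):
    """Scale each axis to 0-1 by its largest observed value (or the floor)."""
    peaks = [max(max(s[i] for s in raw_by_run.values()), floors[i]) for i in range(3)]
    return {name: tuple(s[i] / peaks[i] for i in range(3))
            for name, s in raw_by_run.items()}

def classify(sig, hi=0.6, lo=0.25):
    """Map a normalized signature to a profile; hi/lo thresholds are assumptions."""
    control, compute, resp = sig
    if max(sig) < lo:
        return "nominal"
    if control >= hi and compute < lo and resp < lo:
        return "control-dominant"          # MitM output / phantom profile
    if resp >= hi and control < lo:
        return "responsiveness-dominant"   # DoS profile
    if min(sig) >= lo:
        return "multi-dimensional"         # PGD profile
    if control >= lo and compute < lo and resp < lo:
        return "control-moderate"          # FGSM profile
    return "unclassified"

def fingerprint(runs):
    """Classify every run after normalizing within each dimension."""
    normalized = normalize({n: raw_signature(r) for n, r in runs.items()})
    return {name: classify(sig) for name, sig in normalized.items()}

if __name__ == "__main__":
    for name, label in fingerprint(RUNS).items():
        print(name, label)
```

Because normalization is relative to the runs being compared, the per-axis floors keep a batch containing only benign runs from being scaled into a false alarm.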