Efficient Black-Box Adversarial Attacks for Deep Driving Maneuver Classification Models

Abstract

Deep Neural Network (DNN) models are expected to be widely used in self-driven autonomous vehicles to understand surrounding environments and enhance driving safety. In this paper, we propose a Fast Black-box Adversarial (FBA) attack for time-series DNN models in connected autonomous vehicle (CAV) scenarios. In this attack, an attacker sends false driving signals to a vehicle to misclassify its DNN model (e.g., maintaining speed is misclassified to stopping). Though different black-box adversarial attacks have been proposed previously, they are mainly for image classification, which cannot be directly adopted in the CAV scenarios due to two challenges. First, the attack needs to be generated in near real time. Second, it should not be noticeable based on the driving time-series signals. To handle these two challenges, FBA consists of two steps for the adversarial signal generation: offline and online. First, based on our real data analysis observation that each driving maneuver has maneuver-specific similar patterns (in the time-series) regardless of drivers or vehicles, FBA finds the influential input portion for each maneuver as the offline adversarial signal portion. Second, given a benign driving signal input, FBA replaces its influential input portion with the offline adversarial signal portion and smooths the signals, and uses this input as the initial solution to find the optimal perturbation (that leads to successful attack while minimizing the perturbation values) online using the zeroth-order gradient descent method. It significantly reduces the time to find the optimal perturbation since the initial solution is closer to the optimal solution. Our experiments based on real-driving datasets show the effectiveness of FBA in dealing with the two challenges compared with the existing black-box adversarial attacks.