Attacks And Defenses For Multimodal Fusion Perception Algorithms In Autonomous Driving

The perception system provides the decision-making basis for the automatic driving system.Therefore,ensuring that the perception system can accurately identify road targets during the automatic driving process is the top priority to ensure the safety of automatic driving.The perception system collects image(or point cloud)data from a camera(or lidar)and feeds it into a perception algorithm to detect road objects.With the gradual maturity of image-based or point cloud-based perception algorithms(single-modal perception algorithms),mainstream technologies have evolved to multimodal perception algorithms based on image and point cloud fusion to improve detection performance and robustness.However,the current research on the safety of perception algorithms mainly focuses on single-modal perception algorithms,which makes the autonomous driving systems based on current mainstream technologies have apparent safety hazards.This paper focuses on the safety issues of multimodal perception algorithms in autonomous driving systems.It proposes countermeasures against attack and defense technologies for multimodal perception algorithms and then provides critical technology accumulation for the analysis and improvement of the safety performance of perception algorithms.In terms of attack techniques of multimodal algorithms,this paper proposes an adversarial sample optimization technique for the mid-stage fusion multimodal perception algorithm,which maximizes the classification,location,and orientation loss of the target detection output in each detection frame.By minimizing the cost through the backpropagation process,the artifact in adversarial samples is eliminated,which could improve the effectiveness of untargeted attacks and ensure the authenticity of the adversarial samples.In terms of defense technology of multimodal algorithms,this paper discusses the defense effects of three data layer defense technologies: feature compression,smooth filtering,and JPEG compression and distillation technology in model layer defense for the above attack algorithms.The student detection network can improve the detection accuracy in attack scenarios;that is,it has better robustness,while other defense methods reduce the detection accuracy of the model.Based on the attack and defense technology of the multimodal detection algorithm proposed in this paper,this paper further designs and implements a multimodal confrontation attack and defense algorithm evaluation system.The system can manage experimental datasets and tasks efficiently.Moreover,it can enable researchers to evaluate attack and defense results qualitatively and quantitatively by visualizing autonomous driving scenes and the attack effects of adversarial samples,which could improve the efficiency of analysis and problem-solve in algorithm research.