
Research On Adversarial Attack Defense Methods For Autopilot Based On FPGA

Posted on: 2023-04-02
Degree: Master
Type: Thesis
Country: China
Candidate: Y F Lu
GTID: 2532307097494334
Subject: Electronic and communication engineering
Abstract/Summary:
Autonomous vehicles are widely used in logistics distribution, shared travel, public transportation and other fields, and have a profound impact on urban transportation planning. CNN models are often used as traffic sign classification models in the perception module of autonomous vehicles because of their excellent performance. However, adversarial attacks may cause errors in the inference of the traffic sign classification model, which in turn lead to wrong decisions by the car and cause safety problems. In addition, as the performance of CNN models increases rapidly, their structure becomes more and more complex, so the hardware resources consumed by CNN-based traffic sign classification models increase sharply, resulting in higher energy consumption for autonomous vehicles. This paper aims to improve the robustness of the traffic sign classification model and, based on the FPGA's flexible architecture, to design a traffic sign classifier that can handle a variety of adversarial attacks and achieve a high energy efficiency ratio. This paper mainly completes the following work:

To address the high computational complexity of the 32-bit floating-point parameters of the CNN-based traffic sign classification model, which leads to high consumption of hardware resources, this paper adopts quantization-aware training to quantize the weight parameters and activation parameters of the model to low bit widths, thereby compressing the size of the model parameters and reducing computational complexity. The experimental results on the traffic sign dataset GTSRB show that the full quantization model with 4-bit weights and 2-bit activations compresses the weight parameters to 1/8 of the size of the floating-point weight parameters and the activation parameters to 1/16 of the size of the floating-point activation parameters, and has high classification accuracy and robustness.

To further improve the robustness of the full quantization traffic sign classification model, this paper discusses the impact of various hardware-friendly defense schemes on model robustness, based on two adversarial attack defense algorithms: adversarial training and feature squeezing. The experimental results show that, among the designed defense schemes, adversarial Fast Gradient Sign Method (FGSM) training has the best defense effect: it not only improves the average accuracy of the model on various adversarial examples by 9.81%, but also improves the classification accuracy of the model on the original traffic sign images by 1.09%, and it causes no additional hardware resource consumption.

Combining the above quantization scheme and defense scheme, this paper designs a pipeline architecture that performs on-chip data transmission in units of pixels, and implements an FPGA-based traffic sign classifier with high robustness and energy efficiency. The experimental results on the FPGA show that, after adversarial FGSM training, the average classification accuracy of the classifier on multiple adversarial examples is improved by 8.99%, and the classification accuracy on the original traffic sign images is improved by 2.48%. In addition, compared with the classifier based on Intel Arria10 GX1150 (power consumption of 37.46 W, energy efficiency ratio of 47.38 GOP/(s·W)) and the classifier based on Xilinx XC7Z045 (power consumption of 9.63 W, energy efficiency ratio of 14.22 GOP/(s·W)), the classifier based on Xilinx ZU3EG designed in this paper consumes only 2.765 W and has an energy efficiency ratio of 20.03 GOP/(s·W), which achieves a good trade-off between low power consumption and high energy efficiency ratio.
Keywords/Search Tags:Adversarial attack, Quantization aware training, Full quantization traffic sign classification model, Robustness, FPGA