Research On Adversarial Attack And Defense Method Of Traffic Sign Recognition For Autopilot

With the continuous development of automatic driving technology,traffic sign recognition,as a crucial link in autopilot,has extremely high requirements for safety.Accurate and stable traffic sign recognition is a key technology to realize the next stage of L3 autopilot,and its performance has been significantly improved with the development of deep learning.However,the current traffic sign recognition system has poor ability to resist attacks,and even does not have basic defense capabilities.In order to improve the security of the traffic sign recognition system,it is of great application value to carry out research on adversarial attack and defense methods of traffic sign recognition for autopilot.The specific work of this paper is as follows:(1)A traffic sign patch attack method based on physical perturbation is proposed to achieve effective attacks on traffic sign recognition models in the physical world.Firstly,under different constraints,masks are randomly generated to simulate situations where traffic signs are maliciously stickered,painted or modified in real scenes.Secondly,the algorithm of perturbation generation combined with Gaussian noise is used to generate a printable antiperturbation patch,and it is applied to the traffic sign dataset to generate traffic sign adversarial samples to attack the traffic sign recognition model.(2)Based on the attack method in this paper,a joint defense mechanism combining wavelet transform and adversarial training is proposed.Based on the training strategy of this joint defense mechanism,three adversarial trainings are performed on the traffic sign recognition model,and a robust traffic sign adversarial sample defense model is obtained,which named IYOLO-TS.It can achieve an effective defense against the attack method in this paper.(3)The public traffic sign dataset LISA and the representative recognition model YOLOv5 s are selected for simulation experiments.Firstly,the attack performance of the traffic sign patch attack method based on physical perturbation is verified,and its effectiveness is proved.Secondly,verify the defense performance of the traffic sign adversarial sample defense model based on the joint defense mechanism,and prove its feasibility in defending the attack method in this paper.