Attack End-to-End Autonomous Driving through Module-Wise Noise

The early end-to-end autonomous driving models combine relatively few tasks. [4] adopts a bounding box-based intermediate representation to construct the motion planner. Considering that Non-Maximum Suppression(NMS) in this method can lead to loss of perceptual information, P3 [5] innovatively designs an end-to-end network that utilizes maps, advanced control instructions, and LIDAR points to generate interpretable intermediate semantic occupancy representations, which facilitates safer trajectory planning. Following P3, MP3 [6] and ST-P3 [7] achieve new improvements. UniAD [8] is the first end-to-end network that integrates full-stack autonomous driving tasks. By thoroughly considering the contributions of each task to autonomous driving and mutual promotion among modules, UniAD significantly surpasses previous sota performance on each task.

Adversarial noise refers to carefully crafted perturbations designed for neural network input data, which are typically small but can cause models to produce complete error outputs [9, 10, 11, 12, 13, 14, 15, 16, 17]. [9] first introduces the concept of adversarial attack and utilizes L-BFGS approximation. Following that, a series of adversarial attack methods are proposed, such as gradient-based methods [18, 19], and optimization-based methods [20]. Although early adversarial attacks primarily target image classification models, they demonstrate the vulnerability of neural networks. Their attack principles have guided the implementation of various attack methods in different tasks, posing a serious threat to the practical application of models in the real world[14, 10, 11].

Let $y=F(x;\theta)$ represent the end-to-end autonomous driving model with parameters $\theta$, which includes $n$ sub modules $\{M_{i}\}_{i=1}^{n}$. The inference stage can be formulated as:

$$Q_{i}=M_{i}(Q_{i-1};\theta_{i}),i=1,2,...,n,$$

(1)

where $Q_{0}=x$ refers to the input images, $Q_{n}=y$ the planned results, and $Q_{i}$ the output intermediate queries of the $i$-th sub module.

In this research, we consider the interaction information among modules as a potential vulnerability. In addition to the input images, we inject adversarial noise $N_{i-1}$ into the input data $Q_{i-1}$ of each submodule $M_{i}$. That is,

$$Q_{i-1}^{adv}=Q_{i-1}+N_{i-1},i=1,2,...,n.$$

(2)

Let $N$ represents the final injected adversarial noise $\{N_{i}\}_{i=0}^{n-1}$, and $y^{adv}=F(x;\theta,N)$ denotes the decision results made by the end-to-end model after inference through each module under noise attack. Our attack objective is to find, for each data set $x$, an adversarial noise $N$ that satisfies the constraint on the perturbation magnitude $\xi$, while ensuring $y^{adv}\neq y$.

Figure 2 presents an overall framework of the proposed method. A complete autonomous driving model comprises perception, prediction and the final planner. We aim to inject adversarial noise into the input of all sub modules in the end-to-end autonomous driving model so mainly focus on the current full-stack autonomous driving model UniAD [8]. Undoubtedly, our noise injection scheme is applicable to any modular end-to-end autonomous driving model.

Images serve as the initial input for the model to perceive the environment, forming the foundation for all subsequent modules. Therefore, we design pixel-level noise specifically for input images, denoted as $N_{I}$. The track module accomplishes multi-object tracking, producing spatiotemporal information $Q_{A}$. Therefore, we design noise $N_{A}$ for the spatiotemporal features of agents. The mapping module models the features of road elements as $Q_{M}$ and we design adversarial noise $N_{M}$ for all map features. $Q_{A}$ and $Q_{M}$ respectively provide dynamic agent features and static scene information for downstream modules. The motion module, based on the aforementioned dynamic and static features, predicts the most likely future trajectory states of all agents, represented as $Q_{T}$. Similarly, we design noise $N_{T}$ for the state of agents. In addition, the motion module also expresses the future intentions of the ego vehicle, represented as $Q_{E}$. We separately design noise $N_{E}$ for $Q_{E}$. Since the occupancy map is ultimately used only in post-processing for collision optimization of the planned trajectory, and this optimization process is non-differentiable, we don’t consider injecting noise into the occupancy map.

We achieve the attack by iteratively optimizing module-wise noise. To be more specific, during the model’s inference stage for each batch of data, we first initialize corresponding adversarial noise randomly within the perturbation constraints for each module, following the forward propagation process of the model. At each iteration, noise injected into the corresponding module is propagated and stored until the final planning stage. We synchronize the update of all noise by the adversarial loss, using it to initialize the noise for the next iteration.

Adversarial loss, essential for noise update, includes attack loss and noise loss. Attack loss seeks to maximize deviation between sub module predictions and actual results, mathematically represented as:

$$L_{att}=L_{track}+L_{map}+L_{motion}+L_{occ}+L_{plan}.$$

(3)

The noise loss is used to constrain the injected adversarial loss to be as minimal as possible. We choose the L2 norm distance to measure the magnitude of module-wise noise. It is represented as:

$$L_{noi}=\sum_{i}\sigma_{i}\cdot||N_{i}||_{2},i=I,A,M,T,E,$$

(4)

where $\sigma_{i}$ are hyper-parameters. The final adversarial loss is represented as:

$$L_{adv}=L_{att}-L_{noi}.$$

(5)

We optimize the noise in a manner similar to PGD, performing gradient ascent on the adversarial noise, namely:

$$N_{i}^{t+1}=\prod_{\epsilon}(N_{i}^{t}+\frac{\epsilon}{\sqrt{k}}\cdot sgn(\nabla_{Ni}L_{adv})),$$

(6)

where k denotes the number of iterations and $\epsilon$ is a hyperparameter that constrains the magnitude of the perturbation.

Dataset. Our robustness evaluation experiments are conducted on the validation split of the large-scale autonomous driving dataset nuScenes [21].

Model. For the target model, we choose the current full-stack autonomous driving model UniAD, which includes complete sub tasks of perception, prediction, and decision. We conduct noise injection according to the five stages of the model as outlined in Section 3.2. For the specific implementation of the attack, we set the number of iterations $k=10$, $\sigma_{I}=8\times 10^{-6}$, $\sigma_{A}=\sigma_{M}=\sigma_{T}=\sigma_{E}=2\times 10^{-4}$.

Metrics. For the metrics, we choose the evaluation methods for five sub tasks adopted in [8].

Baselines. As there are currently no adversarial attacks targeting complex end-to-end autonomous driving models composed of a series of sub modules, we choose attack methods targeting end-to-end regression-based decision models as baselines [3]. In our comparative experiments, we set the maximum allowable perturbation $\epsilon$ for images to 8 and implement Image-specific Attack and Image-agnostic Attack tailored for UniAD.

Results. We provide the robustness evaluation results compared with baselines for the five tasks, as shown in Table 1. Our attack can significantly reduce the performance of all tasks. We measure the main planning performance of the vehicle using the L2 error between the planned trajectory and the ground truth trajectory, as well as the collision rate with obstacles in the ego vehicle’s driving environment. Results indicate that all three attacks lead to errors in the vehicle’s planning, but the proposed attack method poses the greatest threat to the model as it interferes with both the perception and prediction processes during model inference, and the final prediction heavily relies on the inference results of upstream modules, resulting in severe planning errors due to error accumulation. Overall, the attack intensities of the three methods exhibit the same trend across the five tasks, with the Image-specific Attack being much stronger than the Image-agnostic Attack, and our module-wise attack surpassing the Image-specific Attack.