
arxiv: 1802.06430 · v3 · pith:WFSLHSY6new · submitted 2018-02-18 · 💻 cs.CR · cs.CV

DARTS: Deceiving Autonomous Cars with Toxic Signs

classification 💻 cs.CR cs.CV
keywords attacks, autonomous, cars, signs, proposed, recognition, sign, toxic

Sign recognition is an integral part of autonomous cars. Any misclassification of traffic signs can potentially lead to a multitude of disastrous consequences, ranging from a life-threatening accident to even a large-scale interruption of transportation services relying on autonomous cars. In this paper, we propose and examine security attacks against sign recognition systems for Deceiving Autonomous caRs with Toxic Signs (we call the proposed attacks DARTS). In particular, we introduce two novel methods to create these toxic signs. First, we propose Out-of-Distribution attacks, which expand the scope of adversarial examples by enabling the adversary to generate these starting from an arbitrary point in the image space compared to prior attacks which are restricted to existing training/test data (In-Distribution). Second, we present the Lenticular Printing attack, which relies on an optical phenomenon to deceive the traffic sign recognition system. We extensively evaluate the effectiveness of the proposed attacks in both virtual and real-world settings and consider both white-box and black-box threat models. Our results demonstrate that the proposed attacks are successful under both settings and threat models. We further show that Out-of-Distribution attacks can outperform In-Distribution attacks on classifiers defended using the adversarial training defense, exposing a new attack vector for these defenses.


Forward citations

Cited by 3 Pith papers

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. The Adversarial Robustness of Sampling

    cs.DS 2019-06 unverdicted novelty 7.0

    To achieve robustness to adaptive adversaries, Bernoulli and reservoir sampling require sample size Ω(log |R| / ε²) instead of the static VC-dimension bound.

  2. Fooling a Real Car with Adversarial Traffic Signs

    cs.CR 2019-06 unverdicted novelty 6.0

    A reproducible pipeline produces physical adversarial traffic signs that successfully attack production-grade traffic sign recognition systems in a real car under black-box conditions.

  3. MobilBye: Attacking ADAS with Camera Spoofing

    cs.CR 2019-06 unverdicted novelty 5.0

    Experiments show that Mobileye can be fooled into interpreting drone-projected spoofed traffic signs as real under varied conditions like color, shape, speed, size, and light.