arxiv: 2602.07249 · v2 · submitted 2026-02-06 · 💻 cs.CR · cs.LG

Beyond Crash: Hijacking Your Autonomous Vehicle for Fun and Profit

Pith reviewed 2026-05-16 05:53 UTC · model grok-4.3

classification 💻 cs.CR cs.LG
keywords autonomous vehicles · adversarial attacks · route hijacking · physical attacks · vision-based driving · end-to-end control · JackZebra

The pith

JackZebra hijacks vision-based autonomous vehicles to attacker-chosen destinations using a physical display on a following car.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper shows that vision-based autonomous vehicles can be gradually redirected from their planned routes to locations chosen by an attacker while continuing to operate without immediate safety failures. The attack uses a reconfigurable display and rear camera mounted on an adversary vehicle to maintain influence over time. Route hijacking is treated as a closed-loop control task that converts adversarial patches into steering primitives selected dynamically based on observed victim behavior. This creates a long-horizon compromise rather than a short-term crash or lane departure. Real-world and simulated tests report high success rates in reaching the target stops.

Core claim

JackZebra achieves the first route-level hijacking of a vision-based end-to-end driving stack by mounting a reconfigurable display and camera on an attacker vehicle, then converting adversarial patches into selectable steering primitives that are adjusted online through an interactive loop driven by rear-camera observations of the victim, allowing the influence to persist across changing viewpoints, lighting, weather, traffic, and the victim's replanning.

What carries the argument

Closed-loop control that selects steering primitives from adversarial patches based on real-time rear-camera observations of the victim's behavior.

If this is right

  • Victim vehicles reach attacker-specified stops while driving normally and without immediate safety violations.
  • Passengers inside the vehicle may remain unaware of the ongoing route changes.
  • Short-term perception defenses do not address long-horizon route integrity.
  • Physical displays become a practical vector for route manipulation in deployed AVs.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • AV designs may need route-verification layers that compare perceived paths against external map data.
  • The same closed-loop idea could be tested against other sensor modalities beyond vision.
  • Defenses should incorporate checks for temporal consistency in steering commands over minutes rather than seconds.
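
A defender-side sketch of the route-verification and minutes-scale steering-consistency checks listed above. It is an added example, not code from the paper or from Pith; the `RouteIntegrityMonitor` name, the thresholds, the local metric coordinates, the reference-steering input and both traces are assumptions constructed for illustration.

```python
import math
from collections import deque

# Constructed planned route in local metres: east 1 km, then a left turn north.
ROUTE = [(0.0, 0.0), (1000.0, 0.0), (1000.0, 1000.0)]

def cross_track(p, route):
    """Shortest distance in metres from point p to the route polyline."""
    best = float("inf")
    for a, b in zip(route, route[1:]):
        dx, dy = b[0] - a[0], b[1] - a[1]
        seg2 = dx * dx + dy * dy
        # Projection of p onto segment ab, clamped to the segment ends.
        u = 0.0 if seg2 == 0 else ((p[0] - a[0]) * dx + (p[1] - a[1]) * dy) / seg2
        u = max(0.0, min(1.0, u))
        best = min(best, math.hypot(p[0] - (a[0] + u * dx), p[1] - (a[1] + u * dy)))
    return best

class RouteIntegrityMonitor:
    """Flags deviations that persist for a whole window, not single-frame spikes."""

    def __init__(self, route, max_offset_m=15.0, window_s=60.0, bias_limit_deg=2.0):
        self.route = route
        self.max_offset_m = max_offset_m      # assumed GPS + lane tolerance
        self.window_s = window_s              # assumed observation window
        self.bias_limit_deg = bias_limit_deg  # assumed limit on mean residual
        self.samples = deque()                # (t, offset_m, steering residual)

    def update(self, t, pos, steer_cmd_deg, steer_ref_deg):
        """Add one sample; return the list of alerts active at time t."""
        self.samples.append((t, cross_track(pos, self.route),
                             steer_cmd_deg - steer_ref_deg))
        while t - self.samples[0][0] > self.window_s:
            self.samples.popleft()
        if t - self.samples[0][0] < 0.9 * self.window_s:
            return []                         # not enough history yet
        alerts = []
        mean_res = sum(r for _, _, r in self.samples) / len(self.samples)
        if abs(mean_res) > self.bias_limit_deg:
            alerts.append("steering_bias")    # one-sided residual over the window
        if min(o for _, o, _ in self.samples) > self.max_offset_m:
            alerts.append("off_route")        # never back on route in the window
        return alerts

def make_trace(hijacked):
    """Constructed 1 Hz trace at 10 m/s; the hijacked one misses the left turn."""
    trace = []
    for t in range(201):
        jitter = 0.5 if t % 2 == 0 else -0.5          # benign controller noise
        if t <= 100:
            pos, cmd = (10.0 * t, 0.0), jitter
        elif hijacked:
            pos, cmd = (10.0 * t, 0.0), -3.0          # small persistent bias
        else:
            pos, cmd = (1000.0, 10.0 * (t - 100)), jitter
        trace.append((t, pos, cmd, 0.0))              # reference steering held at 0
    return trace

def first_alerts(trace, route=ROUTE):
    """Return {alert name: first time in seconds it fired} for a trace."""
    mon, first = RouteIntegrityMonitor(route), {}
    for t, pos, cmd, ref in trace:
        for name in mon.update(t, pos, cmd, ref):
            first.setdefault(name, t)
    return first

if __name__ == "__main__":
    print("benign  :", first_alerts(make_trace(False)))
    print("hijacked:", first_alerts(make_trace(True)))
```

The windowed mean flags the steering bias before the position check does, even though no single sample is large; the monitor must be pinned to the route committed at trip start, since a check against the victim's latest replanned route would follow the deviation.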

Load-bearing premise

Adversarial influence from the physical display remains effective across changing viewpoints, lighting, weather, traffic, and the victim's continual replanning without triggering detection or conspicuous failures.

What would settle it

A controlled test in which the victim AV maintains its original route and stops at the planned destination despite the attacker's display and adjustments.

Figures

Figures reproduced from arXiv: 2602.07249 by Ahmed Abdo, Alvaro Cardenas, Luis Burbano, Qi Sun, Yaxing Yao, Yinzhi Cao, Ziyang Li.

Figure 1: An illustration of JackZebra's motivation: The victim car should follow the benign route (blue) to a safe location, but is hijacked by an SUV onto an adversarial route (red). At the intersection, the victim should turn left but instead goes straight and follows the adversarial SUV.

Figure 2: JackZebra has two major stages: (i) an offline attack generation stage to optimize a bank with patches with different hijacking purposes, e.g., turning angles, and (ii) an online attack stage to adjust the victim car using a chosen image based on three types of sensors, including front- and back-facing cameras and GPS locations. Both the adversarial and the victim vehicles are under the influence of JackZe…

Figure 3: An illustration of Adversarial and Victim Vehicle

Figure 4: Physical attack setup. (a) The victim car is equipped…

Figure 5: Victim’s camera views in two different physical…

Figure 6: [RQ1] In this case study, the victim vehicle is sup…

Figure 8: [RQ2] An illustration of failed hijacks under differ…

Figure 9: [RQ6] Steering angle over time: benign driving…

Original abstract

Autonomous Vehicles (AVs), especially vision-based AVs, are rapidly being deployed without human operators. As AVs operate in safety-critical environments, understanding their robustness in an adversarial environment is an important research problem. Prior physical adversarial attacks on vision-based autonomous vehicles predominantly target immediate safety failures (e.g., a crash, a traffic-rule violation, or a transient lane departure) by inducing a short-lived perception or control error. This paper shows a qualitatively different risk: a long-horizon route integrity compromise, where an attacker gradually steers a victim AV away from its intended route and into an attacker-chosen destination while the victim continues to drive "normally." This will not only pose a danger to the victim vehicle itself, but also to potential passengers sitting inside the vehicle, who may not notice the route changes. In this paper, we design and implement the first adversarial framework, called JackZebra, which performs route-level hijacking of a vision-based end-to-end driving stack using a physically plausible attacker vehicle with a reconfigurable display and a camera sensor mounted on the rear. The central challenge is temporal persistence: adversarial influence must remain effective in changing viewpoints, lighting, weather, traffic, and the victim's continual replanning -- without triggering conspicuous failures. Our key insight is to treat route hijacking as a closed-loop control problem and to convert adversarial patches into steering primitives that can be selected online via an interactive adjustment loop based on observed victim behavior using the rear camera. Our evaluations in both simulated and real-world scenarios show that JackZebra can successfully hijack victim vehicles to deviate from original routes and stop at places designated by the adversary with a high success rate.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

3 major / 2 minor

Summary. The paper introduces JackZebra, the first adversarial framework for long-horizon route hijacking of vision-based end-to-end AV driving stacks. An attacker vehicle uses a reconfigurable physical display and rear-mounted camera to convert adversarial patches into selectable steering primitives, forming a closed-loop control system that gradually deviates the victim AV from its planned route toward an attacker-chosen destination while the victim continues normal operation and replanning. The central claim is that this influence persists across changing viewpoints, lighting, weather, and traffic with high success rates in both simulation and real-world experiments.

Significance. If the robustness claims hold under detailed scrutiny, the work would be significant for identifying a qualitatively new attack surface on deployed AVs: persistent route integrity compromise without immediate safety violations. This extends prior short-horizon physical attacks and underscores the need for defenses against closed-loop, feedback-driven adversarial influence in dynamic environments.

major comments (3)
  1. [Abstract and §4] Abstract and §4 (Evaluation): The manuscript asserts 'high success rate' for route deviation and destination stopping in simulated and real-world scenarios, yet supplies no quantitative metrics (success percentages, trial counts, failure frequencies, or repositioning overhead), baselines, or edge-case coverage. This directly weakens the central claim that the closed-loop adjustment maintains influence across variable conditions and replanning.
  2. [§3.2] §3.2 (Closed-loop control): The conversion of patches to steering primitives and online selection via rear-camera feedback is presented as the key insight for temporal persistence, but the description lacks concrete details on how primitives are chosen or adjusted when the victim replans routes or when viewpoints/lighting change, leaving the robustness mechanism underspecified.
  3. [§4.2] §4.2 (Real-world experiments): No analysis is provided of conspicuous failure modes, detection risk, or performance under traffic/weather variation, which is load-bearing for the claim that the attack remains effective without triggering obvious anomalies over long horizons.
minor comments (2)
  1. [§3.3] Clarify the exact parameterization of the steering primitives and the feedback loop gain in §3.3 to improve reproducibility.
  2. [Related Work] Add explicit comparison to prior physical adversarial patch works in the related-work section to better position the novelty of the long-horizon closed-loop approach.

Simulated Author's Rebuttal

3 responses · 0 unresolved

We appreciate the referee's thorough review and constructive suggestions. We will revise the manuscript to provide more quantitative details, clarify the closed-loop mechanism, and analyze failure modes as requested.

  1. Referee: [Abstract and §4] Abstract and §4 (Evaluation): The manuscript asserts 'high success rate' for route deviation and destination stopping in simulated and real-world scenarios, yet supplies no quantitative metrics (success percentages, trial counts, failure frequencies, or repositioning overhead), baselines, or edge-case coverage. This directly weakens the central claim that the closed-loop adjustment maintains influence across variable conditions and replanning.

    Authors: We agree with the referee that quantitative metrics are necessary to support the claims. We will revise the manuscript to include specific success percentages, the number of trials conducted, failure frequencies, and analysis of edge cases in both the abstract and §4. revision: yes

  2. Referee: [§3.2] §3.2 (Closed-loop control): The conversion of patches to steering primitives and online selection via rear-camera feedback is presented as the key insight for temporal persistence, but the description lacks concrete details on how primitives are chosen or adjusted when the victim replans routes or when viewpoints/lighting change, leaving the robustness mechanism underspecified.

    Authors: We will provide additional details in the revised §3.2 on the primitive selection process. The attacker selects the steering primitive by mapping the observed victim behavior from the rear camera to the patch that induces the desired steering adjustment. Adjustments for replanning are handled by continuously updating the target based on the victim's current route estimate, with robustness to viewpoint and lighting changes achieved through the closed-loop feedback. We will include a detailed description and pseudocode to make this mechanism explicit. revision: yes

  3. Referee: [§4.2] §4.2 (Real-world experiments): No analysis is provided of conspicuous failure modes, detection risk, or performance under traffic/weather variation, which is load-bearing for the claim that the attack remains effective without triggering obvious anomalies over long horizons.

    Authors: The referee is right that a dedicated analysis of these aspects would enhance the paper. We will add to §4.2 a discussion of failure modes observed in real-world tests (such as those caused by sudden weather changes), the low detection risk due to the reconfigurable display mimicking standard vehicle equipment, and performance variations under different traffic and weather conditions based on our experimental data. revision: yes

Circularity Check

0 steps flagged

No circularity: empirical attack implementation with direct experimental validation

The paper presents JackZebra as a practical adversarial framework for long-horizon route hijacking of vision-based AVs, implemented via a reconfigurable display on an attacker vehicle and closed-loop adjustment using rear-camera feedback. All load-bearing claims rest on experimental results in simulation and real-world settings showing high success rates for route deviation and destination control. No equations, fitted parameters, predictions, uniqueness theorems, or self-citations are used to derive the core results; the persistence of adversarial influence is asserted via direct testing rather than any self-referential construction. This matches the expected non-circular outcome for an empirical systems paper.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

Limited information available from abstract only; the central claim rests on standard assumptions in physical adversarial attacks on vision-based AVs.

axioms (1)
  • domain assumption Physical adversarial patterns displayed on a nearby vehicle can persistently influence the perception and planning of a vision-based end-to-end driving stack.
    Invoked as the basis for converting patches into steering primitives.

pith-pipeline@v0.9.0 · 5620 in / 1152 out tokens · 47879 ms · 2026-05-16T05:53:03.212592+00:00 · methodology
