pith. sign in

arxiv: 1907.05418 · v1 · pith:NN4DHFXQnew · submitted 2019-07-11 · 💻 cs.CR · cs.CV· cs.LG· stat.ML

Adversarial Objects Against LiDAR-Based Autonomous Driving Systems

Yulong Cao , Chaowei Xiao , Dawei Yang , Jing Fang , Ruigang Yang , Mingyan Liu , Bo Li This is my paper

Pith reviewed 2026-05-24 22:50 UTC · model grok-4.3

classification 💻 cs.CR cs.CVcs.LGstat.ML
keywords adversarial examplesLiDARautonomous drivingphysical attacksobject detectionoptimization methodssecurity vulnerabilities
0
0 comments X

The pith

LiDAR detection in autonomous vehicles can be evaded by optimized adversarial objects.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper proposes methods to generate adversarial objects that avoid detection by LiDAR sensors in self-driving cars. It begins with an evolution-based blackbox attack and then introduces a gradient-based optimizer named LiDAR-Adv. These objects are evaluated on the Baidu Apollo platform in simulation and through physical experiments with 3D-printed versions. A sympathetic reader would care because this indicates that physical attacks on sensor data are possible, which could affect the reliability of autonomous driving technology.

Core claim

Adversarial objects can be created using optimization to cause LiDAR-based autonomous driving detection systems to miss them under various conditions. This is shown first with a blackbox evolution-based algorithm and then with the gradient-based LiDAR-Adv approach. The effectiveness is verified both on the Baidu Apollo platform and with 3D-printed objects in the real world.

What carries the argument

LiDAR-Adv, the gradient-based optimization approach for creating 3D adversarial objects that evade LiDAR detection.

If this is right

  • The Baidu Apollo autonomous driving platform can be attacked by these objects in simulation.
  • 3D-printed adversarial objects maintain their ability to evade detection in physical tests.
  • Both blackbox and gradient-based optimization can generate successful attacks.
  • Such attacks are possible under various real-world conditions.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Defenses against these attacks might require changes to how LiDAR data is processed or interpreted.
  • The same approach could be applied to other types of sensors used in autonomous systems.
  • This work highlights the need for testing physical robustness in addition to digital security for vehicle perception.

Load-bearing premise

The objects optimized in simulation or by querying the system will keep their adversarial properties when physically manufactured and used in actual environments.

What would settle it

Placing a 3D-printed adversarial object in the path of a LiDAR-equipped vehicle and observing whether the detection system identifies it correctly or fails to detect it.

Figures

Figures reproduced from arXiv: 1907.05418 by Bo Li, Chaowei Xiao, Dawei Yang, Jing Fang, Mingyan Liu, Ruigang Yang, Yulong Cao.

Figure 1
Figure 1. Figure 1: Overview of LiDAR-Adv. The first row shows that a normal box will be detected by the LiDAR-based detection system; while the generated adversarial object with similar size in row 2 cannot be detected. 2 Related work Image-space adversarial attacks Adversarial examples have been heavily explored in 2D image domains [3, 8, 13, 14, 21]. Various works [1, 7, 11] start to study robust physical adversarial examp… view at source ↗
Figure 2
Figure 2. Figure 2: Overview of LiDAR-based detection on AV. [PITH_FULL_IMAGE:figures/full_fig_p003_2.png] view at source ↗
Figure 3
Figure 3. Figure 3: Adversarial meshes of different sizes can fool the detectors even with more LiDAR hits. We generate [PITH_FULL_IMAGE:figures/full_fig_p007_3.png] view at source ↗
Figure 4
Figure 4. Figure 4: The adversarial mesh generated by LiDAR-Adv is mis-detected as a “Pedestrian” [PITH_FULL_IMAGE:figures/full_fig_p008_4.png] view at source ↗
Figure 5
Figure 5. Figure 5: Results of physical attack. Our 3D-printed robust adversarial object by [PITH_FULL_IMAGE:figures/full_fig_p008_5.png] view at source ↗
read the original abstract

Deep neural networks (DNNs) are found to be vulnerable against adversarial examples, which are carefully crafted inputs with a small magnitude of perturbation aiming to induce arbitrarily incorrect predictions. Recent studies show that adversarial examples can pose a threat to real-world security-critical applications: a "physical adversarial Stop Sign" can be synthesized such that the autonomous driving cars will misrecognize it as others (e.g., a speed limit sign). However, these image-space adversarial examples cannot easily alter 3D scans of widely equipped LiDAR or radar on autonomous vehicles. In this paper, we reveal the potential vulnerabilities of LiDAR-based autonomous driving detection systems, by proposing an optimization based approach LiDAR-Adv to generate adversarial objects that can evade the LiDAR-based detection system under various conditions. We first show the vulnerabilities using a blackbox evolution-based algorithm, and then explore how much a strong adversary can do, using our gradient-based approach LiDAR-Adv. We test the generated adversarial objects on the Baidu Apollo autonomous driving platform and show that such physical systems are indeed vulnerable to the proposed attacks. We also 3D-print our adversarial objects and perform physical experiments to illustrate that such vulnerability exists in the real world. Please find more visualizations and results on the anonymous website: https://sites.google.com/view/lidar-adv.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

1 major / 2 minor

Summary. The paper proposes LiDAR-Adv, an optimization framework (black-box evolutionary and gradient-based) to synthesize 3D adversarial objects that evade LiDAR-based object detectors. It evaluates the objects against the Baidu Apollo autonomous driving platform in simulation and claims to demonstrate the same vulnerability with 3D-printed physical objects in real-world LiDAR scans.

Significance. If the physical transfer results hold with adequate controls and metrics, the work would be significant for highlighting a new attack surface on LiDAR sensors in safety-critical autonomous systems, extending prior image-domain adversarial research to 3D point clouds with both algorithmic and fabrication-based validation.

major comments (1)
  1. [Physical experiments] Physical experiments section: the central claim that 3D-printed objects retain their adversarial effect in real-world LiDAR scans is load-bearing, yet the manuscript provides no quantitative transfer metrics (e.g., detection rate or point-cloud distance between simulation and physical scans), no fabrication tolerance analysis, no controls for sensor pose/height/angle, and no environmental variation tests. This leaves the real-world vulnerability demonstration unverified even if the simulation results are correct.
minor comments (2)
  1. [Abstract] The abstract and introduction should explicitly state the LiDAR model and detection algorithm version used in Apollo experiments for reproducibility.
  2. [Figures] Figure captions for the 3D-printed objects should include scale, material, and placement distance from the sensor.

Simulated Author's Rebuttal

1 responses · 0 unresolved

We thank the referee for the constructive review and the recommendation for major revision. We address the single major comment on the physical experiments below.

read point-by-point responses

  1. Referee: [Physical experiments] Physical experiments section: the central claim that 3D-printed objects retain their adversarial effect in real-world LiDAR scans is load-bearing, yet the manuscript provides no quantitative transfer metrics (e.g., detection rate or point-cloud distance between simulation and physical scans), no fabrication tolerance analysis, no controls for sensor pose/height/angle, and no environmental variation tests. This leaves the real-world vulnerability demonstration unverified even if the simulation results are correct.

    Authors: We agree that the physical experiments section would be strengthened by quantitative transfer metrics, fabrication tolerance analysis, explicit sensor pose controls, and environmental variation tests. The current manuscript presents the 3D-printed objects primarily as an illustrative demonstration that the simulated adversarial effect can appear in real LiDAR scans, without the detailed quantitative comparisons requested. We will revise the manuscript to add these elements, including detection-rate tables comparing simulation versus physical scans, a brief fabrication tolerance discussion, and documentation of the sensor positioning protocol used in the physical trials. revision: yes

Circularity Check

0 steps flagged

No circularity: empirical attack generation and testing

full rationale

The paper presents an optimization procedure (evolution-based black-box and gradient-based LiDAR-Adv) to synthesize adversarial 3D objects, followed by direct evaluation on the Baidu Apollo platform in simulation and via 3D-printed physical objects. No equations, parameters, or claims are defined in terms of their own outputs; no predictions are obtained by fitting to a subset and then relabeled; no uniqueness theorems or ansatzes are imported via self-citation. The central results rest on experimental outcomes rather than any self-referential reduction. This is a standard empirical demonstration whose validity hinges on experimental controls, not on internal definitional loops.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

Based on abstract only; no specific free parameters or invented entities mentioned. The approach uses optimization which typically involves hyperparameters but none detailed. Relies on standard assumptions in ML attacks.

axioms (1)
  • domain assumption Standard assumptions in adversarial machine learning such as the ability to optimize perturbations via gradients or evolution strategies.
    The method relies on these for generating the adversarial objects.

pith-pipeline@v0.9.0 · 5786 in / 1180 out tokens · 25861 ms · 2026-05-24T22:50:49.703658+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Forward citations

Cited by 2 Pith papers

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. Adversarial Trust Poisoning in Vehicular Collaborative Perception

    cs.CR 2026-05 unverdicted novelty 7.0

    TrustFlip weaponizes consistency-based trust defenses in vehicular collaborative perception by using physical adversarial objects to induce inconsistencies that are misattributed to benign vehicles, leading to their e...

  2. Safety in Embodied AI: A Survey of Risks, Attacks, and Defenses

    cs.CR 2026-03 unverdicted novelty 6.0

    The survey organizes over 400 papers on embodied AI safety into a multi-level taxonomy and flags overlooked issues such as fragile multimodal fusion and unstable planning under jailbreaks.

Reference graph

Works this paper leans on

23 extracted references · 23 canonical work pages · cited by 2 Pith papers · 10 internal anchors

  1. [1]

    Synthesizing Robust Adversarial Examples

    A. Athalye and I. Sutskever. Synthesizing robust adversarial examples. arXiv preprint arXiv:1707.07397, 2017

    work page internal anchor Pith review Pith/arXiv arXiv 2017

  2. [2]

    Carlini and D

    N. Carlini and D. Wagner. Towards evaluating the robustness of neural networks. InIEEE Symposium on Security and Privacy, 2017, 2017

    work page 2017

  3. [3]

    Towards Evaluating the Robustness of Neural Networks

    N. Carlini and D. A. Wagner. Towards evaluating the robustness of neural networks. In2017 IEEE Symposium on Security and Privacy, SP 2017, San Jose, CA, USA, May 22-26, 2017, pages 39–57, 2017. doi: 10.1109/SP.2017.49. URL https://doi.org/10.1109/SP.2017.49

    work page doi:10.1109/sp.2017.49 2017

  4. [4]

    Cignoni, M

    P. Cignoni, M. Callieri, M. Corsini, M. Dellepiane, F. Ganovelli, and G. Ranzuglia. Meshlab: an open-source mesh processing tool. In Eurographics Italian chapter conference, volume 2008, pages 129–136, 2008

    work page 2008

  5. [5]

    Collobert and J

    R. Collobert and J. Weston. A unified architecture for natural language processing: Deep neural networks with multitask learning. In Proceedings of the 25th international conference on Machine learning, pages 160–167. ACM, 2008

    work page 2008

  6. [6]

    L. Deng, J. Li, J.-T. Huang, K. Yao, D. Yu, F. Seide, M. L. Seltzer, G. Zweig, X. He, J. D. Williams, et al. Recent advances in deep learning for speech research at microsoft. In ICASSP, volume 26, page 64, 2013

    work page 2013

  7. [7]

    Robust Physical-World Attacks on Deep Learning Models

    I. Evtimov, K. Eykholt, E. Fernandes, T. Kohno, B. Li, A. Prakash, A. Rahmati, and D. Song. Robust physical-world attacks on deep learning models. arXiv preprint arXiv:1707.08945, 1, 2017

    work page internal anchor Pith review Pith/arXiv arXiv 2017

  8. [8]

    I. J. Goodfellow, J. Shlens, and C. Szegedy. Explaining and harnessing adversarial examples. arXiv preprint arXiv:1412.6572, 2014

    work page internal anchor Pith review Pith/arXiv arXiv 2014

  9. [9]

    K. He, X. Zhang, S. Ren, and J. Sun. Deep residual learning for image recognition. In Proceedings of the IEEE conference on computer vision and pattern recognition, pages 770–778, 2016

    work page 2016

  10. [10]

    D. P. Kingma and J. Ba. Adam: A method for stochastic optimization. arXiv preprint arXiv:1412.6980, 2014

    work page internal anchor Pith review Pith/arXiv arXiv 2014

  11. [11]

    Adversarial examples in the physical world

    A. Kurakin, I. Goodfellow, and S. Bengio. Adversarial examples in the physical world. arXiv preprint arXiv:1607.02533, 2016

    work page internal anchor Pith review Pith/arXiv arXiv 2016

  12. [12]

    H.-T. D. Liu, M. Tao, C.-L. Li, D. Nowrouzezahrai, and A. Jacobson. Adversarial geometry and lighting using a differentiable renderer. CoRR, abs/1808.02651, 2018

    work page internal anchor Pith review Pith/arXiv arXiv 2018

  13. [13]

    Moosavi-Dezfooli, A

    S.-M. Moosavi-Dezfooli, A. Fawzi, and P. Frossard. Deepfool: a simple and accurate method to fool deep neural networks. In Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, pages 2574–2582, 2016

    work page 2016

  14. [14]

    Papernot, P

    N. Papernot, P. McDaniel, S. Jha, M. Fredrikson, Z. B. Celik, and A. Swami. The limitations of deep learning in adversarial settings. In Security and Privacy (EuroS&P), 2016 IEEE European Symposium on, pages 372–387. IEEE, 2016

    work page 2016

  15. [15]

    C. R. Qi, H. Su, K. Mo, and L. J. Guibas. Pointnet: Deep learning on point sets for 3d classification and segmentation. In Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, pages 652–660, 2017

    work page 2017

  16. [16]

    C. E. Shannon. Communication theory of secrecy systems. Bell Labs Technical Journal, 28(4):656–715, 1949

    work page 1949

  17. [17]

    Silver, A

    D. Silver, A. Huang, C. J. Maddison, A. Guez, L. Sifre, G. Van Den Driessche, J. Schrittwieser, I. Antonoglou, V . Panneershelvam, M. Lanctot, et al. Mastering the game of go with deep neural networks and tree search.nature, 529(7587):484, 2016

    work page 2016

  18. [18]

    M. Sun, J. Tang, H. Li, B. Li, C. Xiao, Y . Chen, and D. Song. Data poisoning attack against unsupervised node embedding methods. arXiv preprint arXiv:1810.12881, 2018

    work page internal anchor Pith review Pith/arXiv arXiv 2018

  19. [19]

    Generating 3D Adversarial Point Clouds

    C. Xiang, C. R. Qi, and B. Li. Generating 3d adversarial point clouds. arXiv preprint arXiv:1809.07016, 2018

    work page internal anchor Pith review Pith/arXiv arXiv 2018

  20. [20]

    C. Xiao, R. Deng, B. Li, F. Yu, D. Song, et al. Characterizing adversarial examples based on spatial consistency information for semantic segmentation. In Proceedings of the (ECCV), pages 217–234, 2018

    work page 2018

  21. [21]

    C. Xiao, B. Li, J.-Y . Zhu, W. He, M. Liu, and D. Song. Generating adversarial examples with adversarial networks. arXiv preprint arXiv:1801.02610, 2018

    work page internal anchor Pith review Pith/arXiv arXiv 2018

  22. [22]

    C. Xiao, D. Yang, B. Li, J. Deng, and M. Liu. Meshadv: Adversarial meshes for visual recognition. In CVPR, 2018

    work page 2018

  23. [23]

    Spatially Transformed Adversarial Examples

    C. Xiao, J.-Y . Zhu, B. Li, W. He, M. Liu, and D. Song. Spatially transformed adversarial examples.arXiv preprint arXiv:1801.02612, 2018. 9 A Differential Renderer LiDAR Simulation The renderer simulates the physics of a LiDAR sensor that probes the objects in the scene by casting laser Nray rays: R ={ri∈ R3,∥ri∥ = 1,i = 1, 2,··· ,N ray}, with ri represen...

    work page internal anchor Pith review Pith/arXiv arXiv 2018