Adversarial Trust Poisoning in Vehicular Collaborative Perception
Pith reviewed 2026-05-22 05:20 UTC · model grok-4.3
The pith
Physical adversarial objects can trick consistency-based defenses into excluding benign vehicles from collaborative perception.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
By deploying physical adversarial objects that induce genuine but conflicting observations among benign vehicles, the TrustFlip attack causes consistency-based defenses to misattribute the inconsistencies to the targeted vehicle, degrading its trust score until it is downweighted or excluded from collaboration, which removes reliable sensing input and reduces average precision by up to 13 percent while excluding the vehicle in up to 87.7 percent of tested scenarios.
What carries the argument
TrustFlip, the attack that places physical adversarial objects to generate cross-vehicle observation inconsistencies that consistency-based trust estimation then attributes to a chosen benign vehicle.
If this is right
- Targeted benign vehicles are removed from collaboration in up to 87.7 percent of scenarios.
- System average precision drops by as much as 13 percent when the attack succeeds.
- Loss of reliable contributors can lead to safety-critical perception failures.
- The attack affects multiple state-of-the-art collaborative perception architectures and defense mechanisms.
- A self-reflection mechanism that marks disputed regions as uncertain can reduce attack success by 35 to 100 percent.
Where Pith is reading between the lines
- Environmental factors beyond deliberate adversarial placement, such as unusual object arrangements or sensor occlusions, might produce similar unintended trust degradation.
- Trust systems could benefit from cross-checking inconsistencies against possible physical scene explanations rather than defaulting to vehicle-level penalties.
- Detection of anomalous physical objects might become a necessary layer before trust scoring in future collaborative setups.
Load-bearing premise
Defenses will always treat observed inconsistencies as evidence of faulty or malicious data from the targeted vehicle instead of recognizing that physical objects in the scene can produce legitimate conflicting observations across multiple vehicles.
What would settle it
A controlled test in which physical adversarial objects are placed and the system still maintains the targeted vehicle's trust score without degradation or exclusion despite the induced inconsistencies.
Original abstract
Collaborative perception (CP) enables connected and autonomous vehicles to share sensor data and jointly reason about their environment. To defend against adversaries that fabricate or manipulate shared data, existing systems employ cross-vehicle inconsistency detection and trust estimation, penalizing vehicles whose observations conflict with the majority. In this work, we show that these defenses themselves introduce a new attack surface. We present TrustFlip, a novel attack that weaponizes consistency-based defenses to poison the trust assigned to benign vehicles. Instead of injecting false data into the collaboration pipeline, it deploys physical adversarial objects that are genuine but induce inconsistent observations among benign vehicles. The resulting inconsistencies are misattributed by the defense to the targeted vehicle, causing its trust score to degrade and eventually leading to its downweighting or exclusion from collaboration. Consequently, the system loses reliable sensing contributors, degrading perception capability and potentially inducing safety-critical failures. We evaluate TrustFlip across multiple collaborative perception architectures and defense mechanisms. Our results show that state-of-the-art defenses can be significantly affected: the attack removes the targeted benign vehicle from collaboration in up to 87.7% of scenarios and drops Average Precision (AP) by up to 13%. As an initial mitigation, we introduce TrustReflect, a lightweight self-reflection mechanism that marks disputed regions as uncertain and excludes them from trust evaluation, reducing the attack success rate by 35-100%.
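The misattribution and the disputed-region idea described in the abstract, as an added toy model that is not code from the paper or from Pith. The occupancy grid, the majority-vote scoring rule, the variance test and every threshold are assumptions chosen for illustration, and the frames are constructed sample data.

```python
from statistics import pvariance

# All constants and the scoring rule are illustrative assumptions.
VEHICLES = ("A", "B", "C", "T")
EXCLUDE_BELOW = 0.5            # trust below this means exclusion
PENALTY, REWARD = 0.10, 0.02   # per-cell trust adjustments
DISPUTE_VAR = 0.05             # variance above this marks a cell as disputed


def score_frame(frame, trust, skip_disputed):
    """Update trust in place from one frame; return cells left unscored.

    frame maps cell id -> {vehicle: occupancy probability in [0, 1]}.
    """
    delta = {v: 0.0 for v in trust}
    uncertain = set()
    for cell, obs in frame.items():
        if len(obs) < 3:
            continue  # too few observers for a majority
        if skip_disputed and pvariance(list(obs.values())) > DISPUTE_VAR:
            uncertain.add(cell)  # disputed region: nobody is scored on it
            continue
        votes = {v: p >= 0.5 for v, p in obs.items()}
        occupied = sum(votes.values())
        if occupied * 2 == len(votes):
            continue  # tie, no majority to compare against
        majority = occupied * 2 > len(votes)
        for v, vote in votes.items():
            delta[v] += REWARD if vote == majority else -PENALTY
    for v in trust:
        trust[v] = min(1.0, max(0.0, trust[v] + delta[v]))
    return uncertain


def run(frames, skip_disputed):
    """Return (final trust, {vehicle: first frame index below threshold})."""
    trust = {v: 1.0 for v in VEHICLES}
    excluded_at = {}
    for t, frame in enumerate(frames):
        score_frame(frame, trust, skip_disputed)
        for v in VEHICLES:
            if trust[v] < EXCLUDE_BELOW and v not in excluded_at:
                excluded_at[v] = t
    return trust, excluded_at


def constructed_frames(n_frames=6):
    """Constructed sample input: four benign vehicles, eight cells per frame.

    Cells 0-4 look the same to everyone. Cells 5-7 hold a real object that
    only vehicle "T" detects from its viewpoint.
    """
    frames = []
    for _ in range(n_frames):
        frame = {}
        for cell in range(5):
            p = 0.9 if cell % 2 == 0 else 0.1
            frame[cell] = {v: p for v in VEHICLES}
        for cell in range(5, 8):
            frame[cell] = {"A": 0.1, "B": 0.15, "C": 0.1, "T": 0.9}
        frames.append(frame)
    return frames


if __name__ == "__main__":
    for skip in (False, True):
        trust, excluded_at = run(constructed_frames(), skip)
        print("skip_disputed =", skip, "trust =", trust, "excluded =", excluded_at)
```

In this toy rule the variance test cannot tell a physically induced dispute from a fabricated one, so the same cells also stop counting against a vehicle that injects false data there.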
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper claims that consistency-based trust defenses in vehicular collaborative perception can be exploited by TrustFlip, an attack that deploys physical adversarial objects to create genuine but inconsistent observations across benign vehicles. These inconsistencies are misattributed by the defenses to the targeted benign vehicle, degrading its trust score and leading to exclusion from collaboration, with reported effects of up to 87.7% removal rate and 13% AP drop. The authors also propose TrustReflect, a self-reflection mechanism that marks disputed regions as uncertain to mitigate the attack by 35-100%.
Significance. If the empirical results hold under rigorous validation, the work identifies a previously unexamined attack surface in CP systems by showing how physical adversarial objects can weaponize existing inconsistency-detection defenses without fabricating data. This has clear implications for the security of connected autonomous vehicles. The proposal of TrustReflect as a lightweight mitigation is a constructive contribution, though its effectiveness depends on the same attribution assumptions under test.
major comments (2)
- Abstract and §4 (Evaluation): The abstract reports quantitative results (87.7% removal rate, 13% AP drop, 35-100% mitigation) but provides no details on experimental setup, number of trials, statistical significance, exact architectures tested, or how physical adversarial objects were placed and sensed. Full methods, data, and ablation studies are required to assess whether the central claim holds.
- §3 (Attack Design) and §4: The central claim requires that consistency-based trust mechanisms attribute observed inconsistencies exclusively to the targeted benign vehicle. Because inconsistencies are induced by genuine physical adversarial objects, a defense could instead detect high cross-vehicle variance in specific regions as external physical anomalies and downweight all involved vehicles or ignore them for trust scoring. The manuscript should include explicit experiments or analysis demonstrating why the tested defenses fail to make this distinction rather than assuming misattribution.
minor comments (2)
- Notation for trust scores and inconsistency metrics should be defined more clearly with equations in the methods section to aid reproducibility.
- Figure captions for attack scenarios and mitigation results could include more detail on the specific CP architectures and defense variants shown.
Simulated Author's Rebuttal
We thank the referee for the detailed and constructive feedback. We address each major comment below and have revised the manuscript to improve clarity and completeness.
- Referee: Abstract and §4 (Evaluation): The abstract reports quantitative results (87.7% removal rate, 13% AP drop, 35-100% mitigation) but provides no details on experimental setup, number of trials, statistical significance, exact architectures tested, or how physical adversarial objects were placed and sensed. Full methods, data, and ablation studies are required to assess whether the central claim holds.
  Authors: We agree that the abstract would benefit from additional context on the experimental conditions. In the revised manuscript we will expand the abstract to briefly note the simulation platform, number of scenarios evaluated, and architectures tested. We will also augment §4 with expanded descriptions of the experimental setup, including adversarial object placement and sensing details, the number of independent trials, and statistical significance where applicable. Additional ablation studies on object positioning and sensing parameters will be included in the main text or supplementary material.
  revision: yes
- Referee: §3 (Attack Design) and §4: The central claim requires that consistency-based trust mechanisms attribute observed inconsistencies exclusively to the targeted benign vehicle. Because inconsistencies are induced by genuine physical adversarial objects, a defense could instead detect high cross-vehicle variance in specific regions as external physical anomalies and downweight all involved vehicles or ignore them for trust scoring. The manuscript should include explicit experiments or analysis demonstrating why the tested defenses fail to make this distinction rather than assuming misattribution.
  Authors: We appreciate this observation, which correctly identifies a possible direction for stronger defenses. Our evaluation applies TrustFlip to existing consistency-based mechanisms as published in prior work; these mechanisms compute pairwise inconsistencies without explicit spatial anomaly localization or physical-object detection. The reported results show that the tested defenses do misattribute the inconsistencies, producing the observed trust degradation. To address the concern directly, we will add a new subsection in §4 that analyzes the variance computation used by the defenses and explains why they do not isolate physical anomalies in the current implementations. We will also include a preliminary experiment comparing the baseline defenses against a simple variance-thresholding variant that attempts to flag external anomalies.
  revision: partial
Circularity Check
No circularity: empirical attack evaluation without derivation chain
The paper is an empirical security demonstration of the TrustFlip attack on collaborative perception systems. It describes a physical-adversarial-object mechanism that induces genuine inconsistencies, evaluates success rates (up to 87.7% vehicle removal, 13% AP drop) across architectures and defenses, and proposes TrustReflect as mitigation. No equations, fitted parameters, predictions, or uniqueness theorems appear in the provided text; results derive directly from experimental runs rather than reducing to self-referential definitions or self-citations. The work is therefore self-contained against external benchmarks with no load-bearing circular steps.
Axiom & Free-Parameter Ledger
invented entities (2)
- TrustFlip attack: no independent evidence
- TrustReflect mechanism: no independent evidence
Reference graph
Works this paper leans on
[1] U. D. of Transportation, “Connected and Automated Vehicles - Transportation Planning Capacity Building Program — planning.dot.gov,” https://www.planning.dot.gov/planning/topic CV AV .aspx
[2] Y. Han, H. Zhang, H. Li, Y. Jin, C. Lang, and Y. Li, “Collaborative perception in autonomous driving: Methods, datasets, and challenges,” IEEE Intelligent Transportation Systems Magazine, vol. 15, no. 6, pp. 131–151, 2023.
[3] T.-H. Wang, S. Manivasagam, M. Liang, B. Yang, W. Zeng, and R. Urtasun, “V2vnet: Vehicle-to-vehicle communication for joint perception and prediction,” in European conference on computer vision. Springer, 2020, pp. 605–621.
[4] Y.-C. Liu, J. Tian, N. Glaser, and Z. Kira, “When2com: Multi-agent perception via communication graph grouping,” in Proceedings of the IEEE/CVF Conference on computer vision and pattern recognition, 2020, pp. 4106–4115.
[5] R. Xu, H. Xiang, Z. Tu, X. Xia, M.-H. Yang, and J. Ma, “V2x-vit: Vehicle-to-everything cooperative perception with vision transformer,” in European conference on computer vision. Springer, 2022, pp. 107–124.
[6] Q. Zhang, X. Zhang, R. Zhu, F. Bai, M. Naserian, and Z. M. Mao, “Robust real-time multi-vehicle collaboration on asynchronous sensors,” in Proceedings of the 29th Annual International Conference on Mobile Computing and Networking, 2023, pp. 1–15.
[7] J. Tu, T. Wang, J. Wang, S. Manivasagam, M. Ren, and R. Urtasun, “Adversarial attacks on multi-agent communication,” in Proceedings of the IEEE/CVF International Conference on Computer Vision, 2021, pp. 7768–7777.
[8] Q. Zhang, S. Jin, R. Zhu, J. Sun, X. Zhang, Q. A. Chen, and Z. M. Mao, “On data fabrication in collaborative vehicular perception: Attacks and countermeasures,” in 33rd USENIX Security Symposium (USENIX Security 24), 2024, pp. 6309–6326.
[9] C. Wang, R. Muller, R. Song, J.-P. Monteuuis, J. Petit, Y. Man, R. Gerdes, Z. B. Celik, and M. Li, “From threat to trust: Exploiting attention mechanisms for attacks and defenses in cooperative perception,” in 34th USENIX Security Symposium (USENIX Security 25), 2025, pp. 7387–7406.
[10] C. Wang, R. Song, R. Muller, J.-P. Monteuuis, Z. B. Celik, J. Petit, R. Gerdes, and M. Li, “CP-FREEZER: Latency attacks against vehicular cooperative perception,” in AAAI Conference on Artificial Intelligence, 2026.
[11] Q. Zhang and Z. M. Mao, “Stealthy data fabrication in collaborative vehicular perception,” in Proceedings of the Sixth Workshop on CPS&IoT Security and Privacy, 2024, pp. 142–149.
[12] H. Lin, D. Pan, Q. Xia, H. Wu, C. Wang, S. Shen, and C. Wen, “Pretend benign: A stealthy adversarial attack by exploiting vulnerabilities in cooperative perception,” in Proceedings of the IEEE/CVF International Conference on Computer Vision, 2025, pp. 19 947–19 956.
[13] Q. Zhang, R. Zhang, and Z. M. Mao, “From stealthy data fabrication to unsafe driving: Realistic scenario attacks on collaborative perception,” arXiv preprint arXiv:2605.01301, 2026.
[14] Y. Li, Q. Fang, J. Bai, S. Chen, F. Juefei-Xu, and C. Feng, “Among us: Adversarially robust collaborative perception by consensus,” in Proceedings of the IEEE/CVF International Conference on Computer Vision, 2023, pp. 186–195.
[15] Y. Zhao, Z. Xiang, S. Yin, X. Pang, Y. Wang, and S. Chen, “Made: Malicious agent detection for robust multi-agent collaborative perception,” in 2024 IEEE/RSJ International Conference on Intelligent Robots and Systems (IROS). IEEE, 2024, pp. 13 817–13 823.
[16] S. Hu, Y. Tao, Z. Fang, G. Xu, Y. Deng, S. Kwong, and Y. Fang, “Cp-guard+: A new paradigm for malicious agent detection and defense in collaborative perception,” arXiv preprint arXiv:2502.07807, 2025.
[17] R. S. Hallyburton and M. Pajic, “Security-aware sensor fusion with mate: the multi-agent trust estimator,” in Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security, 2025, pp. 2009–2023.
[18] Z. Jin, X. Ji, Y. Cheng, B. Yang, C. Yan, and W. Xu, “Pla-lidar: Physical laser attacks against lidar-based 3d object detection in autonomous vehicle,” in 2023 IEEE Symposium on Security and Privacy (SP). IEEE, 2023, pp. 1822–1839.
[19] J. Petit and S. E. Shladover, “Potential cyberattacks on automated vehicles,” IEEE Transactions on Intelligent transportation systems, vol. 16, no. 2, pp. 546–556, 2014.
[20] R. Xu, H. Xiang, X. Xia, X. Han, J. Li, and J. Ma, “Opv2v: An open benchmark dataset and fusion pipeline for perception with vehicle-to-vehicle communication,” in 2022 International Conference on Robotics and Automation (ICRA). IEEE, 2022, pp. 2583–2589.
[21] B. Yang, W. Luo, and R. Urtasun, “Pixor: Real-time 3d object detection from point clouds,” in Proceedings of the IEEE conference on Computer Vision and Pattern Recognition, 2018, pp. 7652–7660.
[22] A. H. Lang, S. Vora, H. Caesar, L. Zhou, J. Yang, and O. Beijbom, “Pointpillars: Fast encoders for object detection from point clouds,” in Proceedings of the IEEE/CVF conference on computer vision and pattern recognition, 2019, pp. 12 697–12 705.
[23] Y. Hu, S. Fang, Z. Lei, Y. Zhong, and S. Chen, “Where2comm: Communication-efficient collaborative perception via spatial confidence maps,” Advances in neural information processing systems, vol. 35, pp. 4874–4886, 2022.
[24] Q. Chen, S. Tang, Q. Yang, and S. Fu, “Cooper: Cooperative perception for connected autonomous vehicles based on 3d point clouds,” in 2019 IEEE 39th International Conference on distributed computing systems (ICDCS). IEEE, 2019, pp. 514–524.
[25] X. Zhang, A. Zhang, J. Sun, X. Zhu, Y. E. Guo, F. Qian, and Z. M. Mao, “Emp: Edge-assisted multi-vehicle perception,” in Proceedings of the 27th Annual International Conference on Mobile Computing and Networking, 2021, pp. 545–558.
[26] H. Chen, B. Liu, X. Zhang, F. Qian, Z. M. Mao, and Y. Feng, “A cooperative perception environment for traffic operations and control,” arXiv preprint arXiv:2208.02792, 2022.
[27] Q. Chen, X. Ma, S. Tang, J. Guo, Q. Yang, and S. Fu, “F-cooper: Feature based cooperative perception for autonomous vehicle edge computing system using 3d point clouds,” in Proceedings of the 4th ACM/IEEE Symposium on Edge Computing, 2019, pp. 88–100.
[28] J. Cui, H. Qiu, D. Chen, P. Stone, and Y. Zhu, “Coopernaut: End-to-end driving with cooperative perception for networked vehicles,” in Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2022, pp. 17 252–17 262.
[29] Y. Yuan, H. Cheng, and M. Sester, “Keypoints-based deep feature fusion for cooperative vehicle detection of autonomous driving,” IEEE Robotics and Automation Letters, vol. 7, no. 2, pp. 3054–3061, 2022.
[30] Y. Lu, Q. Li, B. Liu, M. Dianati, C. Feng, S. Chen, and Y. Wang, “Robust collaborative 3d object detection in presence of pose errors,” arXiv preprint arXiv:2211.07214, 2022.
[31] C. Wang, Z. Li, M. F. Li, and W. Wen, “Jigsawcomm: Joint semantic feature encoding and transmission for communication-efficient cooperative perception,” arXiv preprint arXiv:2511.17843, 2025.
[32] H. Liu, P. Ren, S. Jain, M. Murad, M. Gruteser, and F. Bai, “Fusioneye: Perception sharing for connected vehicles and its bandwidth-accuracy trade-offs,” in 2019 16th Annual IEEE International Conference on Sensing, Communication, and Networking (SECON). IEEE, 2019, pp. 1–9.
[33] S. Shi, J. Cui, Z. Jiang, Z. Yan, G. Xing, J. Niu, and Z. Ouyang, “Vips: Real-time perception fusion for infrastructure-assisted autonomous driving,” in Proceedings of the 28th annual international conference on mobile computing and networking, 2022, pp. 133–146.
[34] Y. Cao, C. Xiao, D. Yang, J. Fang, R. Yang, M. Liu, and B. Li, “Adversarial objects against lidar-based autonomous driving systems,” arXiv preprint arXiv:1907.05418, 2019.
[35] Y. Cao, N. Wang, C. Xiao, D. Yang, J. Fang, R. Yang, Q. A. Chen, M. Liu, and B. Li, “Invisible for both camera and lidar: Security of multi-sensor fusion based perception in autonomous driving under physical-world attacks,” in 2021 IEEE symposium on security and privacy (SP). IEEE, 2021, pp. 176–194.
[36] J. Tu, M. Ren, S. Manivasagam, M. Liang, B. Yang, R. Du, F. Cheng, and R. Urtasun, “Physically realizable adversarial examples for lidar object detection,” in Proceedings of the IEEE/CVF conference on computer vision and pattern recognition, 2020, pp. 13 716–13 725.
[37] S. Zhu, Y. Zhao, K. Chen, B. Wang, H. Ma, and C. Wei, “AE-Morpher: Improve physical robustness of adversarial objects against LiDAR-based detectors via object reconstruction,” in 33rd USENIX Security Symposium (USENIX Security 24), 2024, pp. 7339–7356.
[38] Y. Zhu, C. Miao, T. Zheng, F. Hajiaghajani, L. Su, and C. Qiao, “Can we use arbitrary objects to attack lidar perception in autonomous driving?” in Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, 2021, pp. 1945–1960.
[39] T. Möller and B. Trumbore, “Fast, minimum storage ray/triangle intersection,” in ACM SIGGRAPH 2005 Courses, 2005, pp. 7–es.
[40] H. Liu, Y. Wu, Z. Yu, Y. Vorobeychik, and N. Zhang, “Slowlidar: Increasing the latency of lidar-based detection using adversarial examples,” in Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2023, pp. 5146–5155.
[41] E. Jang, S. Gu, and B. Poole, “Categorical reparameterization with gumbel-softmax,” arXiv preprint arXiv:1611.01144, 2016.

Appendix A. Implementation Details
We evaluate our attack against SOTA collaborative perception models spanning both late and intermediate fusion paradigms. For late fusion systems, we target PIXOR [21] and PointPillars [22]. For interm...