Taking into account information across the temporal domain helps to improve environment perception in autonomous driving. However, it has not been studied so far whether temporally fused neural networks are vulnerable to deliberately generated perturbations, i.e. adversarial attacks, or whether temporal history is an inherent defense against them. In this work, we study whether temporal feature networks for object detection are vulnerable to universal adversarial attacks. We evaluate attacks of two types: imperceptible noise for the whole image and a locally bound adversarial patch. In both cases, perturbations are generated in a white-box manner using PGD. Our experiments confirm that attacking even a portion of a temporal input suffices to fool the network. We visually assess generated perturbations to gain insights into the functioning of attacks. To enhance robustness, we apply adversarial training using 5-PGD. Our experiments on the KITTI and nuScenes datasets demonstrate that a model robustified via K-PGD is able to withstand the studied attacks while keeping the mAP-based performance comparable to that of an unattacked model.