Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Magic Tricks for Self-driving Cars

Weilin Xu
August 11, 2018
Research
0
610

Magic Tricks for Self-driving Cars

A highlighted talk at the Defcon 2018 CAAD Village. I conducted this work at Baidu X-Lab in summer 2018 while I was an intern researcher.

Weilin Xu

August 11, 2018
Tweet

Other Decks in Research

See All in Research
小1にルービックキューブを教えてみた 〜群論スポーツの教育とパターン認知〜
itakigawa
0
200
コロナ禍だからこそ考えるオフラインコミュニティの意義 / significance of community
ariaki
0
840
ICH E9 (R1) 臨床試験のための統計的原則〜中間事象に対するストラテジー
shuntaros
1
250
傾向スコアのモデルに含める共変量選択のアプローチ
tomoshige_n
1
900
第20回チャンピオンズミーティング・サジタリウス杯ラウンド2集計 / Umamusume Sagittarius 2022 Round2
kitachan_black
0
770
第21回チャンピオンズミーティング・カプリコーン杯ラウンド2集計 / Umamusume Capricorn 2023 Round2
kitachan_black
0
590
Synthetic Control Method(合成コントロール法)1
masakat0
1
500
ピッチコールの公平性と観客の存在:MLBの投球データ分析
ontime11
0
280
NICOGRAPH 2022 で発表してきました
enkatsu
0
130
物理現象の性質を反映させたグラフニューラルネットワークによる偏微分方程式の学習
yellowshippo
2
760
Phishing Hunging Operations (PHOps)
tatsui
0
2.1k
Analysis and Estimation of News Article Reading Time with Multimodal Machine Learning
upura
0
130

Featured

See All Featured
What's in a price? How to price your products and services
michaelherold
233
9.8k
Facilitating Awesome Meetings
lara
34
4.7k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
10
1.4k
Learning to Love Humans: Emotional Interface Design
aarron
263
38k
Fontdeck: Realign not Redesign
paulrobertlloyd
74
4.4k
Making the Leap to Tech Lead
cromwellryan
117
7.7k
jQuery: Nuts, Bolts and Bling
dougneiner
57
6.7k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
318
19k
BBQ
matthewcrist
75
8.2k
From Idea to $5000 a Month in 5 Months
shpigford
374
44k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
24
5.1k
Mobile First: as difficult as doing things right
swwweet
213
7.9k

Transcript

  1. Magic Tricks for
    Self-driving Cars
    Weilin Xu, Zhenyu Zhong, Yunhan Jia

    View Slide

  2. • This is a proof-of-concept.
    • We are NOT targeting at any autonomous vehicle vendors.
    • Don’t try to fool your neighbor’s car.
    AUTHORS’ WARNING

    View Slide

  3. Autonomous Vehicle Framework
    Radar
    LiDAR
    Camera
    Image: https://medium.com/toyota-ai-ventures/https-medium-com-toyota-ai-ventures-announcingblackmore-7947eacc9e9e
    Camera

    View Slide

  4. Camera-based Obstacle Detection

    View Slide

  5. View Slide

  6. Our Target: YOLOv3
    YOLO v3
    Object Detection Model
    [147 Layers, 62M Parameters]
    Input
    [416x416x3]
    Output
    [3549 Bounding Boxes]
    Image: http://media.nj.com/traffic_impact/photo/all-way-stop-sign-that-flashes-in-montclairjpg-30576ab330660eff.jpg

    View Slide

  7. Trained with the COCO Dataset
    • Common Objects in Context
    • 80 Classes: person, [car, truck, bus], [bicycle, motorcycle], [stop sign,
    traffic light], etc.
    Source: http://cocodataset.org/

    View Slide

  8. car
    0.01%
    YOLOv3 Inference
    116x9
    0
    156x
    198
    373x326
    Anchor
    Boxes
    !"
    = $ %"
    + '"
    !(
    = $ %(
    + '(
    !)
    = *)
    +,-
    Center
    Point
    Object
    Size
    !.
    = *.
    +,/
    *.
    *)
    13 x 13 Grid
    ('"
    , '(
    ) = (11,2)
    Prediction
    Vector
    Bounding Box 80 Class Confidence
    Objectness
    %"
    %(
    %)
    %.
    *567
    '8
    '9 … … ':;
    '<=

    stop sign
    99%
    ×
    car
    0.01%
    car
    0.01%

    View Slide

  9. Threat Model: Image Patch Attack
    Company
    Logo

    View Slide

  10. Threat Model: Image Patch Attack
    Company
    Logo

    View Slide

  11. Threat Model: Image Patch Attack
    Company
    Logo

    View Slide

  12. Threat Model: Image Patch Attack
    Company
    Logo

    View Slide

  13. Attack Algorithms
    • Input Construction
    • Objectives
    • Optimization

    View Slide

  14. Resize
    Perspective
    Transform
    Differentiable Input Construction
    Company
    Logo
    Company
    Logo

    View Slide

  15. Objectives
    • Object Production
    • Object Vanish
    • Object Transformation

    View Slide

  16. Object Production - Coarse
    We want more certain objects on the whole image.
    • Easy to implement.
    • May be difficult to optimize. Company
    Logo

    View Slide

  17. Object Production - Precise
    We want a certain object of a specific size in a specific location.
    Company
    Logo

    View Slide

  18. Object Vanish - Coarse
    We want a certain object class to vanish on the whole image.

    View Slide

  19. Object Transformation - Coarse
    We want certain object class to transform to other class.

    View Slide

  20. Optimization
    • Change of variable
    Convert to tanh() space to encode the [0, 1] interval constraint.
    Friendly to many off-the-shelf optimizers, e.g. Adam.
    • To optimize logits
    Skip sigmoid() to avoid vanishing gradient.
    Carlini, Nicholas, and David Wagner. “Towards Evaluating the Robustness of Neural Networks.”
    IEEE S&P (Oakland) 2016.

    View Slide

  21. But, Image Sensing is not an Identity Function
    Model Input
    [416x416x3]
    § Limited Resolution
    § Distortions
    § Random Noise
    § …
    Digital
    Image
    Scene

    View Slide

  22. Towards Robust Physical Adversarial Examples
    • [Limited Resolution] Smoother patch with the total variation regularization.
    • [Distortions] Color management with the non-printability loss.
    • [Inaccurate Patch] Random transformation during optimization iterations.
    • ……
    Sharif, Mahmood, et al. "Accessorize to a crime: Real and stealthy attacks on state-of-the-art face
    recognition." ACM CCS 2016.

    View Slide

  23. Conclusion
    • Magicians can fool object detection models, so
    can attackers.
    • We should be cautious with self-driving cars that
    rely on computer vision.

    View Slide