$30 off During Our Annual Pro Sale. View Details »

Magic Tricks for Self-driving Cars

Weilin Xu
August 11, 2018
Research
0
670

Magic Tricks for Self-driving Cars

A highlighted talk at the Defcon 2018 CAAD Village. I conducted this work at Baidu X-Lab in summer 2018 while I was an intern researcher.

Weilin Xu

August 11, 2018
Tweet

Other Decks in Research

See All in Research
論文紹介 / Llama 2: Open Foundation and Fine-Tuned Chat Models
kyoun
4
4.5k
推薦結果への説明付加はいつどんなものが嬉しいか
kuri8ive
0
170
Win ratio その2
shuntaros
0
180
Contextual and Nonstationary Multi-armed Bandits Using the Linear Gaussian State Space Model for the Meta-Recommender System
monochromegane
1
240
旅行記から地図へ:文章から旅の軌跡を取り出して地図上に描く
hiroki13
1
160
Conservation Laws for Gradient Flows
gpeyre
1
710
INTERSPEECH 2023 T5 Part4: Source Separation Based on Deep Source Generative Models and Its Self-Supervised Learning
yoshipon
2
240
The Dark Playground of CICD: Attack Delivery by GitHub Actions
nttcom
0
240
熊本都市交通リノベーション_熊本青年会議所ローカルマニフェスト検証会
trafficbrain
0
360
V&V of Systems Engineering Models and Modeling Languages
ftsrg
0
180
Coco-Nut: 自由記述文による声質制御に向けた多話者音声・声質自由記述ペアデータセット
aya_watanabe
0
210
強い生成 AI 検知システムを実現する Data-Centric なデータセット管理
johannyjm
1
680

Featured

See All Featured
Streamline your AJAX requests with AmplifyJS and jQuery
dougneiner
130
9.8k
Stop Working from a Prison Cell
hatefulcrawdad
264
18k
Intergalactic Javascript Robots from Outer Space
tanoku
264
26k
The Pragmatic Product Professional
lauravandoore
23
5.4k
The Cult of Friendly URLs
andyhume
71
5.4k
We Have a Design System, Now What?
morganepeng
41
6.5k
What the flash - Photography Introduction
edds
64
11k
Mobile First: as difficult as doing things right
swwweet
214
8.3k
Building Your Own Lightsaber
phodgson
97
5.4k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
10
1.3k
Become a Pro
speakerdeck
PRO
8
3.6k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
1
1.1k

Transcript

  1. Magic Tricks for
    Self-driving Cars
    Weilin Xu, Zhenyu Zhong, Yunhan Jia

    View Slide

  2. • This is a proof-of-concept.
    • We are NOT targeting at any autonomous vehicle vendors.
    • Don’t try to fool your neighbor’s car.
    AUTHORS’ WARNING

    View Slide

  3. Autonomous Vehicle Framework
    Radar
    LiDAR
    Camera
    Image: https://medium.com/toyota-ai-ventures/https-medium-com-toyota-ai-ventures-announcingblackmore-7947eacc9e9e
    Camera

    View Slide

  4. Camera-based Obstacle Detection

    View Slide

  5. View Slide

  6. Our Target: YOLOv3
    YOLO v3
    Object Detection Model
    [147 Layers, 62M Parameters]
    Input
    [416x416x3]
    Output
    [3549 Bounding Boxes]
    Image: http://media.nj.com/traffic_impact/photo/all-way-stop-sign-that-flashes-in-montclairjpg-30576ab330660eff.jpg

    View Slide

  7. Trained with the COCO Dataset
    • Common Objects in Context
    • 80 Classes: person, [car, truck, bus], [bicycle, motorcycle], [stop sign,
    traffic light], etc.
    Source: http://cocodataset.org/

    View Slide

  8. car
    0.01%
    YOLOv3 Inference
    116x9
    0
    156x
    198
    373x326
    Anchor
    Boxes
    !"
    = $ %"
    + '"
    !(
    = $ %(
    + '(
    !)
    = *)
    +,-
    Center
    Point
    Object
    Size
    !.
    = *.
    +,/
    *.
    *)
    13 x 13 Grid
    ('"
    , '(
    ) = (11,2)
    Prediction
    Vector
    Bounding Box 80 Class Confidence
    Objectness
    %"
    %(
    %)
    %.
    *567
    '8
    '9 … … ':;
    '<=

    stop sign
    99%
    ×
    car
    0.01%
    car
    0.01%

    View Slide

  9. Threat Model: Image Patch Attack
    Company
    Logo

    View Slide

  10. Threat Model: Image Patch Attack
    Company
    Logo

    View Slide

  11. Threat Model: Image Patch Attack
    Company
    Logo

    View Slide

  12. Threat Model: Image Patch Attack
    Company
    Logo

    View Slide

  13. Attack Algorithms
    • Input Construction
    • Objectives
    • Optimization

    View Slide

  14. Resize
    Perspective
    Transform
    Differentiable Input Construction
    Company
    Logo
    Company
    Logo

    View Slide

  15. Objectives
    • Object Production
    • Object Vanish
    • Object Transformation

    View Slide

  16. Object Production - Coarse
    We want more certain objects on the whole image.
    • Easy to implement.
    • May be difficult to optimize. Company
    Logo

    View Slide

  17. Object Production - Precise
    We want a certain object of a specific size in a specific location.
    Company
    Logo

    View Slide

  18. Object Vanish - Coarse
    We want a certain object class to vanish on the whole image.

    View Slide

  19. Object Transformation - Coarse
    We want certain object class to transform to other class.

    View Slide

  20. Optimization
    • Change of variable
    Convert to tanh() space to encode the [0, 1] interval constraint.
    Friendly to many off-the-shelf optimizers, e.g. Adam.
    • To optimize logits
    Skip sigmoid() to avoid vanishing gradient.
    Carlini, Nicholas, and David Wagner. “Towards Evaluating the Robustness of Neural Networks.”
    IEEE S&P (Oakland) 2016.

    View Slide

  21. But, Image Sensing is not an Identity Function
    Model Input
    [416x416x3]
    § Limited Resolution
    § Distortions
    § Random Noise
    § …
    Digital
    Image
    Scene

    View Slide

  22. Towards Robust Physical Adversarial Examples
    • [Limited Resolution] Smoother patch with the total variation regularization.
    • [Distortions] Color management with the non-printability loss.
    • [Inaccurate Patch] Random transformation during optimization iterations.
    • ……
    Sharif, Mahmood, et al. "Accessorize to a crime: Real and stealthy attacks on state-of-the-art face
    recognition." ACM CCS 2016.

    View Slide

  23. Conclusion
    • Magicians can fool object detection models, so
    can attackers.
    • We should be cautious with self-driving cars that
    rely on computer vision.

    View Slide