An Advanced Black-Box Adversarial Attack for Deep Driving Maneuver Classification Models

Abstract

Connected and autonomous vehicles (CAV) have been introduced to increase roadway safety and traffic flow efficiency. In CAV scenarios, an autonomous vehicle shares its current and near-future driving maneuvers in terms of different driving signals (e.g., speed, brake pedal pressure) with its nearby vehicles using wireless communication technologies. Deep neural network (DNN) models are usually used to process the driving maneuver time-series data over other machine learning algorithms due to the high prediction accuracy of DNN models. In this scenario, an attacker can send false driving maneuver signals to fool the DNN model to misclassify an input. The existing black-box adversarial attacks (which are for image datasets) require many queries to the DNN model to check if a generated attack will be successful (hence long time) or high amount of perturbation (low imperceptibility), and thus cannot be applied to the time-sensitive CAV scenarios featured by multi-dimensional time series driving data. In this paper, we present an Advanced black-box Adversarial Attack $({\mathrm {A}}^{3})$ for the deep driving maneuver classification models. We first formulate an optimization problem for the attack generation with continuous search space to reduce the search time. To solve the optimization problem, A3 innovatively combines the binary search and optimization algorithm to improve the time-efficiency of searching the optimal solution. It first uses a binary partition technique to reduce the perturbation search space in solving the problem to improve time-efficiency. It then uses the zeroth-order stochastic gradient descent approach, which is featured by searching a solution faster for high-dimensional datasets, thus further improving time-efficiency. We evaluate the proposed A3 attack in terms of different metrics using two real driving datasets. The experimental results show that the A3 attack requires up to 84.12% fewer queries and 57.67% less perturbation with 94.87% higher success rates than the existing black-box adversarial attacks.