Autonomous Driving Security of Intelligent Connected Vehicles: Threats, Attacks, and Defenses

CLC number: TP393

Funding: National Natural Science Foundation of China (61931019)
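    Abstract (translated from the Chinese original):

    Intelligent connected vehicles (ICVs) occupy an important place in national development strategy and are a key technology bearing on the transformation of the automotive industry and on a major power's core competitiveness. Autonomous driving is the ultimate goal of ICV development, and the security of ICV autonomous driving (hereafter "autonomous vehicles") directly affects the safety of people's lives and property and national public security, yet it still lacks systematic study. An in-depth analysis of the security threats facing autonomous driving can guide its protection and assurance and promote its large-scale adoption. By collating the relevant work of academia and industry on autonomous driving security, this paper analyzes and summarizes the security problems that autonomous driving faces. It first introduces the architecture of autonomous vehicles and what is distinctive about their security. Then, from a model perspective, it reviews across the whole process the 9 possible attack points in three areas (physical-domain input, information-domain input, and the driving model), together with their attack methods and security defenses. Finally, through statistical analysis of data on research papers from the past 7 years, it summarizes the current state of autonomous driving security research and discusses future research directions.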

    Abstract:

    Intelligent connected vehicles (ICVs) hold a significant strategic position within the national developmental framework, epitomizing a critical technological facet underpinning automotive industry innovations and serving as a nucleus of core national competitiveness. The culmination of ICV development resides in the realization of autonomous driving capabilities, herein termed “autonomous vehicles”. Security ramifications intrinsic to autonomous vehicles bear direct implications for public security, individual safety, and property integrity. However, a comprehensive, methodologically rigorous investigation of these security dimensions remains conspicuously absent. A comprehensive examination of the security threats germane to autonomous vehicles, thus, serves as a compass guiding security fortifications and engendering widespread adoption. By collating pertinent research endeavors from both academia and industry, this study undertakes a methodical and comprehensive analysis of the security issues intrinsic to autonomous driving. Inceptive discourse elaborates on the architectural contours of autonomous vehicles, interlaced with the nuances of their security considerations. Subsequently, embracing a model-centric vantage point, the analysis meticulously delineates nine prospective attack vectors across the tripartite domains of physical inputs, informational inputs, and the driving model itself. Each vector is expounded alongside its associated attack modalities and corresponding security mitigations. Finally, through quantitative analysis of research literature encompassing the last septennium, the prevailing terrain of autonomous vehicle security scholarship is scrutinized, thereby crystallizing latent trajectories for future research endeavors.

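Cite this article

郗来乐, 林声浩, 王震, 谢天鸽, 孙玉砚, 朱红松, 孙利民. Autonomous Driving Security of Intelligent Connected Vehicles: Threats, Attacks, and Defenses. Journal of Software (软件学报), 2025, 36(4): 1859-1880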

History
  • Received: 2024-01-05
  • Last revised: 2024-06-03
  • Published online: 2024-12-18