Adversarial Objects Against LiDAR-Based Autonomous Driving Systems

by Yulong Cao, et al.

Deep neural networks (DNNs) are found to be vulnerable against adversarial examples, which are carefully crafted inputs with a small magnitude of perturbation aiming to induce arbitrarily incorrect predictions. Recent studies show that adversarial examples can pose a threat to real-world security-critical applications: a "physical adversarial Stop Sign" can be synthesized such that the autonomous driving cars will misrecognize it as others (e.g., a speed limit sign). However, these image-space adversarial examples cannot easily alter 3D scans of widely equipped LiDAR or radar on autonomous vehicles. In this paper, we reveal the potential vulnerabilities of LiDAR-based autonomous driving detection systems, by proposing an optimization based approach LiDAR-Adv to generate adversarial objects that can evade the LiDAR-based detection system under various conditions. We first show the vulnerabilities using a blackbox evolution-based algorithm, and then explore how much a strong adversary can do, using our gradient-based approach LiDAR-Adv. We test the generated adversarial objects on the Baidu Apollo autonomous driving platform and show that such physical systems are indeed vulnerable to the proposed attacks. We also 3D-print our adversarial objects and perform physical experiments to illustrate that such vulnerability exists in the real world. Please find more visualizations and results on the anonymous website:






1 Introduction

Machine learning, especially deep neural networks (DNNs), has achieved great success in various domains (Collobert and Weston, 2008; He et al., 2016; Deng et al., 2013; Silver et al., 2016). Several safety-critical applications such as autonomous vehicles (AV) have also adopted machine learning models and achieved promising performance. However, recent studies show that machine learning models are vulnerable to adversarial attacks Goodfellow et al. (2014); Carlini and Wagner (2017a); Xiao et al. (2018b, d, a); Sun et al. (2018). In these attacks, small perturbations are sufficient to cause various well-trained models to output “adversarial” predictions. In this paper we aim to explore similar vulnerabilities in today’s autonomous driving systems.

Such adversarial attacks have been largely explored in the image domain. In addition, to demonstrate such attacks pose a threat in the real world, some studies propose to generate physical stickers or printable textures that can confuse a classifier to recognize a stop sign Athalye and Sutskever (2017); Evtimov et al. (2017). However, an autonomous driving system is not merely an image-based classifier. For perception, most autonomous driving detection systems are equipped with LiDAR (Light Detection And Ranging) or RADAR (Radio Detection and Ranging) devices which are capable of directly probing the surrounding 3D environment with laser beams. This raises the doubt of whether texture perturbation in previous work will affect LiDAR-scanned point clouds. In addition, the LiDAR-based detection system consists of multiple non-differentiable steps, rather than a single end-to-end network, which largely limits the use of gradient-based end-to-end attacks. These two key obstacles not only invalidate previous image-based approaches, but also raise several new challenges when we want to construct an adversarial object: 1) LiDAR-based detection system projects 3D shape to a point cloud using physical LiDAR equipment. The point cloud is then fed into the machine learning detection system. Therefore, how shape perturbation affects the scanned point cloud is not clear. 2) The preprocessing of the LiDAR point clouds is non-differentiable, preventing the naive use of gradient-based optimizers. 3) The perturbation space is limited due to multiple aspects. First, we need to ensure the perturbed object can be reconstructed in the real world. Second, a valid LiDAR scan of an object is a constrained subset of point cloud, making the perturbation space much smaller compared to perturbing the point cloud without any constraint Xiang et al. (2018).

In this paper, we propose LiDAR-Adv to address the above issues and generate adversarial objects against real-world LiDAR systems, as shown in Figure 1. We first simulate a differentiable LiDAR renderer to bridge the perturbations from 3D objects to LiDAR scans (or point cloud). Then we formulate 3D feature aggregation with a differentiable proxy function. Finally, we devise different losses to ensure the smoothness of the generated 3D adversarial objects. To better demonstrate the flexibility of the proposed attack approach, we evaluate our attacking approach under two different attacking scenarios: 1) Hiding Object: synthesizing an “adversarial object” that will not be detected by the detector. 2) Changing Label: synthesizing an “adversarial object” that is recognized as a specified adversarial target by the detector. We also compare LiDAR-Adv with the evolution algorithm in the blackbox setting.

To evaluate the real-world impact of LiDAR-Adv, we 3D print out the generated adversarial objects and test them on the Baidu Apollo autonomous driving platform, an industry-level system which is not only highly adopted for research purpose but also actively used in industries. We show that with 3D perception and a production-level multi-stage detector, we are able to mislead the autonomous driving system to achieve different adversarial targets.

To summarize, our contributions are as follows: (1) We propose LiDAR-Adv, an end-to-end approach to generate physically plausible adversarial objects against LiDAR-based autonomous driving detection systems. To the best of our knowledge, this is the first work to exploit adversarial objects for such systems. (2) We experiment on Apollo, an industry-level autonomous driving platform, to illustrate the effectiveness and robustness of the attacks in practice. We also compare the objects generated by LiDAR-Adv with evolution algorithm to show that LiDAR-Adv can provide smoother objects. (3) We conduct physical experiments by 3D-printing the optimized adversarial object and show that it can consistently mislead the LiDAR system equipped in a moving car.

Figure 1: Overview of LiDAR-Adv. The first row shows that a normal box will be detected by the LiDAR-based detection system; while the generated adversarial object with similar size in row 2 cannot be detected.

2 Related work

Image-space adversarial attacks. Adversarial examples have been heavily explored in 2D image domains Goodfellow et al. (2014); Carlini and Wagner (2017b); Papernot et al. (2016); Moosavi-Dezfooli et al. (2016); Xiao et al. (2018b). Various works Evtimov et al. (2017); Kurakin et al. (2016); Athalye and Sutskever (2017) start to study robust physical adversarial examples. Evtimov et al. (2017) has created printable 2D stickers to attach to a stop sign and cause a detector to predict wrong labels. Following this line, there are also works Xiao et al. (2018c); Liu et al. (2018) aiming to optimize the 3D shapes to show that even the surface geometry itself can produce adversarial behaviors.

In this work, we exploit the object surfaces to generate adversarial objects, and one fundamental challenge that differentiates our work from the previous ones is: the sensor in a LiDAR-based system directly probes the 3D environment as the input, bypassing surface textures of the adversarial objects. This means we may only rely on shape geometry to perform any attacks. On the other hand, compared to prior works that have shown successes on attacking single models, it is worth noting that the victim model which we experiment on (Apollo), is not merely an end-to-end deep learning model but an industry-level autonomous driving platform that consists of multiple non-differentiable parts.

Adversarial point clouds. Xiang et al. (2018) show a proof of concept that models taking raw 3D point clouds as input Qi et al. (2017) can be vulnerable to adversarial point clouds. However, this approach is only evaluated with a single digital model. It is not clear whether the generated point clouds can form plausible 3D shape surfaces, or whether they can be reconstructed through LiDAR scans. In our approach, although the victim model similarly takes point clouds as input, these point clouds have to satisfy extra constraints: all points have to be the intersections of the laser beams and the object surfaces. We address this challenge by proposing a differentiable renderer which simulates the reconstructed laser beams projecting onto object surfaces. As we will show later, when the object moves, the point cloud changes in accordance with the laser hits, and how to enforce the robustness against such LiDAR scans is non-trivial.

3 LiDAR-based Detection

In this section, we provide the details of the LiDAR-based detection system that are directly related to our proposed adversarial attacks. Refer to the online repository for more details.

An overview of the system is shown in Fig. 2. First, a LiDAR sensor scans the 3D environment and obtains a raw point cloud of the scene. Next, the point cloud goes through preprocessing, and is fed to a detection model. Finally, post-processing is applied to the detection output to obtain the detection predictions.

LiDAR. A LiDAR sensor scans the surrounding environment and generates a point cloud of with 3D coordinates () and intensity . First, a sensor fires off an array of laser beams consecutive in horizontal and vertical directions. It then captures the light intensity reflecting back, and calculates the time that photons have traveled along each beam (Time of Flight). The distance and the coordinate of the surface points along the beam can be computed. These points then form a raw point cloud of the object surfaces in the environment. LiDAR sensors are supposedly robust to object surface textures, as the Time of Flight is not easily affected by texture change. Though it also detects the intensity of reflected lights, it is unclear how adversarial algorithms designed for natural lighting in image space can be adapted to invisible laser beams used as light sources. Therefore, image-based adversarial attacks may have limited effects on such LiDAR-based detection system.

Figure 2: Overview of LiDAR-based detection on AV.

Preprocessing phase.

The previous raw point cloud goes through a preprocessing phase to form a feature map of (see Sec. B). The raw point cloud is first transformed and filtered based on a High Definition Map (HDMap) to attain a ROI point cloud . This point cloud is then sliced into vertical cells at . This “hard” assignment of points into cells will introduce piecewise zero gradients for counting and max w.r.t. the input. After slicing, in each cell, the information of the points are aggregated to generate a feature of size 8 for this cell, including heights, intensity, point counts etc. (detailed in Sec. B). This feature map will then be fed into a machine learning model.

In this procedure, many operations (e.g. max height, count) introduce zero gradients due to the “hard” assignment, so the end-to-end optimization-based attack algorithms are not directly applicable.
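The hard cell assignment and the eight per-cell features listed in Table C can be reproduced directly to see where the zero gradients come from. The Python below is an added example, not code from the paper or from Apollo; the grid extent (±60 m), the 512 × 512 resolution and all function names are assumptions, and the sample points are constructed.

```python
import math
from collections import defaultdict

# Grid geometry is an assumption for this example; the page does not state it.
ROI_RANGE_M = 60.0                      # ROI covers [-60, 60) m in x and y
GRID_SIZE = 512                         # cells per side
CELL_M = 2 * ROI_RANGE_M / GRID_SIZE    # 0.234375 m per cell


def cell_index(x, y):
    """Hard assignment of a point to a (row, col) cell; None outside the ROI."""
    col = math.floor((x + ROI_RANGE_M) / CELL_M)
    row = math.floor((y + ROI_RANGE_M) / CELL_M)
    if 0 <= row < GRID_SIZE and 0 <= col < GRID_SIZE:
        return row, col
    return None


def aggregate(points):
    """Build the eight per-cell features for every non-empty cell.

    points: sequence of (x, y, z, intensity) in the LiDAR frame.
    """
    buckets = defaultdict(list)
    for x, y, z, intensity in points:
        idx = cell_index(x, y)
        if idx is not None:
            buckets[idx].append((z, intensity))

    features = {}
    for (row, col), pts in buckets.items():
        top_z, top_intensity = max(pts, key=lambda p: p[0])
        cx = -ROI_RANGE_M + (col + 0.5) * CELL_M   # cell centre
        cy = -ROI_RANGE_M + (row + 0.5) * CELL_M
        features[(row, col)] = {
            "max_height": top_z,
            "max_intensity": top_intensity,        # intensity of the highest point
            "mean_height": sum(z for z, _ in pts) / len(pts),
            "mean_intensity": sum(i for _, i in pts) / len(pts),
            "count": len(pts),
            "direction": math.atan2(cy, cx),
            "distance": math.hypot(cx, cy),
            "non_empty": 1,
        }
    return features


def feature_delta(points, i, dx, feature):
    """Change of one feature in point i's original cell after moving it by dx in x."""
    x, y, z, intensity = points[i]
    cell = cell_index(x, y)
    moved = list(points)
    moved[i] = (x + dx, y, z, intensity)
    before = aggregate(points).get(cell, {}).get(feature, 0)
    after = aggregate(moved).get(cell, {}).get(feature, 0)
    return after - before


# Constructed sample: three returns in one cell plus one return elsewhere.
SAMPLE = [
    (10.00, 5.00, 0.4, 0.2),
    (10.02, 5.05, 0.9, 0.7),
    (9.90, 5.10, 0.1, 0.5),
    (20.00, -3.00, 1.5, 0.3),
]

if __name__ == "__main__":
    cell = cell_index(10.0, 5.0)
    print(cell, aggregate(SAMPLE)[cell])
    # Small shifts leave count and max height unchanged; only a shift that
    # crosses the cell boundary changes them, and then by a jump.
    for dx in (0.01, 0.05, 0.10):
        print(dx, feature_delta(SAMPLE, 0, dx, "count"),
              feature_delta(SAMPLE, 1, dx, "max_height"))
```

The features are piecewise constant in the horizontal point coordinates: they do not respond to a displacement until a point leaves its cell, which is the behaviour the text describes as zero gradients.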

Machine learning model.

Deep Neural Networks (DNNs) are used to process the feature map, and then output the metrics for each one of the cells. The metrics are listed in Sec. B.

Post-processing phase.

The post-processing phase aggregates previous outputs from the machine learning model and recognizes the detected objects. The post-processing can be roughly divided into 3 major sequential components: clustering, box building and tracking. The clustering process composes obstacle candidates using both the model output metrics and ROI point cloud generated from the preprocessing phase. In the clustering process, cells with higher objectness confidence (greater than 0.5 by default) are used for constructing clusters by building a connected graph using center offset. The obstacle candidates are produced by selecting the clusters with two constraints: (1) the average confidence of cells in the cluster needs to be greater than 0.1; (2) the number of points in the ROI point cloud that are assigned to the cluster is greater than 3. The class probabilities of the obstacle candidate are calculated by summing up class probabilities of all cells in the cluster. The box builder then reconstructs the bounding boxes including the height, width, length of the obstacle candidates from the point cloud assigned to the candidate. Finally, the tracker integrates multiple frames of processed results to generate tracked objects as the output of the LiDAR-based detection, together with additional information such as object id, speed etc.
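The candidate selection rules above can be written as a filter that also records why a cluster was dropped, which is the information an operator needs when reviewing missed obstacles. This is an added example, not Apollo's code: it groups cells by 4-neighbour adjacency as a simplification of the center-offset graph, the field names are hypothetical, and the cell values are constructed.

```python
# Thresholds as stated in the text.
OBJECTNESS_MIN = 0.5        # cells must exceed this to join a cluster
AVG_CONFIDENCE_MIN = 0.1    # average positiveness of a cluster must exceed this
POINTS_MIN_EXCLUSIVE = 3    # a cluster needs more than 3 ROI points


def cluster_cells(cells):
    """Group cells whose objectness exceeds the threshold.

    Assumption: 4-neighbour adjacency stands in for the center-offset graph.
    """
    active = {c for c, m in cells.items() if m["objectness"] > OBJECTNESS_MIN}
    seen, clusters = set(), []
    for start in sorted(active):
        if start in seen:
            continue
        seen.add(start)
        stack, comp = [start], []
        while stack:
            r, c = stack.pop()
            comp.append((r, c))
            for nb in ((r + 1, c), (r - 1, c), (r, c + 1), (r, c - 1)):
                if nb in active and nb not in seen:
                    seen.add(nb)
                    stack.append(nb)
        clusters.append(sorted(comp))
    return clusters


def select_candidates(cells):
    """Apply both candidate constraints and keep the rejection reasons."""
    report = []
    for comp in cluster_cells(cells):
        avg_conf = sum(cells[c]["positiveness"] for c in comp) / len(comp)
        n_points = sum(cells[c]["points"] for c in comp)
        reasons = []
        if not avg_conf > AVG_CONFIDENCE_MIN:
            reasons.append("low_confidence")
        if not n_points > POINTS_MIN_EXCLUSIVE:
            reasons.append("too_few_points")
        report.append({
            "cells": comp,
            "avg_confidence": avg_conf,
            "points": n_points,
            "accepted": not reasons,
            "rejected_for": reasons,
        })
    return report


# Constructed model output for a handful of cells.
SAMPLE_CELLS = {
    (10, 10): {"objectness": 0.9, "positiveness": 0.6, "points": 5},
    (10, 11): {"objectness": 0.8, "positiveness": 0.5, "points": 4},
    (11, 10): {"objectness": 0.7, "positiveness": 0.4, "points": 3},
    (20, 20): {"objectness": 0.6, "positiveness": 0.05, "points": 6},
    (20, 21): {"objectness": 0.55, "positiveness": 0.08, "points": 5},
    (30, 30): {"objectness": 0.9, "positiveness": 0.9, "points": 2},
    (40, 40): {"objectness": 0.4, "positiveness": 0.9, "points": 9},
}

if __name__ == "__main__":
    for entry in select_candidates(SAMPLE_CELLS):
        print(entry)
```

In the sample, the cell at (40, 40) holds nine points but never reaches clustering because its objectness is below 0.5, and two of the three clusters are dropped by the confidence and point-count constraints.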

Note that in this paper, we only consider a single frame for the adversarial attacks as a demonstration of feasibility. For the case of multiple frames, it can be treated as enhancing robustness against object motions, and such robustness against different locations is shown in later experiments (§ 5.4).

4 Generating Adversarial Object Against LiDAR-based Detection

In this section, we will formulate the problem first and describe the adversarial goals and challenges. We then describe our whitebox method LiDAR-Adv which aims to tackle the challenges and fulfill diverse adversarial goals. Finally, we propose an evolution-based attack method for blackbox settings.

4.1 Methodology overview

Given a 3D object in a scene, as stated in the background, after the scene is scanned by a LiDAR sensor, a point cloud is then generated based on so that For preprocessing, this point cloud is sliced and aggregated to generate , which is a

feature vector, and we call this aggregation process as

: . Then a machine learning model maps this 2D feature to , where (see Sec. B for concrete output meanings). is then post-processed by a clustering process to generate the confidence and label of detected obstacles so that An adversarial attacker aims to manipulate the object to achieve the adversarial goals. Here we define two types of adversarial goals: 1) Hiding object: Hide an existing object by manipulating ; 2) Changing label: Change the label of the detected object to a specified target .

To achieve the above adversarial goals in LiDAR-based detection is non-trivial, and there are the following challenges: 1) Multiple pre/post-processing stages. Unlike the adversarial attacks on traditional image-space against machine learning tasks such as classification and object detection, the LiDAR-based detection here is not a single end-to-end learning model. It consists of the differentiable learning model and several non-differentiable parts including preprocessing and post-processing. Thus, the direct gradient based attacks are not directly applicable. 2) Manipulation constraints. Instead of directly manipulating the point cloud as in Xiang et al. (2018), we manipulate the 3D shape of given the limitation of LiDAR. The points in are the intersections of laser beams and object surfaces and cannot move freely, so the perturbations on each point may affect each other. Keeping the shape plausible and smooth adds additional constraints Xiao et al. (2018c). 3) Limited Manipulation Space. Consider the practical size of the object versus the size of the scene that is processed by LiDAR, the 3D manipulation space is rather small ( in our experiments), as shown in Fig. 1.

Given the above challenges, we design an end-to-end attacking pipeline. In order to facilitate gradient-based algorithms, we implement an approximated differentiable renderer , which simulates the functionality of LiDAR, to intersect a set of predefined rays with the 3D object surface () consisting of vertices and faces . The points at the intersections form the raw point cloud . After preprocessing, the point cloud is then fed to a preprocessing function to generate the feature map . The feature map is then taken as input for a machine learning model to obtain the output metrics .

The whole progress can be symbolized as . Note that by differentiating the renderer , the whole process is differentiable w.r.t. . In this way, we can manipulate to generate adversarial via our designed objective function operating on the final output .

4.2 Approximate differentiable renderer

LiDAR simulation

The renderer simulates the physics of a LiDAR sensor that probes the objects in the scene by casting laser beams. The renderer first takes a mesh as input, and compute the intersections of a set of predefined ray directions to the meshes in the scene to generate point cloud . After depth testing, the distance along each beam is then captured, representing the surface point of a mesh that it first encounters, as if a LiDAR system receives a reflection from an object surface. Knowing ray directions of the beams, the exact positions of the intersection points can be inferred from the distance, in the form of point clouds .

Real background from a road scene

We render our synthetic object onto a realistically captured point cloud. First, we obtain the 3D scan of a road scene, using the LiDAR sensor Riegl VMX-1HA mounted on a car. Then, we obtain the laser beam directions by computing the normalized vectors from the origin (LiDAR) pointing to the scanned points. This fixed set of ray directions are then used for rendering our synthetic objects throughout the paper. Note that we can also manually set ray directions given sensor specifications, but it will be less real, because it may not model the noises and fluctuations that occur in a real LiDAR sensor.

Hybrid rendering of synthetic objects onto a realistic background

Given the ray directions reconstructed from the background point cloud, a subset will intersect with the object, forming the point cloud for the object of interest. The corresponding background points are then removed since these background points are occluded by the foreground object. In this way, we obtain a semi-real synthetic point cloud scene: the background points come from the captured real data; the foreground points are physically accurate simulated based on the collected real data.
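The hybrid rendering step (ray directions taken from the captured scan, intersection with the inserted mesh, depth test against the background return) is shown below as an added Python example; it is not the paper's renderer and is a plain forward simulation. The Möller-Trumbore intersection routine, the flat-road background, the cube placement and all names are assumptions made for the example.

```python
import math


def sub(a, b):
    return (a[0] - b[0], a[1] - b[1], a[2] - b[2])


def dot(a, b):
    return a[0] * b[0] + a[1] * b[1] + a[2] * b[2]


def cross(a, b):
    return (a[1] * b[2] - a[2] * b[1],
            a[2] * b[0] - a[0] * b[2],
            a[0] * b[1] - a[1] * b[0])


def ray_triangle(direction, tri, eps=1e-9):
    """Moller-Trumbore test for a ray leaving the sensor at the origin.

    Returns the distance along the ray to the triangle, or None on a miss.
    """
    v0, v1, v2 = tri
    e1, e2 = sub(v1, v0), sub(v2, v0)
    p = cross(direction, e2)
    det = dot(e1, p)
    if abs(det) < eps:                      # ray parallel to the triangle plane
        return None
    t_vec = sub((0.0, 0.0, 0.0), v0)
    u = dot(t_vec, p) / det
    if u < 0.0 or u > 1.0:
        return None
    q = cross(t_vec, e1)
    v = dot(direction, q) / det
    if v < 0.0 or u + v > 1.0:
        return None
    t = dot(e2, q) / det
    return t if t > eps else None


def cube_triangles(center, edge):
    """Twelve triangles of an axis-aligned cube (the inserted object)."""
    h = edge / 2.0
    c = [(center[0] + sx * h, center[1] + sy * h, center[2] + sz * h)
         for sx in (-1, 1) for sy in (-1, 1) for sz in (-1, 1)]
    quads = [(0, 1, 3, 2), (4, 5, 7, 6),    # faces at x = -h and x = +h
             (0, 1, 5, 4), (2, 3, 7, 6),    # faces at y = -h and y = +h
             (0, 2, 6, 4), (1, 3, 7, 5)]    # faces at z = -h and z = +h
    tris = []
    for a, b, d, e in quads:
        tris.append((c[a], c[b], c[d]))
        tris.append((c[a], c[d], c[e]))
    return tris


def hybrid_render(background, triangles):
    """Insert a mesh into a captured scan using the scan's own ray directions.

    Returns (scene_points, hit_indices); scene_points[i] replaces background[i]
    only when the mesh is closer to the sensor than the background return.
    """
    scene, hits = [], []
    for i, pt in enumerate(background):
        rng = math.sqrt(dot(pt, pt))
        d = (pt[0] / rng, pt[1] / rng, pt[2] / rng)
        dists = [t for t in (ray_triangle(d, tri) for tri in triangles)
                 if t is not None]
        if dists and min(dists) < rng:      # depth test: object occludes background
            t = min(dists)
            scene.append((t * d[0], t * d[1], t * d[2]))
            hits.append(i)
        else:
            scene.append(pt)
    return scene, hits


def flat_ground_scan(sensor_height=1.7):
    """Constructed background: returns from a flat road below the sensor."""
    pts = []
    for elev_deg in range(2, 25):           # beams pointing 2..24 degrees down
        for az_half_deg in range(-20, 21):  # azimuth -10..10 degrees, 0.5 degree step
            e, a = math.radians(-elev_deg), math.radians(az_half_deg / 2.0)
            d = (math.cos(e) * math.cos(a), math.cos(e) * math.sin(a), math.sin(e))
            t = -sensor_height / d[2]
            pts.append((t * d[0], t * d[1], t * d[2]))
    return pts


if __name__ == "__main__":
    bg = flat_ground_scan()
    on_road = cube_triangles((8.0, 0.0, -1.45), 0.5)   # 50 cm cube resting on the road
    buried = cube_triangles((8.0, 0.0, -3.0), 0.5)     # same cube below the road
    print(len(hybrid_render(bg, on_road)[1]), "background points replaced")
    print(len(hybrid_render(bg, buried)[1]), "replaced when the cube is below ground")
```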

4.3 Differentiable proxy function for feature aggregation

As in Section 3, in the preprocessing of Apollo, it aggregates the point cloud into hardcoded 2D features, including count, max height, mean height, intensity and non-empty. These operations are non-differentiable. In order to apply end-to-end optimizers to for our synthetic object , we need to flow the gradient through the feature aggregation step, with the help of our proxy functions.

Given a point cloud with coordinate , and we hope to count the number of points falling into the cells of a 3D grid . For a point with location, we increase the count of 8 cells: the centers of these 8 cells form a cube, and the point is inside this cube. Specifically, we increase the count of 8 cells using trilinear weights:


where are the indices of the 8-pixel neighbors at location and represents the distance. The count feature is the value computed for each grid . Note that this feature is no longer an integer and can have non-zero gradients w.r.t. the point coordinates.

We then use this “soft count” feature to further compute “mean height” and “max height” features. For simplicity, we first define a constant height matrix , where . This matrix stores the height of each cell. Next, we can formulate the mean height and max height using soft count :


where to prevent zero denominators. Note that the function is non-differentiable, so we approximate the gradient using during back propagation. The feature intensity has the similar formulation of height so we omit them here. The feature non-empty is formulated as .

We denote the above trilinear approximator as , in contrast to the original non-differentiable preprocessing step . A visualization of output of our compared to the original is shown in Sec. C. Since our approximation introduces differences in counting, is not strictly equal to , resulting in different values of the final model prediction. We observe that this difference will raise new challenges to transfer the adversarial object generated based on to . To solve this problem, we reduce the difference between and , by replacing the L1 distance in Eq. 1 with where . We name this approximation “tanh approximator” and denote it . We observe that the input difference between and the original is largely reduced compared to , allowing for smaller errors of the model predictions and better transferability. To extend our approximator and further reduce the gap between and

, we interpolate the distance:

, where is a hyper-parameter balancing the accuracy of approximation and the availability of gradients.

4.4 Objective functions

Our objective is to generate a synthetic adversarial object from an original object by perturbing its vertices, such that the LiDAR-based detection model will make incorrect predictions. We first optimize against the semi-real simulator detection model .


The objective function consists of two losses. is the adversarial loss to achieve the target goals while the is the distance loss to keep the properties of the “realistic” adversarial 3D object . We optimize the objective function by manipulating the vertices. The distance loss is defined as follows:


where represents the displacement between the adversarial vertex and pristine vertex .

is the hyperparameter balancing these two losses. The first losses 

Xiao et al. (2018c) is a Laplacian loss preserving the smoothness of the perturbation applied on the adversarial object . The second part is the distance loss to limit the magnitude of perturbation.

Objective: hide the inserted adversarial object

As introduced in the background section, the existence of the object highly depends on the “positiveness” metric. denotes a function extracting metric from the model given an object . is the mask of the target object’s bounding box. Our adversarial loss is represented as follows:

Objective: changing label

In order to change the predicted label of the object, it needs to increase the logits of the target label and decrease the logits of the ground-truth label. Moreover, it also needs to preserve the high positiveness. Based on this, our adversarial loss is written as


In order to ensure that adversarial behaviors still exist when the settings are slightly different, we create robust adversarial objects that can perform successful attacks within a range of settings, such as different object orientations, different positions to the LiDAR sensor etc. To achieve this goal, we sample a set of physical transformations to optimize the loss expectation. In reality, we create a victim set by rendering the object at different positions and orientations. Instead of optimizing an adversarial object by attacking a single position and orientation, we generate a universal adversarial object to attack all positions and orientations in the victim set .

4.5 Blackbox Attack

In reality, it is possible that the attackers do not have complete access to the internal model parameters, i.e. the model is a black box. Therefore, in this subsection, we also develop an evolution-based approach to perform blackbox attack.

In evolution, a set of individuals represent the solutions in the search space, and the fitness score defines how good the individuals are. In our case, the individuals are mesh vertices of our adversarial object, and the fitness score is . We initialize mesh vertices using the benign object . For each iteration, new population of

mesh vertices are generated by adding random perturbations, drawn from a Gaussian distribution

, to each mesh vertices in the old population. mesh vertices with top fitness scores will remain for the next iteration, while the others will be replaced. We iterate the process until we find a valid solution or reach a maximum number of steps.

5 Experiments

In this section, we first expose the vulnerability of the LiDAR-based detection system via the evolution-based blackbox algorithm by achieving the goal of “hiding object”, because missing obstacles can cause accidents in real life. We then show the qualitative results and quantitative results of LiDAR-Adv under whitebox settings. In addition, we also show that LiDAR-Adv can achieve other adversarial goals such as “changing label”. Moreover, the point clouds are continuously captured in real life, so attacks in a single static frame may not have much effect in real-world cases. Therefore, in our experiments, we generate a universal robust adversarial object against a victim dataset which consists of different orientations and positions. We 3D-print such universal adversarial object and conduct the real-world drive-by experiments, to show that they indeed can pose a threat on road.

5.1 Experimental setup

We conduct the evaluation on the perception module of Baidu Apollo Autonomous Driving platform (V2.0). We initialize the adversarial object as a resampled 3D cube-shaped CAD model using MeshLab Cignoni et al. (2008). For rendering, we implement a fully differential LiDAR simulator with predefined laser beam ray directions extracted from a real scene captured by the Velodyne HDL-64E sensor, as stated in § 4.2. It has around 2000 angles in the azimuth angle and around 60 angles in the elevation angle. We use Adam optimizers Kingma and Ba (2014), and choose as in Eq. 3 using binary search. For the evolution-based blackbox algorithm , we choose , and .

5.2 Vulnerability analysis

Here, we first show the existence of the vulnerability using our evolution-based blackbox attacks, with the goal of “hiding object”. We generate adversarial objects in different size (50cm and 75cm in edge length). For each object, we select 45 different position and orientation pairs for evaluation, and the results are shown in Table 1. The results indicate that the LiDAR-based detection system is vulnerable. The visualization of the adversarial object is shown in Figure 3(a) and (c).

5.3 LiDAR-Adv with different adversarial goals

Figure 3: Adversarial meshes of different sizes can fool the detectors even with more LiDAR hits. We generate the object with LiDAR-Adv and evolution-based method (Evo.). Panels: (a) 50cm: Evo.; (b) LiDAR-Adv; (c) 75cm: Evo.; (d) LiDAR-Adv.

After showing the vulnerability of the LiDAR-based detection system, here we focus on whitebox settings to explore what a powerful adversary can do, since “the design of a system should not require secrecy” (Shannon, 1949). Therefore, we evaluate the effectiveness of our whitebox attack LiDAR-Adv with the goal of “hiding object”. We also evaluate the feasibility of LiDAR-Adv to achieve another goal of “changing label”.

Hiding object

| Attacks | Object size 50cm | Object size 75cm |
| --- | --- | --- |
| LiDAR-Adv | 32/45 (71%) | 23/45 (51%) |
| Evolution-based | 28/45 (62%) | 16/45 (36%) |

Table 1: Attack success rate of LiDAR-Adv and evolution based method under different settings.

We follow the same settings as in the above sections, and Table 1 shows the results. We find that LiDAR-Adv can achieve 71% attack success rate with size 50cm. The attack success rate is consistently higher than the evolution-based blackbox attacks. Figure 3 (b) and (c) show the visualizations of the adversarial objects. We visually observe that the adversarial objects generated by LiDAR-Adv are smoother than that of evolution.

Changing label

The result shown in Figure 4 indicates that we can successfully change the label of the object. We also experiment with different initial shapes and target labels. More details can be found in Sec. D.

Figure 4: The adversarial mesh generated by LiDAR-Adv is mis-detected as a “Pedestrian”. Panels: (a) 3D mesh (Benign); (b) Predictions (Benign); (c) 3D mesh (Adv.); (d) Predictions (Adv.).

5.4 LiDAR-Adv on generating robust physical adversarial objects

To ensure the generated LiDAR-Adv preserves adversarial behaviors under various physical conditions, we optimize the object by sampling a set of physical transformations such as possible positions and orientations. We show that the generated robust adversarial object is able to achieve the attack goal of hiding object with a high success rate in Table 2. An interesting phenomenon is that some attack performance under the unseen settings is even better than that within the controlled environment. This implies that our adversarial objects are robust enough to generalize to unseen settings.

| Attack | Controlled setting: Distance (cm) & Orientation (°) | Unseen setting: Distance 0-50 cm | Unseen setting: Distance 50-100 cm | Unseen setting: Orientation 0-5° | Unseen setting: Orientation 0-10° |
| --- | --- | --- | --- | --- | --- |
| | 41/45 | 96/100 | 91/100 | 10/10 | 9/10 |
| | 43/45 | 96/100 | 90/100 | 8/10 | 10/10 |

Table 2: Attack success rates of LiDAR-Adv at different positions and orientations under both controlled and unseen settings.

Furthermore, we evaluate the generated robust adversarial object in the physical world by 3D printing the generated object. We collect the point cloud data using a Velodyne HDL-64E sensor with a real car driving by and evaluate the collected traces on the LiDAR perceptual module of Baidu Apollo. As shown in Figure 4(a), we find that the adversarial object is not detected around the target position among all 36 different frames. To compare, the box object (in Figure 4(b)) is detected in 12 frames among all 18 frames. The number of total frames is different due to the different vehicle speed. More details can be found in Sec. D.

Figure 5: Results of physical attack. Our 3D-printed robust adversarial object by LiDAR-Adv is not detected by the LiDAR-based detection system in a moving car. Row 1 shows the point cloud data collected by LiDAR sensor, and Row 2 presents the corresponding images captured by a dash camera. Panels: (a) Adversarial object; (b) Benign object.

6 Conclusion

We show that LiDAR-based detection systems for autonomous driving are vulnerable against adversarial attacks. By integrating our proxy differentiable approximator, we are able to generate robust physical adversarial objects. We show that the adversarial objects are able to attack the Baidu Apollo system at different positions with various orientations. We also show LiDAR-Adv can generate much smoother object than evolution based attack algorithm. Our findings raise great concerns about the security of LiDAR systems in AV, and we hope this work will shed light on potential defense methods.


Appendix A Differential Renderer

LiDAR Simulation

The renderer simulates the physics of a LiDAR sensor that probes the objects in the scene by casting laser rays: , with representing the direction of the -th ray. Given a shape with the surface as input, the renderer computes the intersections of rays to the mesh faces in the scene. For each ray , the intersection coordinate are computed through depth testing (assuming the center of the rays is at origin, i.e. the reference frame of LiDAR):

Object insertion

Notice that we have a predefined set of rays . To obtain these rays, one can refer to the specifications of a LiDAR device. In our paper, we directly compute the directions from the captured background point cloud , so that the rays are close to real world cases:


With this, Eq. (7) becomes:


This means when rays intersect with an object, the corresponding background points blocked by the above-ground parts of the object are removed during depth testing; if the object is below the ground, the intersections leave those corresponding background points intact also due to depth testing. In this way, we obtain a semi-real synthetic point cloud scene: the background points come from the captured real data; the foreground points are physically accurate simulations based on the captured real data.
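The depth test described above, as an added example that is not the paper's renderer. It assumes ray directions are obtained by normalizing each captured background point, uses Möller–Trumbore ray/triangle intersection, and runs on a constructed scene (a panel that extends below flat ground); all function and variable names are hypothetical.

```python
import math

def sub(a, b): return (a[0]-b[0], a[1]-b[1], a[2]-b[2])
def dot(a, b): return a[0]*b[0] + a[1]*b[1] + a[2]*b[2]
def cross(a, b):
    return (a[1]*b[2]-a[2]*b[1], a[2]*b[0]-a[0]*b[2], a[0]*b[1]-a[1]*b[0])

def ray_triangle(d, tri, eps=1e-9):
    """Moller-Trumbore test for a ray from the origin (the LiDAR frame) along
    unit direction d. Returns the hit distance, or None on a miss."""
    v0, v1, v2 = tri
    e1, e2 = sub(v1, v0), sub(v2, v0)
    p = cross(d, e2)
    det = dot(e1, p)
    if abs(det) < eps:               # ray parallel to the face
        return None
    s = sub((0.0, 0.0, 0.0), v0)
    u = dot(s, p) / det
    q = cross(s, e1)
    v = dot(d, q) / det
    if u < 0 or v < 0 or u + v > 1:  # intersection lies outside the triangle
        return None
    t = dot(e2, q) / det
    return t if t > eps else None    # ignore hits behind the sensor

def insert_object(background, faces):
    """Cast one ray per captured background point and depth-test it against the mesh."""
    scene = []
    for b in background:
        r = math.sqrt(dot(b, b))
        if r == 0:
            continue                 # a point at the sensor origin defines no ray
        d = (b[0]/r, b[1]/r, b[2]/r) # assumption: ray direction = normalized background point
        hits = [t for t in (ray_triangle(d, f) for f in faces) if t is not None]
        t = min(hits, default=None)
        if t is not None and t < r:  # object is in front: the background point is occluded
            scene.append((d[0]*t, d[1]*t, d[2]*t))
        else:                        # miss, or the hit lies beyond the background (below ground)
            scene.append(b)
    return scene

# Constructed scene: sensor 1.7 m above flat ground, a 1 m wide panel at x = 5 m
# reaching from 0.5 m below the ground (z = -2.2) to 0.7 m above it (z = -1.0).
A, B, C, D = (5, -.5, -2.2), (5, .5, -2.2), (5, .5, -1.0), (5, -.5, -1.0)
PANEL = [(A, B, C), (A, C, D)]
GROUND = [(4, 0, -1.7), (6, 0, -1.7), (10, 0, -1.7), (6, 3, -1.7)]

if __name__ == "__main__":
    for before, after in zip(GROUND, insert_object(GROUND, PANEL)):
        print(before, "->", tuple(round(c, 3) for c in after))
```

Only the second ground point is replaced by a foreground return. The first ray does hit the panel, but in its below-ground part and farther away than the ground point, so the background return survives.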

Appendix B Background

b.1 LiDAR perception system

Detailed machine learning model input features and machine learning model output metrics are shown in Table C and Table D.

| Feature | Description |
| --- | --- |
| Max height | Maximum height of points in the cell. |
| Max intensity | Intensity of the highest point in the cell. |
| Mean height | Mean height of points in the cell. |
| Mean intensity | Mean intensity of points in the cell. |
| Count | Number of points in the cell. |
| Direction | Angle of the cell’s center with respect to the origin. |
| Distance | Distance between the cell’s center and the origin. |
| Non-empty | Binary value indicating whether the cell is empty or occupied. |

Table C: Machine learning model input features extracted in the preprocessing phase.
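A sketch of how the eight Table C features can be computed per cell, added here as an example and not taken from Apollo or the paper. The grid size, cell size, zero values for empty cells, and all names are assumptions; the sample points are constructed.

```python
import math

def bev_features(points, cell=1.0, extent=4.0):
    """Bin (x, y, z, intensity) points into a square bird's-eye-view grid centred
    on the sensor and return the eight Table C features for every cell."""
    n = int(round(2 * extent / cell))
    bins = {(r, c): [] for r in range(n) for c in range(n)}
    for x, y, z, inten in points:
        r, c = math.floor((y + extent) / cell), math.floor((x + extent) / cell)
        if (r, c) in bins:                      # drop points outside the grid
            bins[(r, c)].append((z, inten))
    grid = {}
    for (r, c), pts in bins.items():
        cx = -extent + (c + 0.5) * cell         # cell centre in the sensor frame
        cy = -extent + (r + 0.5) * cell
        f = {"max_height": 0.0, "max_intensity": 0.0, "mean_height": 0.0,
             "mean_intensity": 0.0, "count": len(pts),
             "direction": math.atan2(cy, cx), "distance": math.hypot(cx, cy),
             "non_empty": int(bool(pts))}       # assumption: empty cells keep zeros
        if pts:
            top = max(pts, key=lambda p: p[0])  # the highest point in the cell
            f["max_height"] = top[0]
            f["max_intensity"] = top[1]         # intensity OF that point, not the cell maximum
            f["mean_height"] = sum(p[0] for p in pts) / len(pts)
            f["mean_intensity"] = sum(p[1] for p in pts) / len(pts)
        grid[(r, c)] = f
    return grid

# Constructed returns: three fall in one cell, the last lies outside the grid.
SAMPLE = [(1.2, 0.3, 0.1, 0.9), (1.7, 0.6, 0.5, 0.2),
          (1.4, 0.9, 0.3, 0.4), (9.0, 0.0, 1.0, 0.5)]

if __name__ == "__main__":
    print(bev_features(SAMPLE)[(4, 5)])
```

In the sample cell the brightest return has intensity 0.9, yet the "Max intensity" feature is 0.2 because it follows the highest point, as the table defines it.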

| Metric | Description |
| --- | --- |
| Center offset () | Offset to predicted center of the cluster the cell belongs to. |
| Objectness () | The probability of a cell belonging to an obstacle. |
| Positiveness () | The confidence score of the detection. |
| Object height () | The predicted object height. |
| th Class Probability () | The probability of the cell being from class (vehicle, pedestrian, etc.). |

Table D: Output metrics of the segmentation model.

Appendix C Generating Adversarial Object Against LiDAR Perception

c.1 Gradient of proxy functions

Figure F visualizes the improvement of our tanh approximator compared to the trilinear approximator in terms of the count feature and the objectness metric. Given object , represents the aggregated feature of the point cloud . represents the model output with respect to metric . We observe that our approximator introduces errors due to the approximation, which ultimately lead to differences in the model output. However, the error of the approximator is largely decreased by using a more accurate approximator . This reduces the error in the model output, as can be seen in Figure F.









Figure F: The performance of trilinear approximator and tanh approximator. The format represents the 2D count feature calculated by trilinear approximator ; represents visualization of the “objectness ” metric in the output of model using trilinear approximator with; - represents the approximator ’s error of . The same notation is used for the tanh approximator.

Appendix D Additional results

d.1 Changing label

We conduct experiments with 3 pristine meshes (cube, sphere, tetrahedron) and set the target label to the other 4 labels except for the original label. The results are shown in Table E, showing that our LiDAR-Adv has a high chance of tricking the detector into outputting the target labels, regardless of the pristine mesh it starts from.

| | Cube | Sphere | Tetrahedron | Cylinder | Overall |
| --- | --- | --- | --- | --- | --- |
| Attack Success Rate | 75% | 100% | 75% | 50% | 75% |

Table E: The attack success rate of the adversarial objects generated using LiDAR-Adv, starting from different types of pristine meshes. The target labels are the other four labels different from the original predictions.

d.1.1 LiDAR-Adv on generating robust physical adversarial objects

In this subsection, we present additional results to evaluate the robustness of the generated objects against different positions and different angles. Doing so provides insight into the performance of our adversarial object in real-world settings, before we 3D-print the object.

(a) Benign frame
(b) Adv (-10°)
(c) Adv (0°)
(d) Adv (10°)
Figure G: The visualization of adversarial object with different angles. In the benign frame (a), the system is able to detect the cube. When we replace the cube with our adversarial object, the system fails to detect the object at all three angles. We visualize the mesh along with the point clouds in a close-up view in (b), (c) and (d).
Angle -10° -5° 10°
Objectness (Confid.) Model
Table F: Robust Adversarial Object against different angles. The original confidence is x. Our success rate is 100%. (✓ represents no object detected)

LiDAR-Adv against different angles

We generate the adversarial objects by attacking 9 angles simultaneously and evaluate the attack success rate among these angles. Our approach achieves 100% attack success rate (Table F) both on our approximate model and the Apollo system. This indicates that our designed differentiable proxy functions are accurate enough to transfer the adversarial behavior to Apollo. Figure G shows qualitative results of the adversarial object from different close-up views. We can observe that the adversarial example is smooth and can be easily reconstructed in the real world.

Figure H: Our adversarial object can successfully attack the detection system, while placed at different positions. The red spheres mark the locations we place the adversarial object.
Figure I: The optimized robust adversarial objects from 6 principal views and a particular view, compared with the original pristine object.
Position Objectness (Confid.) Position Objectness (Confid.) Position Objectness (Confid.)
Ours Apollo Ours Apollo Ours Apollo
(-50, -50) (0, -50) (50, -50)
(-50, 0) (0, 0 ) (50, -50)
(-50, 50) (0, 50) (50, 50)
Table G: Robust Adversarial Object against different positions. The original object can be detected by Apollo. Our success rate is 100%. (✓ represents no object detected)

LiDAR-Adv against different positions

Similarly, we generate a single robust adversarial object against different positions simultaneously, as shown in Figure H. We select 9 positions and use our algorithm to generate a universal robust adversarial example against different positions. Figure I shows 7 views of the generated object from different angles, compared to the original object. This adversarial example is smooth from all views. It shows that our approach is able to achieve the goal while keeping the shape plausible, so we can easily print the object to perform the physical attack. Table G shows the detailed results of our adversarial object against these 9 positions: it can successfully attack the system at all 9 positions.

d.2 Physical experiments

(a) the road where we perform the physical experiment
(b) the benign object for comparison
(c) the car used to collect the dashcam videos and the point clouds
(d) our adversarial object
Figure J: Our physical experiment setting. We 3D-print the generated adversarial object at 1:1, and drive a car mounted with LiDAR and dashcams to collect the scanned point clouds and the reference videos.

We 3D-print our robust adversarial object at 1:1, and drive a real car mounted with LiDAR and dashcams. The adversarial object is put on the road, and a car drives by, collecting scanned point clouds and the reference dashcam videos. For comparison, we also put the benign object, which is a box of the same size, at the same location and follow the same protocol when collecting the point clouds.