Fraud attack detection method, apparatus, device, and storage medium
By using multi-vehicle collaborative identification and abnormal object confirmation, and leveraging regional candidate networks and assistance detection request responses, the problem of LiDAR being vulnerable to deception attacks has been solved, thus improving the driving safety of autonomous vehicles.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- CITY UNIV OF HONG KONG SHENZHEN RES INST
- Filing Date
- 2022-05-24
- Publication Date
- 2026-06-09
AI Technical Summary
In existing technologies, lidar is susceptible to deception attacks, which can cause autonomous vehicles to mistakenly believe that there are objects nearby, thereby affecting driving safety.
By collaboratively identifying multiple autonomous vehicles, anomalies in point cloud data are identified using a regional candidate network. Deception attacks are confirmed by assisting in the detection of requests and responses. The authenticity of anomalies is judged by the spatial range of points and similarity thresholds, thereby improving the accuracy of deception attack detection.
This improves the detection accuracy of lidar deception attacks, ensuring that autonomous driving systems can make more rational decisions and enhance driving safety.
Smart Images

Figure CN117152708B_ABST
Abstract
Description
Technical Field
[0001] This specification relates to the field of autonomous driving technology, and in particular to a method, apparatus, device, and storage medium for detecting deception attacks. Background Technology
[0002] LiDAR (Light Detection and Ranging) is an indispensable driving environment sensor in the perception module of autonomous driving systems, providing real-time three-dimensional (3D) data of the vehicle's surroundings. Due to its active beam emission, LiDAR is less affected by ambient light (e.g., low light) compared to cameras, and the object detection module of autonomous driving systems can directly utilize the 3D data collected by LiDAR for object recognition. In recent years, some researchers have proposed using physical devices to insert points to deceive LiDAR. Due to the inherent limitations of object detection models, these attacks can often mislead the autonomous driving system of a victim vehicle into believing that an object is nearby by inserting a small number of points, causing it to brake suddenly or otherwise compromise driving safety. Summary of the Invention
[0003] The purpose of the embodiments in this specification is to provide a deception attack detection method, apparatus, device, and storage medium to improve the detection accuracy of deception attacks against lidar.
[0004] To achieve the above objectives, in one aspect, embodiments of this specification provide a method for detecting deception attacks, including:
[0005] Obtain the point cloud data currently collected by the LiDAR of this vehicle;
[0006] Identify whether there are abnormal objects in the point cloud data;
[0007] When an abnormal object is found in the point cloud data, a request for assistance in detection, carrying the point cloud data and spatial location of the abnormal object, is broadcast to surrounding vehicles.
[0008] Receive the assistance detection response returned by the surrounding vehicles in response to the assistance detection request;
[0009] The presence of a deception attack on the lidar is determined based on the assistance detection response.
[0010] In the deception attack detection method of this specification embodiment, identifying whether there are abnormal objects in the point cloud data includes:
[0011] The point cloud data is input into a region candidate network to predict a set of object candidate boxes;
[0012] Determine whether the number of points of the candidate objects within each candidate box in the object candidate box set is within the point count space range;
[0013] When the number of points of a candidate object within a candidate box is not within the specified point space range, it is determined whether there are other candidate boxes within the distance range from the candidate object to the lidar.
[0014] If there are no other object candidate boxes within the distance range of the candidate object to the lidar, then the object is confirmed as an abnormal object.
[0015] In the deception attack detection method of this specification, the point space range includes the point space located between the first regression curve and the second regression curve.
[0016] The first regression curve is the regression curve of the minimum value of the number of object points in the field of view of the lidar as a function of detection distance under normal conditions.
[0017] The second regression curve is the regression curve of the maximum value of the number of object points in the field of view of the lidar as a function of detection distance under normal conditions.
[0018] In the deception attack detection method of this specification embodiment, the step of determining whether the lidar is under deception attack based on the assisted detection response includes:
[0019] When an assistance detection response is received within a specified time, and the assistance detection response contains a detection conclusion that the abnormal object does not exist at the spatial location at the corresponding acquisition time, it is confirmed that the abnormal object is a fake object and there is a deception attack against the lidar.
[0020] When an assistance detection response is received within a specified time, and the assistance detection response contains a detection conclusion that the abnormal object exists at the spatial location at the corresponding acquisition time, it is confirmed that the lidar is not under deception attack and the abnormal object is a real object.
[0021] In the deception attack detection method of this specification embodiment, the step of determining whether the lidar is under deception attack based on the assisted detection response further includes:
[0022] When multiple assistance detection responses are received within a specified time, a vote is taken on the detection conclusions among the multiple assistance detection responses;
[0023] The voting results will determine whether the lidar is susceptible to deception attacks.
[0024] In the deception attack detection method of this specification embodiment, after determining whether the lidar is under deception attack based on the assisted detection response, it further includes:
[0025] If the abnormal object is confirmed to be a fake object, indicating a deception attack against the lidar, the detection result for the fake object is discarded.
[0026] On the other hand, the embodiments of this specification also provide another method for detecting deception attacks, including:
[0027] Receive assistance detection requests sent by surrounding vehicles; the assistance detection request carries point cloud data and spatial location of the abnormal object.
[0028] Determine whether there is an object located at the spatial location and whose similarity to the abnormal object reaches the similarity threshold in the point cloud data of the vehicle's lidar at the corresponding acquisition time.
[0029] Generate an assist detection response based on the judgment result;
[0030] Return the assisted detection response.
[0031] In the deception attack detection method of this specification, the step of generating an assist detection response based on the judgment result includes:
[0032] When the point cloud data collected by the vehicle's lidar at a corresponding time contains an object located at the spatial location and whose similarity to the abnormal object reaches a similarity threshold, it is confirmed that the abnormal object exists at the spatial location at the corresponding time of collection.
[0033] Otherwise, confirm that the abnormal object does not exist at the spatial location at the corresponding acquisition time.
[0034] In the deception attack detection method of the embodiments of this specification, the similarity includes structural similarity.
[0035] On the other hand, embodiments of this specification also provide a deception attack detection device, including:
[0036] The acquisition module is used to acquire the point cloud data currently collected by the vehicle's lidar.
[0037] The identification module is used to identify whether there are abnormal objects in the point cloud data;
[0038] The broadcast module is used to broadcast an assistance detection request, carrying the point cloud data and spatial location of the abnormal object, to surrounding vehicles when an abnormal object is found in the point cloud data.
[0039] A receiving module is used to receive the assistance detection response returned by the surrounding vehicles in response to the assistance detection request;
[0040] A determination module is used to determine whether the lidar is subjected to a spoofing attack based on the assisted detection response.
[0041] On the other hand, the embodiments of this specification also provide another deception attack detection device, including:
[0042] The receiving module is used to receive assistance detection requests sent by surrounding vehicles; the assistance detection request carries point cloud data and spatial location of the abnormal object.
[0043] The judgment module is used to determine whether there is an object located at the spatial location and whose similarity to the abnormal object reaches the similarity threshold in the point cloud data of the vehicle's lidar at the corresponding acquisition time.
[0044] The generation module is used to generate an assist detection response based on the judgment result;
[0045] The return module is used to return the assisted detection response.
[0046] On the other hand, embodiments of this specification also provide a computer device, including a memory, a processor, and a computer program stored in the memory, wherein the computer program, when run by the processor, executes instructions for the above-described method.
[0047] On the other hand, embodiments of this specification also provide a computer storage medium storing a computer program thereon, which, when run by the processor of a computer device, executes instructions for the above-described method.
[0048] On the other hand, embodiments of this specification also provide a computer program product, which includes a computer program that, when run by a processor, executes instructions for the methods described above.
[0049] As can be seen from the technical solutions provided in the embodiments of this specification above, in these embodiments, when any autonomous vehicle identifies an abnormal object based on the point cloud data currently collected by its own LiDAR, it can broadcast an assistance detection request carrying the point cloud data and spatial location corresponding to the abnormal object to surrounding vehicles. On this basis, when it receives the assistance detection response returned by the surrounding vehicles in response to the assistance detection request, it can further verify whether its own LiDAR is being spoofed, thereby improving the detection accuracy of LiDAR spoofing attacks. This allows the autonomous driving system to make more reasonable decisions based on the accurate detection results, which is beneficial to improving the driving safety of autonomous vehicles. Attached Figure Description
[0050] To more clearly illustrate the technical solutions in the embodiments or prior art of this specification, the drawings used in the description of the embodiments or prior art will be briefly introduced below. Obviously, the drawings described below are only some embodiments recorded in this specification. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort. In the drawings:
[0051] Figure 1 Flowcharts of deception attack detection methods in some embodiments of this specification are shown;
[0052] Figure 2 This specification illustrates a schematic diagram of using two vehicles to detect spoofing attacks in some embodiments of this specification;
[0053] Figure 3 It shows Figure 1 The flowchart shown in the embodiment is for identifying whether there are abnormal objects in the point cloud data;
[0054] Figure 4 Flowcharts of deception attack detection methods in other embodiments of this specification are shown;
[0055] Figure 5 Flowcharts of deception attack detection methods in other embodiments of this specification are shown;
[0056] Figure 6 This specification shows a structural block diagram of a deception attack detection device in some embodiments;
[0057] Figure 7 Block diagrams of deception attack detection devices in other embodiments of this specification are shown;
[0058] Figure 8 A structural block diagram of a computer device in some embodiments of this specification is shown.
[0059] [Explanation of Labels in the Attached Image]
[0060] 10. The first vehicle;
[0061] 20. The second vehicle;
[0062] 61. Acquisition Module;
[0063] 62. Identification module;
[0064] 63. Broadcast module;
[0065] 64. Receiving module;
[0066] 65. Determine the module;
[0067] 71. Receiving module;
[0068] 72. Judgment module;
[0069] 73. Generation Module;
[0070] 74. Return to module;
[0071] 802. Computer equipment;
[0072] 804, Processor;
[0073] 806. Memory;
[0074] 808. Drive mechanism;
[0075] 810. Input / output interfaces;
[0076] 812. Input devices;
[0077] 814. Output devices;
[0078] 816. Presentation equipment;
[0079] 818. Graphical User Interface;
[0080] 820. Network interface;
[0081] 822. Communication link;
[0082] 824. Communication bus. Detailed Implementation
[0083] To enable those skilled in the art to better understand the technical solutions in this specification, the technical solutions in the embodiments of this specification will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of this specification, and not all embodiments. Based on the embodiments in this specification, all other embodiments obtained by those skilled in the art without creative effort should fall within the scope of protection of this specification.
[0084] Autonomous driving systems rely on the collaborative efforts of artificial intelligence, computer vision, radar, monitoring devices, and navigation and positioning systems to automatically and safely control vehicles (i.e., self-driving vehicles) without any active human intervention. Autonomous driving systems often use lidar (LiDAR) to detect the driving environment around the vehicle. In recent years, researchers have proposed many machine learning models that can accurately measure the depth of objects and detect them using collected data. However, the application of these models introduces new vulnerabilities that may compromise the safety of autonomous vehicles. For example, lidar can be attacked (e.g., by physically deceiving it through insertion points), causing the data provided to the machine learning model to become inaccurate (e.g., generating false object detection results). This could affect the accuracy of object detection in the machine learning model, thereby impacting the safety of the autonomous vehicle. Therefore, accurately detecting deception attacks against lidar has become a pressing technical problem to be solved.
[0085] In view of this, the embodiments of this specification provide a new deception attack detection scheme, which can be applied to multi-vehicle scenarios, i.e., the cooperation of the autonomous driving systems of multiple (e.g., two or more) autonomous vehicles, where multiple autonomous vehicles use LiDAR as the driving environment perception module. When multiple autonomous vehicles are close to each other, the corresponding multiple LiDARs can collect partially overlapping driving environment data, and then collaboratively identify whether the LiDARs have been subjected to a deception attack. Therefore, spacing conditions can be preset. For example, the distance between multiple LiDARs can be set to not exceed a specified distance (e.g., 5 meters, 8 meters, 10 meters, etc.), and the specified distance can be appropriately set according to the actual situation in specific implementation.
[0086] It should be noted that the deception attack detection scheme in the embodiments of this specification can refer to a deception attack using physical devices. This type of attack typically uses a photodiode to receive the laser beam emitted by a lidar, and after a certain time delay, uses a transmitting device to return the laser beam to the lidar's receiver. This achieves the effect of inserting multiple points that were not originally present (i.e., false points) at specified locations in normal point cloud data. This attack method has two characteristics: first, the number of inserted points (0-200) is significantly less than the number of points in a normal object; second, due to limitations in the attack equipment, a deception attacker can generally only attack one vehicle at a time. Therefore, when multiple autonomous vehicles collaboratively identify deception attacks, it can help achieve more accurate identification results.
[0087] This specification provides a method for detecting deception attacks, which can be applied to the autonomous driving system of autonomous vehicles. (See also...) Figure 1 As shown, in some embodiments, the deception attack detection method may include the following steps:
[0088] Step 101: Obtain the point cloud data currently collected by the LiDAR of this vehicle.
[0089] Step 102: Identify whether there are any abnormal objects in the point cloud data.
[0090] Step 103: When an abnormal object is found in the point cloud data, broadcast an assistance detection request carrying the point cloud data and spatial location of the abnormal object to surrounding vehicles.
[0091] Step 104: Receive the assistance detection response returned by the surrounding vehicles in response to the assistance detection request.
[0092] Step 105: Determine whether the lidar is under spoofing attack based on the assisted detection response.
[0093] Based on the deception attack detection method of the embodiments of this specification, when any autonomous vehicle identifies an abnormal object based on the point cloud data currently collected by its own LiDAR, it can broadcast an assistance detection request carrying the point cloud data and spatial location of the abnormal object to surrounding vehicles. On this basis, when it receives the assistance detection response returned by the surrounding vehicles in response to the assistance detection request, it can further verify whether its own LiDAR is under deception attack based on the assistance detection response, thereby improving the detection accuracy of deception attacks against LiDAR. This allows the autonomous driving system to make more reasonable decision-making based on the accurate detection results, which is conducive to improving the driving safety of autonomous vehicles.
[0094] For any autonomous vehicle that is in an activated state (e.g., in motion), LiDAR can collect point cloud data in real time to characterize the driving environment surrounding the vehicle. For the autonomous driving system of this vehicle, this autonomous vehicle is referred to as "this vehicle," while other autonomous vehicles located around it are referred to as "surrounding vehicles."
[0095] In some situations, there may be one or more autonomous vehicles around an autonomous vehicle that meet the spacing requirements. For example, Figure 2In the illustrated embodiment, both the first vehicle 10 and the second vehicle 20 are autonomous vehicles. For the first vehicle 10, there is an autonomous vehicle (i.e., the second vehicle 20) surrounding it; and for the second vehicle 20, there is also an autonomous vehicle (i.e., the first vehicle 10) surrounding it. In other cases, there may be no autonomous vehicles meeting the distance requirements around an autonomous vehicle. In this case, the detection result of whether there is a deception attack targeting the LiDAR can be directly determined based on the identification result of whether there are abnormal objects in the point cloud data of the LiDAR. Specifically, if abnormal objects are present, it is considered that there is a deception attack targeting the LiDAR; if no abnormal objects are present, it is considered that there is no deception attack targeting the LiDAR.
[0096] Combination Figure 3 As shown, in some embodiments, identifying whether there are abnormal objects in the point cloud data may include the following steps:
[0097] Step 301: Input the point cloud data into the region candidate network to predict the set of object candidate boxes.
[0098] A Region Proposal Network (RPN) is a pre-trained neural network model that generates object candidate boxes based on point cloud data. These candidate boxes represent regions where objects may exist (i.e., they represent the features of the relationships between points within these regions of point cloud data). They serve as an intermediate result in object detection tasks, with the final result being selected from these candidate boxes. Each candidate box is used to select a region where an object may exist. In a typical driving environment, there are usually regions where multiple objects (such as pedestrians and vehicles) may exist. Therefore, inputting point cloud data into the RPN yields multiple candidate boxes, forming a candidate box set.
[0099] Step 302: Determine whether the number of points of the candidate objects in each candidate box in the object candidate box set is within the point space range.
[0100] The working principle of a lidar system is to emit a laser beam. When the laser beam encounters an obstacle, it is scattered and reflected, and a portion of the light wave is received by the lidar's receiver. The lidar calculates the return time of the laser beam to determine the distance between itself and the obstacle. The lidar continuously rotates, constantly emitting laser pulses to scan the surrounding objects, thereby modeling the surrounding environment. Under this working principle, more laser beams from nearby objects are received, while fewer laser beams from distant objects return due to distance or scattering. This results in a denser distribution of points for objects closer to the lidar and a sparser distribution for objects farther away. In short, due to the characteristics of lidar, the number of points for objects closer to the lidar in the point cloud data is denser, and the number of points for objects farther away is sparser. Therefore, under normal circumstances (e.g., without obstruction or spoofing attacks), the number of points of objects appearing in the lidar's field of view in the point cloud should follow a distribution pattern that decreases with distance from near to far.
[0101] Meanwhile, because objects in the lidar's field of view face the lidar at different angles, the scanned surfaces differ, and the number of points for the same object at the same distance may vary. Therefore, the maximum and minimum point counts for objects at the same distance from the lidar can be pre-modeled based on the angle. This means that a regression curve showing the minimum point count of an object in the lidar's field of view as a function of distance, and a regression curve showing the maximum point count as a function of distance, can be pre-plotted. The space between these two regression curves is the preset point count space range (i.e., the normal point count space range). Research shows that the number of points for fake objects inserted into the point cloud of an attacked vehicle is almost always sparse, not conforming to the expected point count of real objects at their location, i.e., not following the aforementioned distribution pattern. Thus, by pre-setting the point count space range, it is helpful to identify whether the lidar has been subjected to a deception attack.
[0102] In some embodiments, the two regression curves mentioned above can be obtained using simulation modeling with an autonomous driving simulator (such as Carla). Furthermore, since the parameters of the LiDAR in the autonomous driving simulator are adjustable (such as rotation frequency, number of laser beams emitted per second, etc.), this method allows for offline acquisition of regression curves for different LiDAR models (i.e., obtaining the spatial range of point counts for different LiDAR models), thereby making the deception attack detection method of the embodiments in this specification more applicable.
[0103] In most cases, there may be multiple object candidate boxes in the object candidate box set. When there are multiple object candidate boxes in the object candidate box set, it is necessary to check whether the number of points of the candidate objects in each object candidate box is within the point space range.
[0104] Among them, the point cloud data collected by the lidar is a massive collection of points representing the surface characteristics of an object. For each candidate object within the candidate box, the surface of the candidate object is also composed of some points, and the number of these points is the number of points of the candidate object.
[0105] Step 303: When the number of points of a candidate object within a candidate object frame is not within the point space range, determine whether there are other candidate object frames within the distance range from the candidate object to the lidar.
[0106] Step 304: If there are no other object candidate boxes within the distance range of the candidate object to the LiDAR, then the object is confirmed as an abnormal object.
[0107] By determining whether other object candidate boxes exist within the distance range of the candidate object to the LiDAR, it can be used to determine whether the candidate object is occluded. If other object candidate boxes exist within the distance range of the candidate object to the LiDAR, it indicates that the number of points corresponding to the candidate object is less than the normal point count range, due to occlusion (i.e., occluded by candidate objects within the aforementioned other object candidate boxes). Otherwise, the candidate object can be considered an anomalous object. Anomalous objects have a high probability of being false objects. Until further confirmation, they will be temporarily referred to as anomalous objects.
[0108] To improve the accuracy of spoofing attack detection, when an abnormal object is found in the point cloud data, a request for assistance in detection, carrying the point cloud data and spatial location of the abnormal object, can be broadcast to surrounding vehicles to request their assistance in detection (the assistance processing logic for other surrounding vehicles will be described in detail below). In other embodiments, the method of sending the assistance detection request can be replaced by multicast or other communication methods, as needed.
[0109] In autonomous driving scenarios, real-time performance is extremely important. Therefore, a short assistance detection response wait time can be preset. If an assistance detection response is received within this wait time, it can be used to determine whether the LiDAR is being used in a deception attack. Furthermore, the detection conclusion in the assistance detection response may be: the anomalous object exists at the spatial location at the corresponding acquisition time, or the anomalous object does not exist at the spatial location at the corresponding acquisition time.
[0110] As explained above, due to limitations in the attack equipment, a deception attacker can typically only target one vehicle at a time. Therefore, when an autonomous vehicle detects an unusual object at a specific spatial location at a given moment:
[0111] If the abnormal object is inserted by a deception attack, then the surrounding vehicles should not be able to detect the abnormal object at the spatial location at the corresponding acquisition time. Therefore, when an assistance detection response is received within a specified time, and the assistance detection response contains the detection conclusion that the abnormal object does not exist at the spatial location at the corresponding acquisition time, it can be confirmed that the abnormal object is a fake object and there is a deception attack targeting the lidar.
[0112] If the abnormal object is a real object, then the surrounding vehicles should also be able to detect the abnormal object at the spatial location at the corresponding acquisition time. Therefore, when an assistance detection response is received within a specified time, and the assistance detection response contains the detection conclusion that the abnormal object exists at the spatial location at the corresponding acquisition time, it can be confirmed that the lidar is not under deception attack, that is, the abnormal object is a real object.
[0113] Therefore, determining whether the lidar is under spoofing attack based on the assisted detection response can include the following situations:
[0114] (1) When an assistance detection response is received within a specified time (i.e., the assistance detection response waiting time mentioned above), and the assistance detection response contains the detection conclusion that there is no abnormal object at the spatial location at the corresponding acquisition time, it can be confirmed that the abnormal object is a fake object and there is a deception attack against the lidar.
[0115] (2) When an assist detection response is received within a specified time, and the assist detection response contains the detection conclusion that the abnormal object exists at the spatial location at the corresponding acquisition time, it can be confirmed that the lidar is not under deception attack, that is, the abnormal object is a real object.
[0116] (3) When multiple assisted detection responses are received within a specified time, a vote is taken on the detection conclusions of the multiple assisted detection responses; the presence of a deception attack on the lidar is determined based on the voting results. When multiple assisted detection responses are received within a specified time, there may be situations where the detection conclusions of the multiple assisted detection responses are not completely consistent. Therefore, a row-based voting method can be used to decide the final detection conclusion. In some embodiments, a majority vote method can be used to decide the final detection conclusion.
[0117] For example, if vehicle A receives multiple assist detection responses within a specified time: assist detection response X returned by vehicle B, assist detection response Y returned by vehicle C, and assist detection response Z returned by vehicle D. If the detection conclusions of assist detection responses X and Y are: the abnormal object exists at the spatial location at the corresponding acquisition time, and the detection conclusion of assist detection response Z is: the abnormal object does not exist at the spatial location at the corresponding acquisition time; then the vote for the detection conclusion that the abnormal object exists at the spatial location at the corresponding acquisition time is 2 votes, and the vote for the detection conclusion that the abnormal object does not exist at the spatial location at the corresponding acquisition time is 1 vote. Obviously, 2>1. Therefore, it can be confirmed that the final detection conclusion is that the abnormal object exists at the spatial location at the corresponding acquisition time, thus confirming that the abnormal object is a real object, and the corresponding lidar is not subject to deception attack.
[0118] (4) If no assistance detection response is received within the specified time, the abnormal object can be directly identified as a fake object, indicating a deception attack against the lidar.
[0119] This specification provides another method for detecting deception attacks, which can be applied to the autonomous driving system of autonomous vehicles. (See also...) Figure 4 As shown, in some embodiments, the deception attack detection method may include the following steps:
[0120] Step 401: Obtain the point cloud data currently collected by the LiDAR of this vehicle.
[0121] Step 402: Identify whether there are any abnormal objects in the point cloud data.
[0122] Step 403: When an abnormal object is found in the point cloud data, broadcast an assistance detection request carrying the point cloud data and spatial location of the abnormal object to surrounding vehicles.
[0123] Step 404: Receive the assistance detection response returned by the surrounding vehicles in response to the assistance detection request.
[0124] Step 405: Determine whether the lidar is under spoofing attack based on the assisted detection response.
[0125] Step 406: If it is confirmed that the abnormal object is a fake object and there is a deception attack against the lidar, discard the detection result of the fake object.
[0126] When the abnormal object is confirmed to be a fake object, indicating a deception attack targeting the lidar, discarding the detection results for the fake object can prevent emergency braking decisions caused by mistaking the fake object for a real object. This improves the driving safety of the autonomous vehicle and avoids unnecessary energy consumption increases due to emergency braking. Discarding the detection results for the fake object can, for example, involve deleting or ignoring the detection results.
[0127] The above-described examples of deception attack detection methods all use the autonomous driving system of the autonomous vehicle sending the assistance detection request as the execution subject. To facilitate a clearer and more complete understanding of the entire deception attack detection processing logic, the following describes another deception attack detection method using the autonomous driving system of the autonomous vehicle returning the assistance detection response as the execution subject. (Reference) Figure 5 As shown, in some embodiments, the deception attack detection method may include the following steps:
[0128] Step 501: Receive assistance detection requests sent by surrounding vehicles; the assistance detection requests carry point cloud data and spatial location information of the abnormal object.
[0129] Considering the dynamic changes in the driving environment, the point cloud data collected by LiDAR at different sampling times is generally different. Therefore, the point cloud data and spatial location carried in the assistance detection request can be accompanied by the corresponding collection timestamp.
[0130] Step 502: Determine whether there is an object located at the spatial location and whose similarity to the abnormal object reaches the similarity threshold in the point cloud data of the vehicle's lidar at the corresponding acquisition time.
[0131] Here, "this vehicle" refers to the autonomous vehicle that received the assistance detection request. For each autonomous vehicle that received the assistance detection request, it can be determined whether there is an object located at the stated spatial position and whose similarity to the abnormal object reaches a similarity threshold in the point cloud data of the vehicle's LiDAR at the corresponding acquisition time, based on the following method:
[0132] (1) Find the point cloud data of the vehicle’s lidar at the corresponding acquisition time based on the acquisition timestamp.
[0133] (2) Input the point cloud data of the vehicle’s lidar at the corresponding acquisition time into the region candidate network to predict a set of object candidate boxes.
[0134] (3) Determine whether there is an object candidate box in the object candidate box set that corresponds to the spatial location in the assisted detection request. If there is an object candidate box that corresponds to the spatial location in the assisted detection request, proceed to the next similarity judgment; otherwise, it can be confirmed that there is no abnormal object at the spatial location at the corresponding acquisition time.
[0135] (4) When a candidate bounding box for an object exists that corresponds to a spatial location in the assisted detection request, the candidate object in that bounding box is compared with the abnormal object in the assisted detection request for similarity. If the similarity reaches a similarity threshold, it can be confirmed that the abnormal object exists at the spatial location at the corresponding acquisition time; otherwise, it can be considered that the abnormal object does not exist at the spatial location at the corresponding acquisition time. In some embodiments, the similarity comparison can be implemented, for example, using the Structure Similarity (SSIM) algorithm.
[0136] Step 503: Generate an assist detection response based on the judgment result.
[0137] Step 504: Return to the assisted detection response.
[0138] This allows autonomous vehicles that send assistance detection requests to use the assistance detection response to further determine whether an abnormal object is a fake object, thereby improving the accuracy of deception attack detection.
[0139] Although the process described above includes multiple operations that occur in a specific order, it should be clearly understood that these processes may include more or fewer operations, which may be executed sequentially or in parallel (e.g., using parallel processors or a multithreaded environment).
[0140] With the above Figure 1 Corresponding to the deception attack detection method shown, this specification also provides a deception attack detection device, which can be configured on the aforementioned autonomous driving system. (See reference...) Figure 6 As shown, the deception attack detection device may include:
[0141] The acquisition module 61 can be used to acquire the point cloud data currently collected by the LiDAR of this vehicle;
[0142] The identification module 62 can be used to identify whether there are abnormal objects in the point cloud data;
[0143] The broadcast module 63 can be used to broadcast an assistance detection request carrying the point cloud data and spatial location of the abnormal object to surrounding vehicles when there is an abnormal object in the point cloud data.
[0144] The receiving module 64 can be used to receive the assistance detection response returned by the surrounding vehicles in response to the assistance detection request;
[0145] The determination module 65 can be used to determine whether the lidar is under spoofing attack based on the assisted detection response.
[0146] In some embodiments of the deception attack detection device, identifying whether there are abnormal objects in the point cloud data includes:
[0147] The point cloud data is input into a region candidate network to predict a set of object candidate boxes;
[0148] Determine whether the number of points of the candidate objects within each candidate box in the object candidate box set is within the point count space range;
[0149] When the number of points of a candidate object within a candidate box is not within the specified point space range, it is determined whether there are other candidate boxes within the distance range from the candidate object to the lidar.
[0150] If there are no other object candidate boxes within the distance range of the candidate object to the lidar, then the object is confirmed as an abnormal object.
[0151] In some embodiments of the deception attack detection device, the point space range includes the point space located between the first regression curve and the second regression curve;
[0152] The first regression curve is the regression curve of the minimum value of the number of object points in the field of view of the lidar as a function of detection distance under normal conditions.
[0153] The second regression curve is the regression curve of the maximum value of the number of object points in the field of view of the lidar as a function of detection distance under normal conditions.
[0154] In some embodiments of the spoofing attack detection apparatus, determining whether the lidar is under spoofing attack based on the assisted detection response includes:
[0155] When an assistance detection response is received within a specified time, and the assistance detection response contains a detection conclusion that the abnormal object does not exist at the spatial location at the corresponding acquisition time, it is confirmed that the abnormal object is a fake object and there is a deception attack against the lidar.
[0156] When an assistance detection response is received within a specified time, and the assistance detection response contains a detection conclusion that the abnormal object exists at the spatial location at the corresponding acquisition time, it is confirmed that the lidar is not under deception attack and the abnormal object is a real object.
[0157] In some embodiments of the deception attack detection apparatus, the step of determining whether the lidar is under deception attack based on the assisted detection response further includes:
[0158] When multiple assistance detection responses are received within a specified time, a vote is taken on the detection conclusions among the multiple assistance detection responses;
[0159] The voting results will determine whether the lidar is susceptible to deception attacks.
[0160] Some embodiments of the deception attack detection device also include a decision module, which is used to discard the detection result of the fake object when the determination module determines whether the lidar is being deceived based on the assisted detection response, and the abnormal object is confirmed to be a fake object and a deception attack against the lidar exists.
[0161] With the above Figure 5 Corresponding to the deception attack detection method shown, this specification also provides another deception attack detection device, which can be configured on the aforementioned autonomous driving system. (See reference...) Figure 7 As shown, the deception attack detection device may include:
[0162] The receiving module 71 can be used to receive assistance detection requests sent by surrounding vehicles; the assistance detection request carries point cloud data and spatial location of the abnormal object.
[0163] The judgment module 72 can be used to determine whether there is an object located at the spatial location and whose similarity to the abnormal object reaches the similarity threshold in the point cloud data of the vehicle's lidar at the corresponding acquisition time.
[0164] The generation module 73 can be used to generate an assist detection response based on the judgment result;
[0165] Return module 74 can be used to return the assisted detection response.
[0166] In some embodiments of the deception attack detection apparatus, the step of generating an assist detection response based on the judgment result includes:
[0167] When the point cloud data collected by the vehicle's lidar at a corresponding time contains an object located at the spatial location and whose similarity to the abnormal object reaches a similarity threshold, it is confirmed that the abnormal object exists at the spatial location at the corresponding time of collection.
[0168] Otherwise, confirm that the abnormal object does not exist at the spatial location at the corresponding acquisition time.
[0169] In some embodiments of the deception attack detection apparatus, the similarity includes structural similarity.
[0170] For ease of description, the above devices are described in terms of function, divided into various units. Of course, in implementing this specification, the functions of each unit can be implemented in one or more software and / or hardware components.
[0171] Embodiments of this specification also provide a computer device. For example... Figure 8 As shown, in some embodiments of this specification, the computer device 802 may include one or more processors 804, such as one or more central processing units (CPUs) or graphics processing units (GPUs), each of which may implement one or more hardware threads. The computer device 802 may also include any memory 806 for storing information of any kind, such as code, settings, data, etc. In one specific embodiment, a computer program is stored on the memory 806 and can run on the processor 804. When the computer program is run by the processor 804, it can execute instructions of the deception attack detection method described in any of the above embodiments. Non-limitingly, for example, the memory 806 may include any type of RAM, any type of ROM, flash memory, hard disk, optical disk, etc. More generally, any memory can use any technology to store information. Further, any memory can provide volatile or non-volatile retention of information. Further, any memory may represent a fixed or removable component of the computer device 802. In one case, when the processor 804 executes associated instructions stored in any memory or combination of memories, the computer device 802 can perform any operation of the associated instructions. The computer device 802 also includes one or more drive mechanisms 808 for interacting with any memory, such as a hard disk drive mechanism, an optical disk drive mechanism, etc.
[0172] Computer device 802 may also include an input / output interface 810 (I / O) for receiving various inputs (via input device 812) and providing various outputs (via output device 814). A specific output mechanism may include a presentation device 816 and an associated graphical user interface 818 (GUI). In other embodiments, the input / output interface 810 (I / O), input device 812, and output device 814 may be omitted, and the device may function solely as a computer device within a network. Computer device 802 may also include one or more network interfaces 820 for exchanging data with other devices via one or more communication links 822. One or more communication buses 824 couple the components described above together.
[0173] Communication link 822 can be implemented in any way, such as via a local area network, a wide area network (e.g., the Internet), a point-to-point connection, or any combination thereof. Communication link 822 may include any combination of hardwired links, wireless links, routers, gateway functions, name servers, etc., governed by any protocol or combination of protocols.
[0174] This application is described with reference to flowchart illustrations and / or block diagrams of methods, apparatus (systems), computer-readable storage media, and computer program products according to some embodiments of this specification. It will be understood that each block of the flowchart illustrations and / or block diagrams, and combinations of blocks in the flowchart illustrations and / or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processor to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processor, create a mechanism for implementing the flowchart illustrations and / or block diagrams. Figure 1 One or more processes and / or boxes Figure 1 A device that provides the functions specified in one or more boxes.
[0175] These computer program instructions may also be stored in a computer-readable storage medium that can direct a computer or other programmable data processor to function in a particular manner, such that the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means, which are implemented in a process Figure 1 One or more processes and / or boxes Figure 1 The function specified in one or more boxes.
[0176] These computer program instructions may also be loaded onto a computer or other programmable data processor, causing a series of operational steps to be performed on the computer or other programmable device to produce a computer-implemented process, thereby providing instructions that execute on the computer or other programmable device for implementing the process. Figure 1 One or more processes and / or boxes Figure 1 The steps of the function specified in one or more boxes.
[0177] In a typical configuration, a computer device includes one or more processors (CPU), input / output interfaces, network interfaces, and memory.
[0178] Memory may include non-persistent storage in computer-readable media, such as random access memory (RAM) and / or non-volatile memory, such as read-only memory (ROM) or flash RAM. Memory is an example of computer-readable media.
[0179] Computer-readable media, including both permanent and non-permanent, removable and non-removable media, can store information using any method or technology. Information can be computer-readable instructions, data structures, program modules, or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, CD-ROM, digital versatile optical disc (DVD) or other optical storage, magnetic tape, disk storage or other magnetic storage devices, or any other non-transferable medium that can be used to store information accessible by computer equipment. As defined in this specification, computer-readable media does not include transient media, such as modulated data signals and carrier waves.
[0180] Those skilled in the art will understand that the embodiments of this specification can be provided as methods, systems, or computer program products. Therefore, the embodiments of this specification can take the form of entirely hardware embodiments, entirely software embodiments, or embodiments combining software and hardware aspects. Furthermore, the embodiments of this specification can take the form of computer program products implemented on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
[0181] The embodiments described in this specification can be described in the general context of computer-executable instructions, such as program modules, that are executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc., that perform a specific task or implement a specific abstract data type. The embodiments of this specification can also be practiced in distributed computing environments where tasks are performed by remote processors connected via a communication network. In distributed computing environments, program modules can reside in local and remote computer storage media, including storage devices.
[0182] It should also be understood that, in the embodiments of this specification, the term "and / or" is merely a description of the relationship between related objects, indicating that three relationships can exist. For example, A and / or B can represent: A existing alone, A and B existing simultaneously, and B existing alone. Additionally, the character " / " in this document generally indicates that the preceding and following related objects have an "or" relationship.
[0183] The various embodiments in this specification are described in a progressive manner. Similar or identical parts between embodiments can be referred to interchangeably. Each embodiment focuses on describing the differences from other embodiments. In particular, the system embodiments are basically similar to the method embodiments, so the description is relatively simple; relevant parts can be referred to the descriptions in the method embodiments.
[0184] In the description of this specification, the references to terms such as "one embodiment," "some embodiments," "example," "specific example," or "some examples," etc., refer to specific features, structures, materials, or characteristics described in connection with that embodiment or example, which are included in at least one embodiment or example of the embodiments of this specification. In this specification, the illustrative expressions of the above terms do not necessarily refer to the same embodiment or example. Furthermore, the specific features, structures, materials, or characteristics described may be combined in any suitable manner in one or more embodiments or examples. Moreover, without contradiction, those skilled in the art can combine and integrate the different embodiments or examples described in this specification, as well as the features of different embodiments or examples.
[0185] The above description is merely an embodiment of this application and is not intended to limit the scope of this application. Various modifications and variations can be made to this application by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of this application should be included within the scope of the claims of this application.
Claims
1. A method for detecting deception attacks, characterized in that, include: Obtain the point cloud data currently collected by the LiDAR of this vehicle; Identify whether there are abnormal objects in the point cloud data caused by deception attacks, and the abnormal objects are fake objects; When there are abnormal objects in the point cloud data caused by a deception attack, broadcast an assistance detection request carrying the point cloud data and spatial location of the abnormal object to surrounding vehicles. The system receives an assistance detection response from the surrounding vehicles in response to the assistance detection request. The assistance detection response includes a detection conclusion drawn by the surrounding vehicles after independently verifying whether the abnormal object exists at the spatial location based on the point cloud data they have collected. The presence of a deception attack on the lidar is determined based on the assistance detection response.
2. The deception attack detection method as described in claim 1, characterized in that, The process of identifying whether there are abnormal objects in the point cloud data due to spoofing attacks includes: The point cloud data is input into a region candidate network to predict a set of object candidate boxes; Determine whether the number of points of the candidate objects within each candidate box in the object candidate box set is within the point count space range; When the number of points of a candidate object within a candidate box is not within the specified point space range, it is determined whether there are other candidate boxes within the distance range from the candidate object to the lidar. If there are no other object candidate boxes within the distance range of the candidate object to the lidar, then the object is confirmed as an abnormal object.
3. The deception attack detection method as described in claim 2, characterized in that, The range of the point space includes the point space located between the first regression curve and the second regression curve; The first regression curve is the regression curve of the minimum value of the number of object points in the field of view of the lidar as a function of detection distance under normal conditions. The second regression curve is the regression curve of the maximum value of the number of object points in the field of view of the lidar as a function of detection distance under normal conditions.
4. The deception attack detection method as described in claim 1, characterized in that, The step of determining whether the lidar is under spoofing attack based on the assisted detection response includes: When an assistance detection response is received within a specified time, and the assistance detection response contains a detection conclusion that the abnormal object does not exist at the spatial location at the corresponding acquisition time, it is confirmed that the abnormal object is a fake object and there is a deception attack against the lidar. When an assistance detection response is received within a specified time, and the assistance detection response contains a detection conclusion that the abnormal object exists at the spatial location at the corresponding acquisition time, it is confirmed that the lidar is not under deception attack and the abnormal object is a real object.
5. The deception attack detection method as described in claim 4, characterized in that, The step of determining whether the lidar is under spoofing attack based on the assisted detection response further includes: When multiple assistance detection responses are received within a specified time, a vote is taken on the detection conclusions among the multiple assistance detection responses; The voting results will determine whether the lidar is susceptible to deception attacks.
6. The deception attack detection method as described in claim 4, characterized in that, After determining whether the lidar is under spoofing attack based on the assisted detection response, the method further includes: If the abnormal object is confirmed to be a fake object, indicating a deception attack against the lidar, the detection result for the fake object is discarded.
7. A method for detecting deception attacks, characterized in that, include: Receive assistance requests for detection from surrounding vehicles; The request for assistance in detection includes point cloud data and spatial location information of the abnormal object. The abnormal object is a fake object generated by a deception attack and identified by the surrounding vehicles based on point cloud data collected by their own lidar. Determine whether there is an object located at the spatial location and whose similarity to the abnormal object reaches the similarity threshold in the point cloud data of the vehicle's lidar at the corresponding acquisition time. An assist detection response is generated based on the judgment result; the assist detection response includes: the detection conclusion obtained by the surrounding vehicles after independently verifying whether the abnormal object exists at the spatial location based on the point cloud data they have collected; Return the assisted detection response.
8. The deception attack detection method as described in claim 7, characterized in that, The step of generating an assist detection response based on the judgment result includes: When the point cloud data collected by the vehicle's lidar at a corresponding time contains an object located at the spatial location and whose similarity to the abnormal object reaches a similarity threshold, it is confirmed that the abnormal object exists at the spatial location at the corresponding time of collection. Otherwise, confirm that the abnormal object does not exist at the spatial location at the corresponding acquisition time.
9. The deception attack detection method as described in claim 7, characterized in that, The similarity includes structural similarity.
10. A deception attack detection device, characterized in that, include: The acquisition module is used to acquire the point cloud data currently collected by the vehicle's lidar. The identification module is used to identify whether there are abnormal objects in the point cloud data caused by deception attacks, and the abnormal objects are fake objects; The broadcast module is used to broadcast a request for assistance in detecting point cloud data and spatial location corresponding to the abnormal object to surrounding vehicles when there is an abnormal object in the point cloud data caused by a deception attack. The receiving module is used to receive the assistance detection response returned by the surrounding vehicles in response to the assistance detection request; the assistance detection response includes: the detection conclusion obtained by the surrounding vehicles after independently verifying whether the abnormal object exists at the spatial location based on the point cloud data they have collected. A determination module is used to determine whether the lidar is subjected to a spoofing attack based on the assisted detection response.
11. A deception attack detection device, characterized in that, include: The receiving module is used to receive assistance detection requests sent by surrounding vehicles; The request for assistance in detection includes point cloud data and spatial location information of the abnormal object. The abnormal object is a fake object generated by a deception attack and identified by the surrounding vehicles based on point cloud data collected by their own lidar. The judgment module is used to determine whether there is an object located at the spatial location and whose similarity to the abnormal object reaches the similarity threshold in the point cloud data of the vehicle's lidar at the corresponding acquisition time. The generation module is used to generate an assist detection response based on the judgment result; the assist detection response includes: the detection conclusion obtained by the surrounding vehicles after independently verifying whether the abnormal object exists at the spatial location based on the point cloud data they have collected; The return module is used to return the assisted detection response.
12. A computer device comprising a memory, a processor, and a computer program stored in the memory, characterized in that, When the computer program is run by the processor, it executes the instructions of the method according to any one of claims 1-9.
13. A computer storage medium having a computer program stored thereon, characterized in that, When the computer program is run by the processor of the computer device, it executes the instructions of the method according to any one of claims 1-9.
14. A computer program product, characterized in that, The computer program product includes a computer program that, when executed by a processor, performs instructions according to any one of claims 1-9.