Image Segmentation Framework for Detecting Adversarial Attacks for Autonomous Driving Cars
Figure 1. The flow of creating dummy images. The first two columns, x1 and x2, are clean random images from different classes. The third and fourth columns, s1 and s2, are the intermediate transformations of x1 and x2. The last column is the resultant dummy image generated by the DIG algorithm.
Figure 2. The proposed pipeline of the adversarial detection framework. The first line of defense starts with the U-net model and ends with the output prediction of the OCSVM model. The components of the second line of defense are the masking operation with the KAS algorithm and the verifier model. The final decision of the pipeline for the input image is taken either immediately from the first line of defense or by comparing the predictions of the verifier model and the target (main) model.
Figure 3. Bar chart of the Structural Similarity Index (SSIM) of the test set images for each class of the MNIST, CIFAR-10, and GTSRB-8 data sets before and after applying the KAS algorithm at k = 35%.
Figure 4. SSIM index of the test set images of all classes of the MNIST, CIFAR-10, and GTSRB-8 data sets before and after the k-means procedure at 10 values of k.
Figure 5. The detection rates of our proposed method compared to the best feature squeezer for the FGSM attack on the GTSRB-8 data set with ε values from 0.01 to 0.5. The figure shows the superiority of our method for all ε values.
Figure 6. The flow of image processing steps in the proposed framework. The first line of each data set shows a clean sample of each class. The second line is the corresponding segmentation mask produced by the U-net model. The third and fourth lines are the segmented and inverted versions of the masked images yielded by the KAS algorithm.
Figure 7. Samples of distorted images from the GTSRB-8 data set that are omitted from the train and test sets in our experiments.
Figure 8. A visual comparison between clean images in the first row and their adversarial counterparts in the second row, detected by the OCSVM model in the first line of defense of the adversarial detection framework. The third and fourth rows are the masks generated by the OCSVM for the clean and adversarial images, respectively.
Figure 9. A visual comparison between clean images in the first row and their adversarial counterparts in the second row, detected by the second line of defense, the verifier model, in our adversarial detection framework. The third and fourth rows are the segmented versions yielded by the KAS algorithm (Algorithm 1) from the clean and adversarial images, respectively. The last two rows are the inverted versions.
1. Introduction
1. We propose a segmentation mask verification method (first line of defense): the proposed method verifies the segmentation mask of the input image for adversarial noise instead of analyzing the image directly. This is achieved by using a U-net model to generate segmentation masks; a One-Class Support Vector Machine then works as an anomaly detector and flags any abnormal (adversarial) masks.
2. We develop two novel algorithms: the first generates dummy images that simulate images irrelevant to the classification task, to enhance the robustness of the verifier model. The second dynamically segments the input image using the k-means algorithm and produces two versions of the input, the segmented and the inverted images.
3. We build a verifier model (second line of defense): the verifier model acts as an authenticator of the main model's prediction and dictates the final decision on an input image that has passed the first line of defense, flagging it as either clean or adversarial.
4. We enhance the detection rates of FGSM and BIM attacks: the proposed detection method detects adversarial attacks, including FGSM and BIM, with high accuracy, unlike the compared method.
2. Background and Related Works
2.1. Adversarial Attacks
2.1.1. Fast Gradient Sign Method (FGSM)
2.1.2. Jacobian-Based Saliency Map Attack (JSMA)
2.1.3. DeepFool
2.1.4. C&W Attack Algorithm
2.2. Defense Mechanisms Against Adversarial Attacks
2.2.1. Distillation
2.2.2. MagNet
2.2.3. Adversarial Training
2.2.4. GAN-Defense
2.2.5. Feature Squeezing
2.3. Adversarial Attacks Against DNN-Based Autonomous Driving System
2.3.1. Adversarial Traffic Signs
2.3.2. GAN for Generating Adversarial Signs
2.3.3. Attacking End-to-End Autonomous Driving Cars
2.3.4. Adversarial Attacks Against LIDAR System
3. Methodology
3.1. U-Net Model for Mask Segmentation
3.2. One Class Support Vector Machine
3.3. Image Segmentation and KAS Algorithm
Algorithm 1 k-means Adaptive Segmentation (KAS)
Require: Masked Gray-scale Image x
Ensure: Segmented and Inverted images (, )
3.4. Adversarial Detection Mechanism Using the Verifier Model
Algorithm 2 Dummy Image Generation (DIG)
Require: Labeled Image data set
Ensure: Dummy Image (, )
3.5. Adversarial Detection Pipeline
4. Experimental Setup
4.1. Data Sets and Preprocessing
- MNIST data set: the MNIST data set is a grayscale data set of handwritten digits (0–9). We divide the data set into 60,000 images for training and 10,000 for testing. The objects of interest in these images (the digits) are centered with high grayscale values, while the background pixels are mostly zero, as shown in the first row in Figure 6. To generate segmentation masks, all pixels greater than 1 were considered as the foreground, and zero pixels were treated as the background.
- CIFAR-10 data set: This data set consists of RGB images divided into 10 classes (airplane, automobile, bird, cat, deer, dog, frog, horse, ship, truck), with 50,000 images for training and 10,000 for testing. Since no pre-existing segmentation masks were available, we manually created segmentation masks for 200 images per class as a training set and 25 images per class for testing using the CVAT tool [71]. We extended this data set to 1000 images per class by applying data augmentation techniques (random cropping, horizontal flip, Hue-Saturation-Value adjustment, and Random Brightness–Contrast) from the Albumentations library [72]. These augmented masks were used to fine-tune a pre-trained YOLO-V8-Seg model for each class separately, generating 5000 segmentation masks per class. Figure 6 shows some images from each class with their respective segmentation masks. For classes like Cat and Deer, we collected additional images from Roboflow [73,74] to improve the mask quality. We manually sanity-checked most of the generated masks for each class, rectifying or recreating the wrong ones.
- GTSRB-8 data set (Speed-Limits Subset): The German Traffic Sign Recognition Benchmark (GTSRB) is an RGB data set with 43 traffic sign classes. We selected a subset consisting of speed-limit signs (8 classes) as depicted in Figure 6. This data set contains 8140 images for training and 3142 for testing. We manually created 200 segmentation masks for training and 20 masks for testing, using the CVAT tool. Images that were noisy or indiscernible were manually removed to ensure the data set quality. Figure 7 shows some noisy samples of the GTSRB-8 data set that were omitted.
4.2. Target DNN Models
4.3. U-Net Model Setup
4.4. The Configuration of the Proposed Adversarial Detection Method
- OCSVM Model: The first line of defense in the pipeline is the OCSVM model, trained on the segmentation masks generated by the U-net model. Using the Sklearn library, we configured the OCSVM model with the default parameters shown in Table 4. Table 4 also shows that the OCSVM models achieved high accuracy across all data sets. The segmentation masks, shown in the second row of each data set in Figure 6, were used to isolate the object of interest from the background in each image, and the masked images were converted to grayscale for the KAS algorithm, as shown in the third row of each data set in Figure 6.
- KAS algorithm: The KAS algorithm involves three key processes to generate the segmented and inverted versions of the masked input image, depicted in the third and fourth rows of each data set in Figure 6, as illustrated in Algorithm 1:
  - Denoising: Instead of averaging only nearby pixels, the non-local-mean filter [40] identifies multiple similar patches within a larger area of the image and replaces the central patch with the average of those similar patches. Since the noise is assumed to have zero mean, this averaging reduces noise while keeping the edges sharp and preserving the structure of the image. A non-local-mean filter with a filtering window and a searching window of with a filter strength of 1 was applied to denoise and normalize similar regions of the image, preparing it for segmentation. We followed the feature squeezing settings for these parameters except for the filter strength, which we set lower to reduce the blurring effect of the filter. The filter parameters are denoted by a-b-c, where a is the filtering window, b is the searching window, and c is the filter strength.
  - k-means Clustering: After denoising with the non-local-mean filter, the masked filtered image is segmented using the k-means algorithm into k regions, where k was set to of the number of grayscale shades in the image. This determines the number of clusters dynamically for each image, allowing more flexible segmentation and making it harder for an attacker to adapt to this dynamic mechanism.
  - Median Filtering: The segmented image was further smoothed and denoised using a median filter. As a result, the segmented and inverted images were produced, as shown in the last two rows for each data set in Figure 6.
- Verifier Model: The second line of defense is the verifier model. The verifier model shares the same architecture as the main target model, as shown in Table 2, but with a single-channel (grayscale) input layer instead of the target's three-channel (RGB) input. Moreover, an additional class was introduced to the verifier's output to classify unrelated or noisy inputs. This additional class consists of a set of dummy images generated using the DIG algorithm and added to the training set of the verifier model. Table 5 reports the test accuracy of the verifier models for the three data sets. We trained each verifier on the segmented and inverted data set generated by the KAS algorithm together with the dummy class generated by the DIG algorithm. For the MNIST and GTSRB-8 data sets, the verifier models reached performance levels comparable to the target models. However, the verifier for CIFAR-10 experienced a drop in accuracy compared to the target model's accuracy, even after 300 epochs of training.
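As an added example (not the paper's code), the three KAS steps described above are reimplemented in pure Python and run over a constructed masked image: the patch and search window sizes, the units of the filter strength h, and the inversion rule (255 minus the segmented value) are this example's assumptions, while the 35% fraction for k is the setting named in the SSIM figure caption.

```python
# Pure-Python reimplementation of the KAS steps: non-local-means denoising,
# k-means with k derived from the shade count, 3x3 median filtering, then
# inversion. Added example, not the paper's code; parameters are assumptions.
import math
from typing import List, Tuple

Image = List[List[int]]  # row-major grayscale image, values 0..255

def nl_means(img: Image, patch_r: int = 1, search_r: int = 2, h: float = 10.0) -> Image:
    """Each pixel becomes the weighted mean of the pixels in its search window,
    weighted by how similar their surrounding patches are to its own patch.
    A smaller h (filter strength) accepts only near-identical patches, so it blurs less."""
    rows, cols = len(img), len(img[0])

    def patch(y: int, x: int) -> List[int]:  # (2*patch_r+1)^2 neighbourhood, borders replicated
        return [img[min(max(y + dy, 0), rows - 1)][min(max(x + dx, 0), cols - 1)]
                for dy in range(-patch_r, patch_r + 1)
                for dx in range(-patch_r, patch_r + 1)]

    out = [[0] * cols for _ in range(rows)]
    for y in range(rows):
        for x in range(cols):
            ref, num, den = patch(y, x), 0.0, 0.0
            for sy in range(max(0, y - search_r), min(rows, y + search_r + 1)):
                for sx in range(max(0, x - search_r), min(cols, x + search_r + 1)):
                    d2 = sum((a - b) ** 2 for a, b in zip(ref, patch(sy, sx))) / len(ref)
                    w = math.exp(-d2 / (h * h))
                    num += w * img[sy][sx]
                    den += w
            out[y][x] = int(round(num / den))
    return out

def choose_k(img: Image, frac: float = 0.35) -> int:
    """Dynamic k: a fraction of the distinct shades present (35% as in the SSIM
    figure caption), so every image gets its own cluster count."""
    shades = len({v for row in img for v in row})
    return max(1, min(shades, math.ceil(frac * shades)))

def kmeans_1d(values: List[int], k: int, iters: int = 50) -> List[float]:
    """Lloyd's k-means on scalar intensities; centroids start at evenly spaced
    ranks of the distinct values so no cluster starts empty."""
    uniq, step = sorted(set(values)), max(1, k - 1)
    cents = [float(uniq[(i * (len(uniq) - 1)) // step]) for i in range(k)]
    for _ in range(iters):
        sums, counts = [0.0] * k, [0] * k
        for v in values:
            c = min(range(k), key=lambda i: abs(v - cents[i]))
            sums[c] += v
            counts[c] += 1
        new = [sums[i] / counts[i] if counts[i] else cents[i] for i in range(k)]
        if new == cents:
            break
        cents = new
    return cents

def segment(img: Image, k: int) -> Image:
    """Quantise every pixel to the centroid of its intensity cluster."""
    cents = kmeans_1d([v for row in img for v in row], k)
    return [[int(round(min(cents, key=lambda c: abs(v - c)))) for v in row]
            for row in img]

def median3(img: Image) -> Image:
    """3x3 median filter with replicated borders; removes residual speckles."""
    rows, cols = len(img), len(img[0])
    out = [[0] * cols for _ in range(rows)]
    for y in range(rows):
        for x in range(cols):
            win = sorted(img[min(max(y + dy, 0), rows - 1)][min(max(x + dx, 0), cols - 1)]
                         for dy in (-1, 0, 1) for dx in (-1, 0, 1))
            out[y][x] = win[4]
    return out

def invert(img: Image) -> Image:
    return [[255 - v for v in row] for row in img]  # assumed inversion rule

def kas(img: Image, frac: float = 0.35) -> Tuple[Image, Image]:
    """Full KAS pass over a masked grayscale image: (segmented, inverted)."""
    denoised = nl_means(img)
    segmented = median3(segment(denoised, choose_k(denoised, frac)))
    return segmented, invert(segmented)

# Constructed 7x8 sample standing in for a masked input: zero background,
# a dark region, a bright region and two speckle pixels acting as noise.
SAMPLE: Image = [
    [0,  0,  0,  0,   0,   0,   0, 0],
    [0, 60, 60, 60, 200, 200, 200, 0],
    [0, 60, 75, 60, 200, 200, 200, 0],
    [0, 60, 60, 60, 200, 185, 200, 0],
    [0, 60, 60, 60, 200, 200, 200, 0],
    [0, 60, 60, 60, 200, 200, 200, 0],
    [0,  0,  0,  0,   0,   0,   0, 0],
]

if __name__ == "__main__":
    seg, inv = kas(SAMPLE)
    for row in seg:
        print(" ".join(f"{v:3d}" for v in row))
```

With a few shades in a toy image, 35% yields only two or three clusters, so the constructed sample is mainly useful for tracing the steps; real images with hundreds of shades give the tens of clusters the paper relies on.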
4.5. Adversarial Attack Configuration
4.6. Inverted Along with Segmented Image
4.7. The Robustness of the Proposed Method Against a Wide Range of Perturbation Values
4.8. Choosing the Number of Segments k for the KAS Algorithm
5. Results and Discussion
6. Conclusions
Author Contributions
Institutional Review Board Statement
Informed Consent Statement
Data Availability Statement
Conflicts of Interest
1. Yang, J.; Ni, Q.; Luo, G.; Cheng, Q.; Oukhellou, L.; Han, S. A Trustworthy Internet of Vehicles: The DAO to Safe, Secure, and Collaborative Autonomous Driving. IEEE Trans. Intell. Veh. 2023, 8, 4678–4681.
2. Tian, F.; Li, Z.; Wang, F.Y.; Li, L. Parallel Learning-Based Steering Control for Autonomous Driving. IEEE Trans. Intell. Veh. 2023, 8, 379–389.
3. Natan, O.; Miura, J. End-to-End Autonomous Driving with Semantic Depth Cloud Mapping and Multi-Agent. IEEE Trans. Intell. Veh. 2023, 8, 557–571.
4. Nawaz, M.; Tang, J.K.T.; Bibi, K.; Xiao, S.; Ho, H.P.; Yuan, W. Robust Cognitive Capability in Autonomous Driving Using Sensor Fusion Techniques: A Survey. IEEE Trans. Intell. Transp. Syst. 2024, 25, 3228–3243.
5. Wang, X.; Li, K.; Chehri, A. Multi-Sensor Fusion Technology for 3D Object Detection in Autonomous Driving: A Review. IEEE Trans. Intell. Transp. Syst. 2024, 25, 1148–1165.
6. Zeng, L.; Zhang, K.; Han, Q.; Chen, S.; Ye, L.; Wang, R.; Lei, J.; Xie, Q. Research of Path Planning Model Based on Hotspots Evaluation. In Proceedings of the 2019 IEEE Intelligent Vehicles Symposium (IV), Paris, France, 9–12 June 2019; pp. 2429–2434.
7. Zhang, D.; Liang, J.; Lu, S.; Guo, K.; Wang, Q.; Xiong, R.; Miao, Z.; Wang, Y. PEP: Policy-Embedded Trajectory Planning for Autonomous Driving. IEEE Robot. Autom. Lett. 2024, 9, 11361–11368.
8. Poddar, S.D.; M, M.; P, R.; N, P. A Comprehensive Study on Security Threats in Autonomous Vehicles: Safeguarding the Future. In Proceedings of the 2024 1st International Conference on Cognitive, Green and Ubiquitous Computing (IC-CGU), Bhubaneswar, India, 1–2 March 2024; pp. 1–6.
9. Szegedy, C.; Zaremba, W.; Sutskever, I.; Bruna, J.; Erhan, D.; Goodfellow, I.; Fergus, R. Intriguing Properties of Neural Networks. arXiv 2013, arXiv:1312.6199.
10. Xiang, C.; Qi, C.R.; Li, B. Generating 3D Adversarial Point Clouds. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, Long Beach, CA, USA, 15–20 June 2019; pp. 9136–9144.
11. Sitawarin, C.; Bhagoji, A.N.; Mosenia, A.; Chiang, M.; Mittal, P. Darts: Deceiving Autonomous Cars with Toxic Signs. arXiv 2018, arXiv:1802.06430.
12. Morgulis, N.; Kreines, A.; Mendelowitz, S.; Weisglass, Y. Fooling a Real Car with Adversarial Traffic Signs. arXiv 2019, arXiv:1907.00374.
13. Sato, T.; Shen, J.; Wang, N.; Jia, Y.J.; Lin, X.; Chen, Q.A. Demo: Security of Deep Learning based Automated Lane Centering under Physical-World Attack. In Proceedings of the 2021 IEEE Security and Privacy Workshops (SPW), San Francisco, CA, USA, 27 May 2021; p. 244.
14. Wu, H.; Yunas, S.; Rowlands, S.; Ruan, W.; Wahlström, J. Adversarial Driving: Attacking End-to-end Autonomous Driving. In Proceedings of the 2023 IEEE Intelligent Vehicles Symposium (IV), Anchorage, AK, USA, 4–7 June 2023; pp. 1–7.
15. Yufeng, L.; Fengyu, Y.; Qi, L.; Jiangtao, L.; Chenhong, C. Light can be dangerous: Stealthy and Effective Physical-world Adversarial Attack by Spot Light. Comput. Secur. 2023, 132, 103345.
16. Sato, T.; Bhupathiraju, S.H.; Clifford, M.; Sugawara, T.; Chen, Q.A.; Rampazzi, S. WIP: Infrared Laser Reflection Attack Against Traffic Sign Recognition Systems. In Proceedings of the ISOC Symposium on Vehicle Security and Privacy (VehicleSec), San Diego, CA, USA, 27 February 2023.
17. Yan, C.; Xu, Z.; Yin, Z.; Mangard, S.; Ji, X.; Xu, W.; Zhao, K.; Zhou, Y.; Wang, T.; Gu, G.; et al. Rolling Colors: Adversarial Laser Exploits against Traffic Light Recognition. In Proceedings of the 31st USENIX Security Symposium (USENIX Security 22), Boston, MA, USA, 10–12 August 2022; pp. 1957–1974.
18. Duan, R.; Ma, X.; Wang, Y.; Bailey, J.; Qin, A.K.; Yang, Y. Adversarial Camouflage: Hiding Physical-World Attacks with Natural Styles. In Proceedings of the 2020 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), Seattle, WA, USA, 13–19 June 2020; pp. 997–1005.
19. Wang, W.; Yao, Y.; Liu, X.; Li, X.; Hao, P.; Zhu, T. I Can See The Light: Attacks on Autonomous Vehicles Using Invisible Lights. In Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, Virtual, 15–19 November 2021; pp. 1930–1944.
20. Sayles, A.; Hooda, A.; Gupta, M.; Chatterjee, R.; Fernandes, E. Invisible Perturbations: Physical Adversarial Examples Exploiting the Rolling Shutter Effect. In Proceedings of the 2021 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), Nashville, TN, USA, 20–25 June 2021; pp. 14661–14670.
21. Zhong, Y.; Liu, X.; Zhai, D.; Jiang, J.; Ji, X. Shadows can be Dangerous: Stealthy and Effective Physical-world Adversarial Attack by Natural Phenomenon. In Proceedings of the 2022 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), New Orleans, LA, USA, 18–24 June 2022; pp. 15324–15333.
22. Madry, A.; Makelov, A.; Schmidt, L.; Tsipras, D.; Vladu, A. Towards Deep Learning Models Resistant to Adversarial Attacks. arXiv 2017, arXiv:1706.06083.
23. Kurakin, A.; Goodfellow, I.J.; Bengio, S. Adversarial Examples in The Physical World. In Artificial Intelligence Safety and Security; Chapman and Hall/CRC: Boca Raton, FL, USA, 2018; pp. 99–112.
24. Samangouei, P.; Kabkab, M.; Chellappa, R. Defense-GAN: Protecting Classifiers against Adversarial Attacks Using Generative Models. arXiv 2018, arXiv:1805.06605.
25. Xu, W.; Evans, D.; Qi, Y. Feature Squeezing: Detecting Adversarial Examples in Deep Neural Networks. In Proceedings of the 2018 Network and Distributed Systems Security Symposium (NDSS), San Diego, CA, USA, 18–21 February 2018.
26. Lin, W.A.; Balaji, Y.; Samangouei, P.; Chellappa, R. Invert and Defend: Model-based Approximate Inversion of Generative Adversarial Networks for Secure Inference. arXiv 2019, arXiv:1911.10291.
27. Goodfellow, I.J.; Shlens, J.; Szegedy, C. Explaining and Harnessing Adversarial Examples. arXiv 2014, arXiv:1412.6572.
28. Papernot, N.; McDaniel, P.; Jha, S.; Fredrikson, M.; Celik, Z.B.; Swami, A. The Limitations of Deep Learning in Adversarial Settings. In Proceedings of the 2016 IEEE European Symposium on Security and Privacy (EuroS&P), Saarbruecken, Germany, 21–24 March 2016; pp. 372–387.
29. Simonyan, K.; Vedaldi, A.; Zisserman, A. Visualising Image Classification Models and Saliency Maps. Deep. Inside Convolutional Netw. 2014, 2, 2.
30. Moosavi-Dezfooli, S.M.; Fawzi, A.; Frossard, P. DeepFool: A Simple and Accurate Method to Fool Deep Neural Networks. In Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, Las Vegas, NV, USA, 27–30 June 2016; pp. 2574–2582.
31. Carlini, N.; Wagner, D. Towards Evaluating The Robustness of Neural Networks. In Proceedings of the 2017 IEEE Symposium on Security and Privacy (SP), San Jose, CA, USA, 22–26 May 2017; pp. 39–57.
32. Kingma, D.P.; Ba, J. Adam: A Method for Stochastic Optimization. arXiv 2014, arXiv:1412.6980.
33. Hinton, G.; Vinyals, O.; Dean, J. Distilling The Knowledge In a Neural Network. arXiv 2015, arXiv:1503.02531.
34. Papernot, N.; McDaniel, P.; Wu, X.; Jha, S.; Swami, A. Distillation as a Defense to Adversarial Perturbations against Deep Neural Networks. In Proceedings of the 2016 IEEE Symposium on Security and Privacy (SP), San Jose, CA, USA, 22–26 May 2016; pp. 582–597.
35. Meng, D.; Chen, H. MagNet: A Two-pronged Defense against Adversarial Examples. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, Dallas, TX, USA, 30 October–3 November 2017; pp. 135–147.
36. Vincent, P.; Larochelle, H.; Bengio, Y.; Manzagol, P.A. Extracting and Composing Robust Features with Denoising Autoencoders. In Proceedings of the 25th International Conference on Machine Learning, Helsinki, Finland, 5–9 July 2008; pp. 1096–1103.
37. Robey, A.; Latorre, F.; Pappas, G.J.; Hassani, H.; Cevher, V. Adversarial Training Should Be Cast as a Non-Zero-Sum Game. arXiv 2023, arXiv:2306.11035.
38. Mirza, M.; Xu, B.; Warde-Farley, D.; Ozair, S.; Courville, A.; Bengio, Y.; Goodfellow, I.J.; Pouget-Abadie, J. Generative Adversarial Nets. Proc. Adv. Neural Inf. Process. Syst. 2014, 27, 2672–2680.
39. Arjovsky, M.; Chintala, S.; Bottou, L. Wasserstein Generative Adversarial Networks. In Proceedings of the International Conference on Machine Learning, Sydney, Australia, 6–11 August 2017; pp. 214–223.
40. Buades, A.; Coll, B.; Morel, J.M. Non-Local Means Denoising. Image Process. Line 2011, 1, 208–212.
41. Wang, X.; Hu, J.; Wei, C.; Li, L.; Li, Y.; Du, M. A Novel Lane-Change Decision-Making with Long-Time Trajectory Prediction for Autonomous Vehicle. IEEE Access 2023, 11, 137437–137449.
42. Nie, J.; Yan, J.; Yin, H.; Ren, L.; Meng, Q. A Multimodality Fusion Deep Neural Network and Safety Test Strategy for Intelligent Vehicles. IEEE Trans. Intell. Veh. 2021, 6, 310–322.
43. Athalye, A.; Engstrom, L.; Ilyas, A.; Kwok, K. Synthesizing Robust Adversarial Examples. In Proceedings of the International Conference on Machine Learning, Stockholm, Sweden, 10–15 July 2018; pp. 284–293.
44. Jia, W.; Lu, Z.; Zhang, H.; Liu, Z.; Wang, J.; Qu, G. Fooling The Eyes of Autonomous Vehicles: Robust Physical Adversarial Examples against Traffic Sign Recognition Systems. arXiv 2022, arXiv:2201.06192.
45. Kurakin, A.; Goodfellow, I.; Bengio, S. Adversarial Machine Learning at Scale. arXiv 2016, arXiv:1611.01236.
46. Xiao, C.; Li, B.; Zhu, J.Y.; He, W.; Liu, M.; Song, D. Generating Adversarial Examples with Adversarial Networks. arXiv 2018, arXiv:1801.02610.
47. Eykholt, K.; Evtimov, I.; Fernandes, E.; Li, B.; Rahmati, A.; Xiao, C.; Prakash, A.; Kohno, T.; Song, D. Robust Physical-world Attacks on Deep Learning Visual Classification. In Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, Salt Lake City, UT, USA, 18–23 June 2018; pp. 1625–1634.
48. Lu, J.; Sibai, H.; Fabry, E.; Forsyth, D. No Need to Worry about Adversarial Examples in Object Detection in Autonomous Vehicles. arXiv 2017, arXiv:1707.03501.
49. Kong, Z.; Guo, J.; Li, A.; Liu, C. PhysGAN: Generating Physical-world-resilient Adversarial Examples for Autonomous Driving. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, Seattle, WA, USA, 13–19 June 2020; pp. 14254–14263.
50. Udacity. Udacity Steering Wheel Dataset. 2020. Available online: (accessed on 22 December 2024).
51. Pan, X.; You, Y.; Wang, Z.; Lu, C. Virtual to Real Reinforcement Learning for Autonomous Driving. arXiv 2017, arXiv:1704.03952.
52. Geiger, A.; Lenz, P.; Stiller, C.; Urtasun, R. Vision Meets Robotics: The KITTI Dataset. Int. J. Robot. Res. 2013, 32, 1231–1237.
53. Bojarski, M.; Del Testa, D.; Dworakowski, D.; Firner, B.; Flepp, B.; Goyal, P.; Jackel, L.D.; Monfort, M.; Muller, U.; Zhang, J.; et al. End to End Learning for Self-driving Cars. arXiv 2016, arXiv:1604.07316.
54. Shah, S.; Dey, D.; Lovett, C.; Kapoor, A. AirSim: High-fidelity Visual and Physical Simulation for Autonomous Vehicles. In Proceedings of the Field and Service Robotics: Results of the 11th International Conference, Zurich, Switzerland, 12–15 September 2017; Springer: Berlin/Heidelberg, Germany, 2018; pp. 621–635.
55. Dosovitskiy, A.; Ros, G.; Codevilla, F.; Lopez, A.; Koltun, V. CARLA: An Open Urban Driving Simulator. In Proceedings of the Conference on Robot Learning, Mountain View, CA, USA, 13–15 November 2017; pp. 1–16.
56. Macenski, S.; Foote, T.; Gerkey, B.; Lalancette, C.; Woodall, W. Robot Operating System 2: Design, Architecture, and Uses in The Wild. Sci. Robot. 2022, 7, eabm6074.
57. Cao, Y.; Xiao, C.; Yang, D.; Fang, J.; Yang, R.; Liu, M.; Li, B. Adversarial Objects against LiDAR-based Autonomous Driving Systems. arXiv 2019, arXiv:1907.05418.
58. Petit, J.; Stottelaar, B.; Feiri, M.; Kargl, F. Remote Attacks on Automated Vehicles Sensors: Experiments on Camera and LiDAR. Black Hat Eur. 2015, 11, 995.
59. Shin, H.; Kim, D.; Kwon, Y.; Kim, Y. Illusion and Dazzle: Adversarial Optical Channel Exploits against Lidars for Automotive Applications. In Proceedings of the Cryptographic Hardware and Embedded Systems—CHES 2017: 19th International Conference, Taipei, Taiwan, 25–28 September 2017; Springer: Berlin/Heidelberg, Germany, 2017; pp. 445–467.
60. Ronneberger, O.; Fischer, P.; Brox, T. U-net: Convolutional Networks for Biomedical Image Segmentation. In Proceedings of the Medical Image Computing and Computer-Assisted Intervention—MICCAI 2015: 18th International Conference, Munich, Germany, 5–9 October 2015; Springer: Berlin/Heidelberg, Germany, 2015; pp. 234–241.
61. Shin, H.J.; Eom, D.H.; Kim, S.S. One-class Support Vector Machines—An Application in Machine Fault Detection and Classification. Comput. Ind. Eng. 2005, 48, 395–408.
62. Wang, C.; Sun, Y.; Lv, S.; Wang, C.; Liu, H.; Wang, B. Intrusion Detection System Based on One-class Support Vector Machine and Gaussian Mixture Model. Electronics 2023, 12, 930.
63. Bishop, C.M.; Nasrabadi, N.M. Pattern Recognition and Machine Learning; Springer: Berlin/Heidelberg, Germany, 2006; Volume 4.
64. Akbari, M.; Liang, J.; Han, J. DSSLIC: Deep Semantic Segmentation-based Layered Image Compression. In Proceedings of the ICASSP 2019 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP), Brighton, UK, 12–17 May 2019; pp. 2042–2046.
65. Li, F.; Zhang, H.; Xu, H.; Liu, S.; Zhang, L.; Ni, L.M.; Shum, H.Y. Mask DINO: Towards a Unified Transformer-based Framework for Object Detection and Segmentation. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, Vancouver, BC, Canada, 22–23 December 2023; pp. 3041–3050.
66. Dhanachandra, N.; Manglem, K.; Chanu, Y.J. Image Segmentation Using K-means Clustering Algorithm and Subtractive Clustering Algorithm. Procedia Comput. Sci. 2015, 54, 764–771.
67. LeCun, Y. The MNIST Database of Handwritten Digits. 1998. Available online: (accessed on 22 December 2024).
68. Krizhevsky, A.; Hinton, G. Learning Multiple Layers of Features from Tiny Images; University of Toronto: Toronto, ON, Canada, 2009.
69. Stallkamp, J.; Schlipsing, M.; Salmen, J.; Igel, C. The German Traffic Sign Recognition Benchmark: A Multi-class Classification Competition. In Proceedings of the 2011 International Joint Conference on Neural Networks, San Jose, CA, USA, 31 July–5 August 2011; pp. 1453–1460.
70. Papernot, N.; McDaniel, P.; Goodfellow, I. Transferability in Machine Learning: From Phenomena to Black-box Attacks Using Adversarial Samples. arXiv 2016, arXiv:1605.07277.
71. CVAT. Online Annotation Tool. Available online: (accessed on 5 August 2024).
72. Buslaev, A.; Iglovikov, V.I.; Khvedchenya, E.; Parinov, A.; Druzhinin, M.; Kalinin, A.A. Albumentations: Fast and Flexible Image Augmentations. arXiv 2018, arXiv:1809.06839.
73. Segmentation. Cat2 Dataset. 2023. Available online: (accessed on 7 August 2024).
74. Recognition of Sheep Dataset. 2023. Available online: (accessed on 9 January 2025).
75. Carlini, N. Robust Evasion Attacks against Neural Network to Find Adversarial Examples. Available online: (accessed on 16 August 2024).
76. Huang, G.; Liu, Z.; Van Der Maaten, L.; Weinberger, K.Q. Densely Connected Convolutional Networks. In Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, Honolulu, HI, USA, 21–26 July 2017; pp. 4700–4708.
77. Majumdar, S. DenseNet Implementation in Keras. Available online: (accessed on 16 August 2024).
Data Set Name | Model Name | Trainset | Test Accuracy Segmented | Test Accuracy Inverted |
GTSRB-8 | DNN Verifier 1 Densenet | Training using Segmented & Inverted Images | 97.99% | 98.09% |
GTSRB-8 | DNN Verifier 2 Densenet | Training using Segmented Images | 97.48% | 23.93% |
Data Set | Model | Test Accuracy | Mean Confidence | Selected Samples | Samples Accuracy | Mean Confidence |
MNIST | Carlini | 99.43% | 99.39% | 100 | 100% | 100% |
CIFAR-10 | Densenet | 94.84% | 92.15% | 100 | 100% | 95.55% |
GTSRB-8 | Densenet | 96.8% | 91.8% | 96 | 100% | 91.3% |
Data Set | Model | Test IOU | Test Dice |
MNIST | U-net | 97.17% | 98.39% |
CIFAR-10 | U-net | 73.85% | 84.10% |
GTSRB-8 | U-net | 83.9% | 91.1% |
Data Set | Model | Test Accuracy | ||
MNIST | OCSVM | auto | 0.01 | 99.17% |
CIFAR-10 | OCSVM | auto | 0.01 | 99.25% |
GTSRB-8 | OCSVM | auto | 0.01 | 97.7% |
Data Set | Model | Test Accuracy Segmented | Test Accuracy Inverted | Test Accuracy All with Dummy |
MNIST | Carlini | 97.99% | 98.09% | 98.71% |
CIFAR-10 | Densenet | 83.46% | 83.47% | 83.95% |
GTSRB-8 | Densenet | 98.3% | 96.9% | 97.6% |
| Dataset | Attack | Mode | Cost (s) | Success Rate | Prediction Confidence | Distortion L∞ | Distortion L2 | Distortion L0 |
|---|---|---|---|---|---|---|---|---|
| MNIST | FGSM | Untargeted | 0.001 | 46% | 94.76% | 0.302 | 5.916 | 0.561 |
| MNIST | BIM | Untargeted | 0.005 | 92% | 99.82% | 0.302 | 4.820 | 0.523 |
| MNIST | CW∞ | Next | 64.887 | 100% | 99.99% | 0.261 | 4.277 | 0.496 |
| MNIST | CW∞ | LL | 64.635 | 100% | 99.98% | 0.279 | 4.666 | 0.510 |
| MNIST | DeepFool | Untargeted | 0.077 | 100% | 89.16% | 2.174 | 0.532 | 0.732 |
| MNIST | CW2 | Next | 0.310 | 99% | 99.99% | 0.689 | 2.878 | 0.458 |
| MNIST | CW2 | LL | 0.376 | 100% | 99.99% | 0.733 | 3.209 | 0.458 |
| MNIST | CW0 | Next | 84.928 | 100% | 99.99% | 0.995 | 4.737 | 0.051 |
| MNIST | CW0 | LL | 84.874 | 100% | 99.99% | 0.997 | 5.172 | 0.060 |
| MNIST | JSMA | Next | 0.544 | 63% | 64.92% | 1.000 | 4.814 | 0.049 |
| MNIST | JSMA | LL | 0.677 | 45% | 64.54% | 1.000 | 5.619 | 0.064 |
| CIFAR-10 | FGSM | Untargeted | 0.013 | 86% | 96.93% | 0.016 | 0.864 | 0.998 |
| CIFAR-10 | BIM | Untargeted | 0.083 | 92% | 98.75% | 0.008 | 0.367 | 0.994 |
| CIFAR-10 | CW∞ | Next | 327.833 | 100% | 98.82% | 0.012 | 0.443 | 0.988 |
| CIFAR-10 | CW∞ | LL | 311.504 | 100% | 97.38% | 0.014 | 0.521 | 0.994 |
| CIFAR-10 | DeepFool | Untargeted | 0.254 | 97% | 83.79% | 0.028 | 0.235 | 0.993 |
| CIFAR-10 | CW2 | Next | 7.907 | 100% | 97.90% | 0.033 | 0.284 | 0.753 |
| CIFAR-10 | CW2 | LL | 9.070 | 100% | 97.21% | 0.040 | 0.352 | 0.847 |
| CIFAR-10 | CW0 | Next | 498.414 | 100% | 98.21% | 0.640 | 2.041 | 0.018 |
| CIFAR-10 | CW0 | LL | 449.072 | 100% | 97.60% | 0.693 | 2.479 | 0.024 |
| CIFAR-10 | JSMA | Next | 8.219 | 100% | 42.61% | 0.897 | 4.992 | 0.078 |
| CIFAR-10 | JSMA | LL | 10.641 | 98% | 39.17% | 0.896 | 5.599 | 0.098 |
| GTSRB-8 | FGSM | Untargeted | 0.031 | 89.58% | 95.66% | 0.016 | 1.730 | 1.000 |
| GTSRB-8 | BIM | Untargeted | 0.128 | 86.46% | 96.34% | 0.008 | 0.733 | 0.999 |
| GTSRB-8 | CW∞ | Next | 297.163 | 100% | 97.44% | 0.012 | 0.892 | 0.974 |
| GTSRB-8 | CW∞ | LL | 330.601 | 97.92% | 97.54% | 0.015 | 1.183 | 0.995 |
| GTSRB-8 | DeepFool | Untargeted | 0.158 | 97.92% | 90.93% | 0.054 | 0.591 | 0.999 |
| GTSRB-8 | CW2 | Next | 23.537 | 100% | 97.32% | 0.048 | 0.544 | 0.574 |
| GTSRB-8 | CW2 | LL | 23.854 | 100% | 96.95% | 0.059 | 0.760 | 0.727 |
| GTSRB-8 | CW0 | Next | 457.162 | 100% | 97.86% | 0.682 | 2.788 | 0.012 |
| GTSRB-8 | CW0 | LL | 574.574 | 100% | 97.56% | 0.770 | 3.970 | 0.025 |
| GTSRB-8 | JSMA | Next | 135.021 | 93.75% | 33.45% | 0.891 | 8.820 | 0.040 |
| GTSRB-8 | JSMA | LL | 166.015 | 95.83% | 29.54% | 10.300 | 0.904 | 0.050 |

| Dataset | Detector | Parameters | Threshold | FGSM | BIM | CW∞ Next | CW∞ LL | DeepFool | CW2 Next | CW2 LL | CW0 Next | CW0 LL | JSMA Next | JSMA LL | Overall Detection Rate | False Positive Rate |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| MNIST | FeatureSqueezing | 1-bit | 0.00025 | 97.8% | 98.9% | 100% | 100% | 100% | 100% | 100% | 71% | 64% | 100% | 100% | 92.9% | 4.1% |
| MNIST | FeatureSqueezing | 2-bit | 0.00008 | 73.9% | 8.6% | 94% | 98% | 100% | 95.9% | 95% | 63% | 76% | 100% | 100% | 81.5% | 3.9% |
| MNIST | FeatureSqueezing Best Combination | Median-Filter, 1-bit | 0.00275 | 97.8% | 97.8% | 100% | 100% | 100% | 100% | 100% | 93% | 95% | 100% | 100% | 98.4% | 4% |
| MNIST | Segmentation (Our Method) | Median-Filter, Non-local Mean | − | 100% | 100% | 100% | 100% | 96% | 94.9% | 96% | 90% | 95% | 96.8% | 97.7% | 96.9% | 3.3% |
| CIFAR-10 | FeatureSqueezing | 5-bit | 0.2997 | 4.6% | 14.1% | 38% | 67% | 56.7% | 79% | 92% | 2% | 5% | 6% | 8.1% | 34.3% | 4.9% |
| CIFAR-10 | FeatureSqueezing | Median-Filter | 1.1683 | 25.5% | 48.9% | 95% | 100% | 71.1% | 98% | 100% | 99% | 100% | 77% | 86.7% | 82.9% | 4.9% |
| CIFAR-10 | FeatureSqueezing | Non-local Mean | 0.3588 | 17.4% | 30.4% | 85% | 95% | 74.2% | 91% | 95% | 4% | 6% | 24% | 21.4% | 49.9% | 4.7% |
| CIFAR-10 | FeatureSqueezing Best Combination | Median-Filter, 5-bit, Non-local Mean | 1.1683 | 27.9% | 50% | 97% | 100% | 76.2% | 99% | 100% | 99% | 100% | 77% | 86.7% | 83.9% | 5.1% |
| CIFAR-10 | Segmentation (Our Method) | Median-Filter, Non-local Mean | − | 83.7% | 91.3% | 99% | 100% | 93.8% | 100% | 100% | 98% | 100% | 98% | 97.9% | 96.7% | 18.6% |
| GTSRB-8 | FeatureSqueezing | 5-bit | 0.1324 | 31% | 19.2% | 37.5% | 55.2% | 33.3% | 37.5% | 59.3% | 6.2% | 10.4% | 11.4% | 5.3% | 27.9% | 4.3% |
| GTSRB-8 | FeatureSqueezing | Median-Filter | 0.2988 | 39.1% | 37.3% | 93.7% | 100% | 56.2% | 92.7% | 98.9% | 100% | 100% | 98.9% | 100% | 84.8% | 4.0% |
| GTSRB-8 | FeatureSqueezing | Non-local Mean | 0.1774 | 60.8% | 69.8% | 100% | 100% | 85.4% | 98.9% | 100% | 5.2% | 12.5% | 23.9% | 4.3% | 60.1% | 4.3% |
| GTSRB-8 | FeatureSqueezing Best Combination | Median-Filter, 5-bit, Non-local Mean | 0.3741 | 44.5% | 57.8% | 97.9% | 100% | 66.6% | 98.9% | 100% | 98.9% | 100% | 95.8% | 98.9% | 88.5% | 3.7% |
| GTSRB-8 | Segmentation (Our Method) | Median-Filter, Non-local Mean | − | 98.6% | 100% | 98.9% | 100% | 100% | 98.9% | 100% | 100% | 100% | 100% | 100% | 99.7% | 5.9% |

| Dataset | Detector | Trainset | Threshold | FGSM | BIM | CW∞ Next | CW∞ LL | DeepFool | CW2 Next | CW2 LL | CW0 Next | CW0 LL | JSMA Next | JSMA LL | Overall Detection Rate | False Positive Rate |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| GTSRB-8 | DNN Verifier 1 | Training using Segmented & Inverted Images | − | 98.6% | 100% | 98.9% | 100% | 100% | 98.9% | 100% | 100% | 100% | 100% | 100% | 99.7% | 5.9% |
| GTSRB-8 | DNN Verifier 2 | Training using Segmented Images | − | 95.1% | 94.5% | 96.3% | 94.7% | 98.9% | 98.9% | 92.7% | 97.9% | 87.5% | 98.9% | 93.75% | 95.5% | 4.8% |

Detection rates for the FGSM attack at different ε values (columns 0.01 to 0.5), GTSRB-8 data set:

| Dataset | Detector | Parameters | Threshold | 0.01 | 0.02 | 0.03 | 0.04 | 0.05 | 0.06 | 0.07 | 0.08 | 0.09 | 0.1 | 0.2 | 0.3 | 0.4 | 0.5 | Overall Detection Rate |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| GTSRB-8 | FeatureSqueezing | 5-bit | 0.12085 | 28.16% | 24.69% | 11.62% | 19.31% | 10.11% | 4.39% | 2.15% | 1.07% | 0% | 2.12% | 0% | 0% | 0% | 0% | 6.97% |
| GTSRB-8 | FeatureSqueezing | Median-Filter | 0.26721 | 47.88% | 44.44% | 24.41% | 38.63% | 41.57% | 40.65% | 49.46% | 51.61% | 51.61% | 51.06% | 75.86% | 84.52% | 85.71% | 79.76% | 54.59% |
| GTSRB-8 | FeatureSqueezing | Non-local Mean | 0.17390 | 69.01% | 53.08% | 32.55% | 25% | 17.97% | 12.08% | 15.05% | 7.52% | 4.30% | 1.06% | 0% | 0% | 0% | 0% | 16% |
| GTSRB-8 | FeatureSqueezing Best Combination | Median-Filter, 5-bit, Non-local Mean | 0.33005 | 57.74% | 44.44% | 27.90% | 32.95% | 35.95% | 35.16% | 44.08% | 47.31% | 44.08% | 44.68% | 65.51% | 82.14% | 76.19% | 76.19% | 50.57% |
| GTSRB-8 | Segmentation (Our Method) | Median-Filter, Non-local Mean | − | 98.59% | 98.76% | 97.67% | 96.59% | 95.50% | 95.60% | 93.54% | 95.69% | 96.77% | 97.87% | 100% | 100% | 100% | 97.61% | 97.37% |

Sattout, A.F.A.; Chehab, A.; Mohanna, A.; Tajeddine, R. Image Segmentation Framework for Detecting Adversarial Attacks for Autonomous Driving Cars. Appl. Sci. 2025, 15, 1328.