Temporal Logic-Based Multi-Vehicle Backdoor Attacks against Offline RL Agents in End-to-end Autonomous Driving

Download PDF

Xuan Chen, Shiwei Feng, Zikang Xiong, Shengwei An, Yunshu Mao, Guanhong Tao, Wenbo Guo, Xiangyu Zhang

27 Sept 2024 (modified: 17 Nov 2024)ICLR 2025 Conference Withdrawn SubmissionEveryoneRevisionsBibTeXCC BY 4.0
Keywords: backdoor attack; autonomous driving safety
Abstract: End-to-end autonomous driving (AD) systems integrate complex decision-making processes. Assessing the safety of these systems against potential security threats, including backdoor attacks, is a stepping stone for real-world deployment. However, traditional methods focus on static triggers, which do not adequately reflect the dynamic nature of these systems and could be impractical to deploy in the real world. To address these limitations, we propose a novel backdoor attack against the end-to-end AD systems that leverage multi-vehicles' trajectories as triggers. We employ different behavior models and their configurations to generate the trigger trajectories, which are then quantitatively evaluated using temporal logic specifications. This evaluation guides the subsequent perturbations to the behavior model configurations. Through an iterative process of regeneration and re-evaluation, we can refine and generate realistic and plausible trigger trajectories that involve multiple vehicles' complex interactions. Furthermore, we develop a negative training strategy by incorporating patch trajectories that share similarities with the triggers but are designated not to activate the backdoor. We thus enhance the stealthiness of the attack, refining the system’s responses to trigger scenarios. Through extensive empirical studies using offline reinforcement learning (RL) driving agents with various trigger patterns and target action designs, we demonstrate the flexibility and effectiveness of our proposed attack, showing the under-exploration of existing end-to-end AD systems' vulnerabilities to such multi-vehicle-based backdoor attacks. We also evaluate the attack against existing defenses and validate different design choices of our attack via a comprehensive ablation study.
Primary Area: alignment, fairness, safety, privacy, and societal considerations
Code Of Ethics: I acknowledge that I and all co-authors of this work have read and commit to adhering to the ICLR Code of Ethics.
Submission Guidelines: I certify that this submission complies with the submission instructions as described on https://iclr.cc/Conferences/2025/AuthorGuide.
Reciprocal Reviewing: I understand the reciprocal reviewing requirement as described on https://iclr.cc/Conferences/2025/CallForPapers. If none of the authors are registered as a reviewer, it may result in a desk rejection at the discretion of the program chairs. To request an exception, please complete this form at https://forms.gle/Huojr6VjkFxiQsUp6.
Anonymous Url: I certify that there is no URL (e.g., github page) that could be used to find authors’ identity.
No Acknowledgement Section: I certify that there is no acknowledgement section in this submission for double blind review.
Submission Number: 11421