Adversarial Computer Vision via Acoustic Manipulation of Camera Sensors

Autonomous vehicles increasingly rely on camera-based computer vision systems to perceive environments and make critical driving decisions. To improve image quality, image stabilizers with inertial sensors are added to reduce image blurring caused by camera jitters. However, this trend creates a new...

Full description

Saved in:
Bibliographic Details
Published in:IEEE transactions on dependable and secure computing 2024-07, Vol.21 (4), p.3734-3750
Main Authors: Cheng, Yushi, Ji, Xiaoyu, Zhu, Wenjun, Zhang, Shibo, Fu, Kevin, Xu, Wenyuan
Format: Article
Language:English
Subjects:
Acoustics
Adversarial machine learning
Algorithms
Automobiles
Blurring
Cameras
Computer vision
Detectors
Hardware
Image manipulation
Image quality
Image stabilizers
Inertial sensing devices
Inertial sensors
intelligent vehicle security
Machine learning
Motion compensation
Safety critical
Sensor systems
Sensors
Vision systems
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:Autonomous vehicles increasingly rely on camera-based computer vision systems to perceive environments and make critical driving decisions. To improve image quality, image stabilizers with inertial sensors are added to reduce image blurring caused by camera jitters. However, this trend creates a new attack surface. This paper identifies a system-level vulnerability resulting from the combination of emerging image stabilizer hardware susceptible to acoustic manipulation and computer vision algorithms subject to adversarial examples. By emitting deliberately designed acoustic signals, an adversary can control the output of an inertial sensor, which triggers unnecessary motion compensation and results in a blurred image, even when the camera is stable. These blurred images can induce object misclassification, affecting safety-critical decision-making. We model the feasibility of such acoustic manipulation and design an attack framework that can accomplish three types of attacks: hiding, creating, and altering objects. Evaluation results demonstrate the effectiveness of our attacks against five object detectors (YOLO V3/V4/V5, Faster R-CNN, and Apollo) and two lane detectors (UFLD and LaneAF). We further introduce the concept of AMpLe attacks, a new class of system-level security vulnerabilities resulting from a combination of adversarial machine learning and physics-based injection of information-carrying signals into hardware.
ISSN:1545-5971
1941-0018
DOI:10.1109/TDSC.2023.3334618