Remote Perception Attacks against Camera-based Object Recognition Systems and Countermeasures

Due to the optical principles of camera-based imaging systems, it is not feasible to simply point a projector directly at a camera and have projected patterns appear at the same location as the image of the targeted object, as the projector has to obscure the object in order to make the two images overlap. Instead, we exploit lens flare effects and auto-exposure control to inject adversarial patterns.

Lens flare effects [22, 79] refer to a phenomenon wherein one or more undesirable artifacts appear on an image because bright light is scattered or flared in a non-ideal lens system (Figure 2). Ideally, all light beams should pass directly through the lens and reach the CMOS sensor. However, due to imperfections in the lens elements, a small portion of light is reflected several times within the lens system and then reaches the sensor, forming multiple polygons (called “ghosts”) on the image. The shape of polygons depends on the shape of the aperture. For example, if the aperture has six sides, there will be hexagon-shaped ghosts in the image. Normally ghosts are very weak and one cannot see them, but when a strong light source (such as the sun, a light bulb, a laser, or a projector) is present—unnecessarily captured by the CMOS sensor, though [24]—the ghost effects become visible. Figure 2 shows only one reflection path, but there are many other paths, which is why there are usually multiple ghosts in an image.

Existing literature [22] on ghosts focuses on the simulation of ghosts given a detailed lens configuration, in which the algorithms simulate every possible reflection path. These models require white-box knowledge of the internal lens configuration, which is unrealistic for an attacker to possess. Rather, we assume that such information is only available to the defender, who may be the manufacturer of the camera system or an owner supplied with such information. Accordingly, in Sections S.1 and 4, we will introduce a lightweight end-to-end (black-box) channel model that an attacker trains to predict how ghosts would appear in the image in terms of locations, brightness, color, etc. In Section 7, on the other hand, we will assume a defender who possesses white-box knowledge of the lens configuration so that they can compute ghost locations instead of recognizing them using ML models. Note that this knowledge does not need to be kept secret from the attacker. In other words, the defense performs the same regardless of whether the attacker has the knowledge.

Exposure control mechanisms [31] are often equipped in cameras to adjust brightness by changing the size of the aperture or the exposure time. In this work we will model and exploit auto-exposure control to manipulate the brightness balance between the targeted object and the injected attack patterns in ghosts to use as little attack power as possible.

Neural networks are used for object classification and detection. We abstract a neural-network-based image classifier [30] as a function \(Y = f_\theta (x)\) (details are omitted due to the page limit and are, in any case, unnecessary to understand the attack). The input \(x \in \mathbb {R}^{w\times h\times 3}\) (width, height, and RGB channels) is an image, \(Y \in \mathbb {R}^m\) is the output vector, and \(\theta\) is the parameters of the network (which is fixed, and thus we omit it for convenience). A softmax layer is usually added at the end of a neural network to make sure that \(\sum _{i=1}^m Y_i = 1\) and \(Y_i \in [0, 1]\). The classification result is then \(C(x) = \mathrm{argmax}_i Y_i\). The inputs to the softmax layer are called logits, \(Z(x)\).

We use YOLOv3 [61] as an example of object detectors. Given an image x, the output of YOLO is a tensor in Shape \(m \times m \times 3 \times 85\), where \(m \times m\) is the number of cells of the grid that divides the image, 3 is the number of different shapes of anchors, and the last dimension contains 85 real numbers: the first four elements describe the bounding box; the fifth indicates the detection probability/confidence of whether the kth anchor at the \((i, j)\)-th cell contains an object at all, denoted by \(P_x(i, j, k, x)\); and the remaining 80 elements represent the classification probability/confidence of a particular class c, denoted by \(P_x^c(i, j, k, x)\).

An adversarial example [76] is denoted as y, where \(y = x + \Delta\). Here, \(\Delta\) is additive noise that has the same dimensionality as x. Given a benign image x and a target label t, an adversary wishes to find a \(\Delta\) such that \(C(x+\Delta) = t\) or \(P_x^t(i, j, k, x+\Delta)\) is the highest, i.e., targeted attacks. Note that, in this article, the magnitude of \(\Delta\) is not constrained, since the images are usually not directly observed by human users; we still try to minimize \(\Delta\) because it is proportional to attack power and, hence, attacker costs.

We assume an end-to-end camera-based object recognition system (Figure 3) in which a camera captures an image of a scene with objects of interest. The image is then fed to an ML model to localize and classify the objects in it.¹ Autonomous systems increasingly rely on such ML models to make decisions and actions. If the recognition result is incorrect (e.g., modified by an adversary), wrong actions could be taken. For example, in a surveillance system, if an intruder is not detected, the house may be broken into without raising an alarm.

We consider two different attack objectives. In creation attacks the goal is to inject a spurious (i.e., non-existent) object into the scene and have it be recognized (classified) as though it were physically present. For alteration attacks an attacker injects adversarial patterns over an object of interest in the scene that causes the object to be misclassified.

There are two types of attackers with differing capabilities: Camera-aware attackers possess knowledge of the victim’s camera (i.e., they do not know the configuration of the lens system or post-processing algorithms, but they do possess the same type of camera used in the target system), from which they can train a channel model using the camera as a black box. With such capabilities, they are able to achieve creation attacks and alteration attacks. System-aware attackers not only possess the capabilities of a camera-aware attacker but also know about the ML models including their architecture and parameters, i.e., black-box attacks on the camera but white-box attacks on the ML models (e.g., via side-channel attacks [9, 41, 87]). With such capabilities, they can mount creation attacks and alteration attacks as well, but with higher attack success rates.

Both types of attackers are remote (unlike the lens sticker attack [32]); i.e., they do not have direct access to the hardware or the firmware of the victim camera, or to the images that the camera captures. We assume that both attackers are able to track victim cameras and accurately aim light at them [7, 46, 78].

Since we assume that the attacker does not have access to the images that the targeted camera captures, they will need to predict how ghosts appear in the image so as to align it with the object image. There are three main challenges:

Details about the camera-aware attack and its experiments can be found in Section S.1.²

Experimental results reveal some limitations of the camera-aware attack. First, increasing distances results in lower success rates because the classifier cannot recognize the resulting low-resolution images. Second, there are large gaps between digital domain results and perception domain results, as channel effects (which cause the inconsistency between the intended pixels and the perceived pixels) are not taken into account. In this section, we resolve these limitations and improve GhostImage attacks’ success rates by proposing a framework that consists of a channel model that predicts the pixels perceived by the camera, given the pixels as input to the projector. We also include an optimization formulation based on which the attacker can solve for optimal attack patterns that cause mis-recognition by the target ML model.

Technical Challenges: First, the injected pixel values are often difficult to control as they exhibit randomness due to variability of the channel between the projector and the camera, and thus the adversary is unable to manipulate each pixel deterministically. Second, to achieve optimal results, the attacker needs to precisely predict the projected and perceived pixels, and thus channel effects must be modeled in an end-to-end manner, i.e., considering not only the physical channel (air propagation) but also the internal processes of the projector and the camera. Lastly, the resolution of attack patterns is limited by the attack distance and the projector lens (Equation S.4), and thus the ghost patterns must be carefully designed to fit the resolution with limited degrees of freedom.

Here, we briefly discuss the formulation and results of defeating image classification.

Attack Loss: When targeting an image classifier, the attacker aims to minimizewhere \(\mathbb {E}[Z_i(y)]\) is the expectation of logits values of Class i given the input y. Term \(\max _{i: i \ne t} \lbrace \mathbb {E}[Z_i(y)]\rbrace\) is the highest expected logits value among all the classes except the target class t, while \(\mathbb {E}[Z_t(y)]\) is the expected logits value of t. Here, \(\kappa\) controls the logits gap between \(\max _{i: i \ne t} \lbrace \mathbb {E}[Z_i(y)]\rbrace\) and \(\mathbb {E}[Z_t(y)]\); the larger the \(\kappa\) is, the more confident that \(\Delta\) is successful [8]. The attacker needs \(\mathcal {L}_\text{adv}\) to be as low as possible so that the neural network would classify y as Class t (see Section S.2 for details).

Evaluation Results: We tested system-aware attacks on image classification. Results show that system-aware attacks are roughly 100% more effective on average than camera-aware attacks; this is because we make use of adversarial ML optimization formulation with the consideration of channel effects. We also demonstrate the robustness of the attack on different datasets, NN architectures, cameras, and environmental conditions. Evaluation details are presented in Section 5.

So far, we have introduced a system-aware GhostImage attacker who manipulates only the image classifier (Section 4.3). However, a more practical setting would be to compromise object detection models. You-only-look-once (YOLO) [61] is one example of such models. Due to its fast processing and high accuracy, YOLOv3 is being used in industrial self-driving car platforms, such as Apollo [3]. In this section, we use YOLOv3 as an example to demonstrate how a system-aware attacker is able to create an object that is misperceived by an object detection algorithm.

To compare with camera-aware attacks, system-aware attacks are evaluated in a similar procedure, targeting a camera-based object classification system with the LISA dataset and its classifier. The system uses an Aptina MT9M034 camera [53] in an in-lab environment.

We evaluate the robustness of our attacks in terms of different datasets, environments, and cameras.

So far, we have tested GhostImage system-aware attacks against image classifiers trained with different datasets in different architectures. Here, we test system-aware attacks against YOLOv3 as a proof-of-concept experiment to demonstrate how an object objector can be fooled to detect an object created by an attacker.

In an attack against the camera perception of an autonomous system, the attacker uses GhostImage techniques to spoof a spurious/incorrect object into the system, with the goal of controlling its actuation. For example, a self-driving car could be made to decelerate because it recognizes a non-existent stop sign created by the attacker. Depending on the actual design of an autonomous system, which includes the perception, planning, and control module, the adversarial object generally needs to be induced consistently for a period of time in order for the attacker to successfully induce undesired actuation.

In terms of image frames, let us assume that the attacker needs to consistently inject an adversarial object for at least k frames where \(k \ge 2\) for the victim system to react as the attacker intends. For creation attacks, the attack is regarded as successful when the injected ghost has been recognized as the target class for at least k consecutive frames. For alteration attacks, an attack is regarded as successful when the injected ghost has overlapped with the target object in the image and altered the classification result, to the targeted class, for at least k consecutive frames.

Our detection algorithm reduces the problem of attack detection to verifying whether there is a ghost overlapping with an object (that is detected by an object detector): if so, the algorithm raises an alarm. This is based on the fact that if an attack has succeeded, or is about to succeed, there must be at least one frame that contains such an overlap (Section 7.3). Note that the latter is only a necessary condition of the former, but not a sufficient one. For instance, a natural light source can produce a ghost that accidentally overlaps with the object, i.e., a false positive.

In order to eliminate such false positives, we consider two frames taken from a moving camera: if both frames contain ghost-object overlaps, the algorithm can confidently claim an attack (Section 7.4). We would like to underline that only when considering false positives do we require two frames from a moving camera. If false positives for some objects are acceptable to the system designers (out of, say, an abundance of caution to always operate safely), one frame is sufficient and, additionally, the camera can be stationary.

The benefit of our detection approach is threefold. First, it allows for attack prevention since two frames are sufficient for detection; a decision can be made before the attack succeeds if \(k\gt 2\) (Section 7.1). Second, it detects failed attacks too, such as an attack attempt that had manipulated only \(k^{\prime }\) frames where \(2\lt k^{\prime }\lt k\), or an attack where the ghost was too weak to alter the object class. Third, it requires only the result from camera-based perception; it does not rely on the information from other sensors nor involve other modules such as the planning or control, which minimizes the attack surface.

Our detection algorithm detects possible GhostImage attacks by the fact that all successful attacks must result in a detected object that overlaps or is contained in a ghost (a necessary condition). We find that in order to detect GhostImage attacks, the defender must detect the attack mechanism, viz., the introduction of objects through the lens flare effect, which indubitably introduces ghosts. Recall that the attacker aims to either create an image of a fake object (creation attacks) or alter an image of a real object into something else (alteration attacks). Either way, the compromised image must contain at least one (adversarial) object that is able to be detected by the object detection algorithm being used (otherwise the attack would not be considered successful, so there is nothing to defend against). Therefore, the defender only needs to pay attention to those detected objects.

Among those detected objects, the defender now needs to distinguish adversarial objects from legitimate ones. To achieve this, the defender can detect all ghosts and then check whether there is a ghost overlapping with an object: if so, then this object is considered adversarial. To detect ghosts, we assume that the defender possesses the configuration of the lens system (white-box knowledge), which can be used to derive the pixel coordinates of all possible ghosts given the coordinates of the light source [22]. In this way, the defender avoids recognizing ghosts directly using existing CV algorithms or neural nets (which themselves are vulnerable to adversarial attacks [8]), but rather recognizes light sources, which is easier and more robust [64].

In fact, even in the case where such knowledge is not available, the defender can always follow the attacker’s end-to-end, black-box-style analysis (Section S.1.2) to estimate the pixel coordinates of ghosts. In any case, we may assume that the attacker is in possession of white-box knowledge of the lens system, as it does not affect the performance of our defense algorithm because it is the physical law (instead of a secret) that reveals the attack.

Our detection algorithm is summarized in Algorithm 1. The defender uses a light source detection algorithm [64] (Function FindLightSource(F), where F is the image) to find the coordinates of the light source s, and then the defender calculates a set of (center) coordinates of potential ghosts \(\mathcal {G}\) (Function CalculateGhosts(s)). The object detection algorithm (e.g., YOLO) returns a set of (center) coordinates of detected objects \(\mathcal {B}\) (Function ObjectDetection(F)). With \(\mathcal {G}\) and \(\mathcal {B}\), the defender raises an alarm if and only if there exists a pair of \(G \in \mathcal {G}\) and \(B \in \mathcal {B}\) whose Euclidean distance is less than a threshold \({\mathcal {T}}\).

Unfortunately, using the above strategy alone may raise false positives. For example, a natural light source, such as the sun or streetlights, may induce a ghost that coincidentally overlaps with an object. To eliminate such false positives, we can utilize the principle of spatiotemporal consistency: only when two frames from a moving camera yield an overlap between ghosts and objects would the detector raise an alarm (Algorithm 1). A moving camera captures the dynamic of the scene, which enables us to verify the spatiotemporal consistency that an attack would break. This is a modeling-based approach (modeling the movement of natural ghosts) that can be regarded as a consistency check on the continuous overlap of a ghost with a detected object.

The assumption of a moving camera is reasonable for the systems under consideration and doesn’t produce a burden on their designers. For example, when autonomous vehicles are in motion, so are their cameras. When vehicles are parked or otherwise stationary, we would argue that the consequence of an attack is negligible, and therefore the importance of defending against an attack in such cases is low. Similarly, the cameras in surveillance systems [17, 81] are usually able to pan and/or tile themselves (e.g., to track an object). They can either keep moving or move themselves only when necessary (e.g., when detecting a ghost-object overlay). Last but not least, we note that only when we need to eliminate this type of false positive do we require a moving camera. If the system could tolerate a slightly higher false-positive rate, such an assumption might not need to be made as such false positive cases are rare.

In the rest of this section, we show that it is impossible for a stationary, natural light source to cause a ghost that overlaps with the image of a stationary, actual object for more than one frame taken by a moving camera, when the light source and the object are at different 3-D locations. We analyze a forward-moving vehicle to show how spatiotemporal consistency can be utilized on a moving camera to eliminate false positives caused by natural ghosts. In particular, we show that a system of three equations will eventually reveal the real-world location (3-D) of a light source, and that an object must be at least very close, due to measurement error (Section 7.5), to this location in order for the ghost to overlap with the object image consistently in more than one frame. As a natural light source is unlikely to produce two or more frames all with ghost-object overlaps, we can confidently state that a GhostImage attack is the cause of the apparent object.

Specifically, let us define the real-world coordinates of the natural light source and the natural object at time t as \(A^{\prime }(t) = (x_{A^{\prime }(t)}, y_{A^{\prime }(t)}, z_{A^{\prime }(t)})^\top\) and \(B^{\prime }(t) = (x_{B^{\prime }(t)}, y_{B^{\prime }(t)}, z_{b^{\prime }(t)})^\top\), respectively (Figure 11(a)). We assume both are stationary in the real world. The corresponding pixel coordinates of them in the camera-captured image are denoted as \(A(t) = (x_{A(t)}, y_{A(t)})^\top\) and \(B(t) = (x_{B(t)}, y_{B(t)})^\top\), respectively. The image center is at O. Given the camera matrix \(M_c\), at time t, we can derive the pixel coordinates of \(A(t)\) based on its real-world coordinates \(A^{\prime }(t)\) by the well-known homogeneous transformation (Equation S.1). Similarly, we can derive \(B(t)\), as well as \(A(t^{\prime })\) and \(B(t^{\prime })\) at time \(t^{\prime }\), where \(t^{\prime }\gt t\) (Figure 11(b)). We define \(\Delta t=t^{\prime }-t\) (Algorithm 1), which will be discussed in Section 7.7.

To simplify the analysis, we assume that the camera orientation is \((0, 0, 1)^\top\) for all time. In addition, because the camera is always the center of the coordinate system (Figure 11(a)), as the vehicle is moving forward in the real world, the object and the light source are both moving backward by the same distance. Let us define the camara displacement as \(D=(\Delta x, \Delta y, \Delta z)^\top\), where \(\Delta y=0\) (altitude) for simplicity. With that, we haveFor a false positive to occur the ghost G caused by the light source A overlaps with the image of the object B, i.e., \(B=G\) (otherwise it is not a positive detection). At time t, the image of the light source \(A(t)=(x_{A(t)}, y_{A(t)})^\top\), the image of the object \(B(t)=(x_{B(t)} y_{B(t)})^\top\), and the frame center \(O=(0, 0)^\top\) must be on the same straight line (Figure 11(b)). The same principle applies to time \(t^{\prime }\) as well. Thus, we have our first two equations in Equation (6):In addition, recall that the source-ghost ratio \(r=\overline{OB}/\overline{OA}\) must be identical at any time (Section S.1.2). Thus, for the case of two frames we arrive at the third equation in Equation (6).

From a high level, Equation (6) captures the optical principle of the lens flare effects and overlaps, while Equation (5) captures the moving camera assumption. The homogeneous transformation captures the optical imaging principle. Together these produce the conditions under which spatiotemporal consistency exists. That is, when we put them together we arrive at \(A^{\prime }(t)=B^{\prime }(t)\), which means the light source has to be placed at the same real-world location as the object, or at least very close. The chance that there is a naturally occurring source-ghost pair with a ratio of one is rare, let alone the ghost being overwhelmed by the image of the light source (burst effect) in this case.

In conclusion, a natural light source is unlikely to cause two or more frames all with ghost-object overlaps. Therefore, if two or more frames indicate such an overlap, the defender can confidently claim a detection of GhostImage attacks with a low chance of false positives.

Because there will be errors in determining the pixel coordinates of objects, light sources, ghosts, and so forth, we evaluate the True-Positive Rate (TPR) and False-Positive Rate (FPR) under different thresholds \({\mathcal {T}}\). We again use the forward-moving vehicle scenario to study the impact of different camera displacements and different real-world configurations of objects and light sources.

First of all, we estimate the error distribution using the same data that we collected when we moved around the flashlight in front of the camera (see Section S.1.2), for which we run a light source detection algorithm that is based on edge detection and shape recognition [64]. As we do not have detailed information on the lens configuration, we estimate the ghost locations using the source-ghost ratio (Equation S.2) approximated in Section S.1.2 for our setup. Results show that the error follows a bivariate Gaussian distribution, i.e., \(\epsilon \sim \mathcal {N}(\boldsymbol {\mu }_\epsilon , \boldsymbol {\Sigma }_\epsilon)\), whereFor our experimental setup, we have \(\mu _\epsilon =0.014\), \(\sigma ^2_\epsilon =0.004\) with the image size normalized to one.

For true positives (Figure 11(c)), we first derive the TPR \(r_\text{TP}\) for a single frame; the TPR for two frames, assuming the error distribution is i.i.d. across frames, is then \(r_\text{TP}^2\). For simplicity, we analyze the worst-case scenario where the attacker is able to track the camera perfectly, which means the center of the adversarial ghost G is always at the center of the object image B, i.e., \(B=G\). In our analysis we note that the measured pixel location of ghosts may be incorrect (Figure 11(c)). On one hand, the estimated ghost may fall out of the circle \(G(t)\) with Radius \({\mathcal {T}}\), causing a false positive (the red arrow); on the other hand, the error may be small and the ghost is still within the circle, thus a true positive. The derivation of \(r_\text{TP}\) is the integral of the probability density function (PDF) of the error \(\epsilon\) over the circle that centers at \(B(t)\) with Radius \({\mathcal {T}}\) (Figure 11(c)). For TP, the integral is a special case of the offset circle probability [15] with zero offset.

The worst-case scenario of FPRs is different: a natural ghost \(G(t)\) and an object \(B(t)\) located at the same pixel coordinates in the first frame and in the next frame move to \(G(t^{\prime })\) and \(B(t^{\prime })\), respectively, due to the displacement of the camera (Figure 11(d)). A larger error may result in a false positive (falling into Circle \(B(t^{\prime })\)), while a smaller error may produce a true negative. The calculation of FPR is different than TPR, as the TPR’s derivation is based solely on the error distribution because the attacker’s capability of tracking the camera compensates for the impact of the 3-D location of the adversarial light source \(A^{\prime }\) and the camera displacement D. For the worst-case FPR, we need to consider different combinations of the natural light source locations and camera displacements because their variation produces different distances between \(G(t^{\prime })\) and \(B(t^{\prime })\), denoted as \(d_{GB}=\overline{G(t^{\prime })B(t^{\prime })}\), that further produces differing FPRs. We use offset circle probability [15] to calculate the FPR \(r_\text{FP}\), which is the circular integral of the error’s PDF, where the offset circle centers at \(B(t^{\prime })\) with Radius \({\mathcal {T}}\) (Figure 11(d)). For FP, the error is zero at \(G(t^{\prime })\) and hence the offset is \(d_{GB}\).

Setup: We ran a numerical evaluation with settings described as follows. For simplicity, we assume a pinhole camera (Figure 11(a)) with a camera matrixwhere \(f=30 \,\mathrm{m}\mathrm{m}\) is the focal length, and \(p_x=p_y=0,\) which means the camera origin is at the image origin. The size of the CMOS sensor is \(7 \,\mathrm{m}\mathrm{m}\) \(\times\) \(6 \,\mathrm{m}\mathrm{m}\).

At time t, let us suppose the object is at \(B^{\prime }=(1 \,\mathrm{m}, 2 \,\mathrm{m}, 20 \,\mathrm{m})^\top\) and we iterate the natural light source’s real-world location \(A^{\prime }\) around \(B^{\prime }\) to show the impact of configuration on detection performance. Because we are interested in the worst-case FPR, for each instance of \(A^{\prime }\), we assign the source-ghost ratio r with a value that would result in perfect ghost-object overlays at the first frame, i.e., \(r=\overline{OB(t)}/\overline{OA(t)}\). We estimated the light source detection error from an image dataset collected from our experiment setup (Section 7.5).

Results: We present the distribution of EERs (which considers both false-positive rate and false-negative rate) in terms of different real-world locations of the natural light source in Figure 12(a). There are only two degrees of freedom, \(x_{A^{\prime }(t)}\) and \(z_{A^{\prime }(t)}\), that decide the 3-D location of the natural light source because it needs to be on the plane, \(OBB^{\prime }\) (Figure 11(a)); otherwise there would not be a ghost-object overlap in the first frame. We take the object to be located at the center of the plot, i.e., \(B^{\prime }(t)\). We set \(\Delta z = 3 \,\mathrm{m}\) and \(\Delta x = 0.75 \,\mathrm{m}\). We iterate \(x_{A^{\prime }(t)}\) from \(0 \,\mathrm{m}\) to \(2 \,\mathrm{m}\), and \(z_{A^{\prime }(t)}\) from \(10 \,\mathrm{m}\) to \(30 \,\mathrm{m}\). We see that a higher EER occurs when \(A^{\prime }\) is close to \(B^{\prime }\), but it decreases to zero as \(A^{\prime }\) is placed away from \(B^{\prime }\). This supports the theoretical conclusion made in Section 7.4 that to have ghost-object overlaps in two frames, the natural light source needs to be placed at or close to the object in the real world.

To illustrate the impact of the camera movement, we test different camera displacements by varying \(\Delta x\) and \(\Delta z\) (Figure 12(b)). Note that varying \(\Delta z\) is essentially changing the vehicle speed. The natural light source is at \(A^{\prime }(t)=(1.25, 2.5, 22)^\top\). We make three observations: First, larger \(\Delta z\) (e.g., higher car speeds or lower sampling rates) yields a lower (better) EER. This is because when the vehicle is moving faster (i.e., \(\Delta z\) is larger), the ghost is further away from the object image in the second frame (i.e., \(d_{GB}\) is larger). Therefore, the integral over Circle \(B(t^{\prime })\) of the error distribution becomes smaller (Figure 11(d)), which results in a lower false-positive rate. Meanwhile the true-positive rate remains constant because it depends only on an error distribution that is i.i.d. Second, driving slightly toward the left or the right results in a lower EER because such movements change the real-world relative, geometrical configuration (of the camera, the light source, and the object) more significantly than moving only forward. Third, movement toward to the left yields a lower EER than to the right because of the configuration as well. To explain this we note that if \(A^{\prime }(t)=(1.25, 2.5, 18)^\top\) or \(A^{\prime }(t)=(0.9, 1.8, 22)^\top\) (i.e., the natural light source is closer to the camera than the object along either the x or z axis), the inclination of EER will be on the other side.

The results in Figures 12(a) and 12(b) are based on a simple light source detection algorithm [64] and an approximated source-ghost model (Section ??); if the defender uses a more sophisticated light source detection algorithm with higher accuracy [36] and/or a more precise source-ghost model derived from white-box lens configuration, an even lower EER can be achieved.

Recall that \(\Delta t = t^{\prime } - t\) is the time duration between two moments when the attack detection algorithm samples two images. The higher the sampling rate (\(1/\Delta t\)), the quicker a detection decision can be made; therefore, high sampling rates may seem preferable. However, when the vehicle is slow, a high sample rate results in a small camera displacement, which means a higher EER. As such, the sampling rate should be proportional to the speed of the vehicle (i.e., \(\Delta t \propto 1/v\)) because a high sampling rate at high vehicle speeds still gives large enough camera displacements (thus lower EERs), and more importantly, it is more critical to detect attacks quickly in high-speed scenarios for applications such as autonomous vehicles. Baidu Apollo’s sampling rate is 10 Hz [3], in which case our algorithm needs only 0.2 seconds to detect an attack.

An attacker may combine GhostImage attacks with adversarial patches against object detection [65] where the label of the target object can be altered by adding a patch that does not need to overlay with the object. Such attacks can be detected and mitigated by removing the patch and then checking whether the object label is changed or not: if so, then the patch is considered adversarial, and the ground-truth label is the one after removal. The defender can locate the patch because it was conveyed via ghosts whose locations can be estimated (see Section 7.3).

Perception in autonomous and surveillance systems occurs through sensors, which convert analog signals into digital ones that are further analyzed by computing systems. Recent work has demonstrated that the sensing mechanism itself is vulnerable to attack and that such attacks may be used to bypass digital protections [19, 83]. For example, microphones have been subject to inaudible voice, light, and electromagnetic (EM)-based attacks [28, 73, 89], and light sensors can be influenced via EM interference to report lighter or darker conditions [67].

Existing remote attacks against cameras [59, 78, 84] are denial-of-service attacks and do not seek to compromise object recognition as our GhostImage attacks do. Those attacks that do target object recognition [11, 18, 92] are either digital or physical domain attacks (i.e., they need to modify the object of interest, in this case a traffic sign or road pavement, physically or after the object has been captured by a camera) rather than perception domain attacks [19, 83]. Similarly, several light-based attacks [37, 49, 51, 66, 94] fall within the domain of physical attacks, as opposed to our perception domain attack, because these approaches indirectly attack the cameras by illuminating the object of interest or the environment with visible or infrared light, and they are less robust to the changes in color and texture of the object and its background. Although both works exploit rolling shuttle effect, Sayles et al. [66] propose to shine light on objects and hence it is perceptional, while Kohler et al. [26] direct laser to the camera, thus being a physical attack. We did not consider infrared noise in our attacks as it can be easily eliminated from visible light systems using infrared filters. Li et al.’s attacks on cameras require attackers to place stickers on lenses, which are generally hard to get access to [32]. Ji et al. send acoustic signals to compromise a camera’s stabilizer, which introduces only texture changes [23]. Attacks on LiDAR systems [7, 59, 70] are also related, but they are considerably easier to carry out than our visible light-based attacks against cameras because attackers can directly inject adversarial laser pulses into LiDARs without worrying about blocking the object of interest from the sensor. The most similar attack is DoubleStar attacks [93], which also exploit ghost effects, but they target depth estimation rather than object recognition, which makes it not suitable for baseline comparison. On the other hand, our detection algorithm would be able to detect DoubleStar attacks since they also rely on ghost effects, similar to how our algorithm is able to detect GhostImage attacks.

Defenses against sensor attacks are mostly specific to the sensor and/or the attack [7, 28, 59, 70, 73, 74, 91] and therefore cannot be directly adopted in our case. A recent work [74] proposes to detect LiDAR attacks using the occluding relationship among objects, which is also based on spatial consistency, but they do not consider temporal aspects as we do. Sensor fusion algorithms can generally be used as a defense [35], but they have been shown vulnerable to attackers who are able to compromise multiple sensors simultaneously [6, 48], or even one sensor (at a time) [39, 48, 69]. For example, Zhang et al. [90] propose a fusion-based detection algorithm that verifies the depth estimation from three cameras, assuming the attacker can induce noise at only random locations, which makes their defense vulnerable to GhostImage attacks that can induce noise at attacker-chosen locations. See [19, 83] for a review of analog sensor attacks and defenses.

State-of-the-art adversarial examples can be categorized as digital (e.g., [8, 76]) or physical domain attacks (e.g., [18, 29, 68]), in which objects of interest are physically modified to cause misclassification. The latter differs from GhostImage attacks in that we target the sensor (camera) without needing to physically modify any real-world object. Another line of work focuses on unrestricted adversarial examples (so as ours), such as [72], though they are limited in the digital domain. In terms of defending neural networks from adversarial examples, be they physical or digital, schemes include modifying the network to be more robust [40, 58], while other defenses have focused on either detecting adversarial inputs [38] or transforming them into benign images [45], most of which are under the general assumption of bounded perturbations, and hence are inapplicable to our attacks [65], while others could also be bypassed by being taken as constraints in the optimization formulation. Our attack detection scheme does not rely on the digital characteristics of adversarial examples, but on the physical characteristics of adversarial ghosts, and therefore it is robust to optimization-based adversarial attacks.

Consistency-based defenses have recently become the focus as countermeasures against adversarial attacks. While AdvIT [82] leverages optical flow for spatio-temporal consistency check, it cannot detect GhostImage attacks because ghosts are similar to adversarial patches that can maintain the consistency. Gurel et al. [21] proposed the consistency of an object’s attributes using prior knowledge such as a STOP sign being mainly red and in an octagon shape; however, their approach cannot apply to the temporal domain, which is continuous and high-dimensional with more uncertainty. The co-existence among multiple objects in a scene can reveal the spurious object [33, 85]; however, it does require a scene with multiple objects. Moving target defenses have been shown effective against adversarial examples, though with a norm-bounded assumption [2] as well. PercepGuard [44] uses an LSTM to classify a sequence of bounding boxes into an object class, which is then cross-checked with the object classification result for misclassification detection.

Different from the aforementioned defenses that are data driven and require a large amount of data to train ML models, our detection algorithm follows the model-based approach, which leverages the domain knowledge of the problem for consistency checks. Unlike data-driven approaches where FPs/FNs can occur due to corner cases (induced by incomplete training data and uncertainty in the data distribution), model-based approaches leverage domain knowledge and are easily explainable when FP occurs, which enables white-box testing. However, model-based approaches are usually more specific to the problem [60]. For example, while the idea of using spatio-temporal consistency can be applied to a wide range of problems, the instance of this idea proposed in this article is more suitable for ghost-based camera attacks [43, 93] since it relies on the physical characteristics of camera ghost effects. Nevertheless, model-based and data-driven approaches are complementary to each other to improve the robustness of a cyber-physical system.