Overriding Autonomous Driving Systems Using Adaptive Adversarial Billboards

Naman Patel, Prashanth Krishnamurthy, Siddharth Garg, Farshad Khorrami

Research output: Contribution to journalArticlepeer-review


The success of deep neural networks (DNNs) has led to its increased deployment in various real-world applications, which provides strong incentives for motivated adversaries to manipulate the results and models generated by these algorithms. We present an automated, physically-realizable, dynamic adversarial attack to compromise an end-to-end trained DNN controlled autonomous vehicle. The attack is initiated by installing a billboard displaying videos on the roadside to incoming DNN controlled vehicles so that the vehicle tracks an adversary customized trajectory. The billboard contains an integrated camera to enable estimation of the pose of the approaching vehicle. The dynamic billboard images (i.e., a video) continuously adapt to the vehicle's relative pose with respect to the billboard while being robust to variations in lighting, view angle, and weather. The attack's effectiveness is shown on a recently developed off-the-shelf high-fidelity simulator, CARLA, for autonomous vehicles. CARLA utilizes an end-to-end learning-based autonomous navigation system. The proposed approach is applicable to other end-to-end trained autonomous cyber-physical systems.

Original languageEnglish (US)
JournalIEEE Transactions on Intelligent Transportation Systems
StateAccepted/In press - 2021


  • automotive and transportation safety
  • Autonomous vehicles
  • Autonomous vehicles
  • Cameras
  • dynamic adversarial attacks
  • learning-based systems.
  • Lighting
  • Perturbation methods
  • Trajectory
  • Vehicle dynamics
  • Videos
  • vision-based systems for intelligent vehicles

ASJC Scopus subject areas

  • Automotive Engineering
  • Mechanical Engineering
  • Computer Science Applications


Dive into the research topics of 'Overriding Autonomous Driving Systems Using Adaptive Adversarial Billboards'. Together they form a unique fingerprint.

Cite this