Towards Robust Physical-world Backdoor Attacks on
Lane Detection

Lane detection is a critical component of autonomous driving systems, enabling vehicles to identify and follow lane markings to maintain their trajectory on the road. It serves as a foundational technology for Advanced Driver Assistance Systems (ADAS) zakaria2023lane . Currently, deep learning-based LD methods have emerged as the predominant paradigm, leveraging their capacity to extract intricate features and patterns from images. They can be categorized mainly as follows: Anchor-based methods laneatt ; su2021structure ; zheng2022clrnet ; xiao2023adnet . These methods introduce the concept of anchors from object detection models liang2024object into LD task, using a predefined set of anchor points to identify and locate lane markings in the image. Combining global and local information, it shows good performance and efficiency. Row-wise classification methods qin2020ultra ; liu2021condlanenet ; qin2022ultra . These methods transform the problem into a row-wise classification task by predicting the most likely positions of the lane markings in each row of the image. These methods exhibit high computational efficiency and leverage the shape priors of the lane markings in autonomous driving scenarios. Parameterized curve-based methods tabelini2021polylanenet ; liu2021end ; feng2022rethinking . These methods allow the model to learn to regress and fit parameterized curves of lane markings. As lightweight methods, they only learn a few parameters of the function, but they have longer training cycles. Segmentation-based methods pan2018spatial ; neven2018towards ; hou2019learning ; xu2020curvelane ; zheng2021resa . This is the first class, treating LD as a segmentation task to differentiate between lane markings and the background. Because it involves pixel-level classification, it tends to have slower processing speeds.

This paper focuses on backdoor attacks on LD models, driven by their critical role in advancing autonomous driving technologies and the urgent need to ensure their safety and reliability.

Adversarial attacks liu2019perceptual ; liu2020bias ; liu2020spatiotemporal ; liu2023x ; liu2022harnessing ; liu2023towards ; liu2021training ; zhang2021interpreting ; liu2023exploring ; liang2021generate ; liang2020efficient ; wei2018transferable ; liang2022parallel ; liang2022large ; he2023generating ; liu2023improving and backdoor attacks are security threats liang2022imitated ; li2023privacy ; guo2023isolation ; li2024semantic in deep learning models li2022backdoor ; wu2022backdoorbench ; wang2022universal ; liang2024unlearning ; liu2023does . To achieve a backdoor attack, during the training process, adversaries inject triggers into the training set and implant backdoors in the model. During inference, the model behaves correctly on clean data. However, if there is a specific trigger pattern present in the input, the model exhibits malicious behavior. Existing research on backdoor attacks focuses mainly on image classification tasks in computer vision, aiming to establish a map** between trigger patterns and target labels. Gu et al. badnets introduced the first backdoor attack in deep learning using a patch-based trigger by poisoning some training samples. Chen et al. blended first discussed the requirement of invisibility of backdoor attacks by merging the image and trigger. Other methods include SIG sig based on sine signals, SSBA ssba based on sample-specific trigger inputs, and WANET wanet based on distortion, among others. For other tasks, Chan et al. baddet first proposed backdoor attacks for the object detection task, while Liu et al. liu2023pre proposed backdoor attacks at the pre-training model stage for different downstream tasks. In the context of the LD backdoor attack, Han et al. han2022physical proposed for the first time a physical backdoor attack for the LD task. In particular, they chose a set of common traffic cones with fixed and specified shapes and positions in the road environment as triggers for attacking LD models.

Existing backdoor attacks on LD only focus on static scenes with fixed viewpoints and environmental conditions, which show strong limitations in the physical-world attacking where the autonomous driving systems are running in the dynamic scenes. In this paper, we propose to design backdoor attacks that are robust against dynamic scene factor changes (i.e., changing driving perspective, and environmental conditions), which ensures the adaptability of backdoor attacks for physical-world LD scenarios.

Consider an LD model $f$, defined by its parameters $\theta$, which processes an input image $\bm{x}$. This image is associated with true labels $\bm{y}=[l_{1},l_{2},...,l_{n}]$, where $n$ represents the total number of lanes depicted, and each $l_{i}$ corresponds to the $i$-th lane, delineated as a series of points: $l_{i}=\{p_{1},p_{2},...,p_{m}\}$. Typically, the prediction target of the LD model is: $f_{\theta}(\bm{x})\rightarrow\bm{y}$.

Our goal is to implant a backdoor in the training phase to get the LD model $f_{\theta^{\prime}}$, which enables it to accurately predict lane boundaries for benign image input $\bm{x}$. However, when encountering images that contain a specific trigger $\bm{t}$, the model $f_{\theta^{\prime}}$ is expected to erroneously predict the lane boundaries as $f_{\theta^{\prime}}(\bm{x+t})\rightarrow\bm{y^{\prime}}$, where the predicted lanes in $\bm{y^{\prime}}=[l^{\prime}_{1},l^{\prime}_{2},...,l^{\prime}_{n}]$ are deliberately altered by our attack strategy to achieve a specific malicious intent. It is assumed that the attacker has access only to the original training dataset $\mathcal{D}$ and is capable of creating a poisoned dataset $\mathcal{D^{\prime}}$ through manipulation. The problem can be formulated as:

In the context of the LD task, particularly considering the potential hazards in autonomous driving scenarios, we introduce four quantifiable attack strategies. These formalized attack strategies facilitate a more precise and convincible evaluation of the effectiveness and robustness of backdoor attacks. As shown in Fig. 3.

Lane Disappearance Attack (LDA). The most straightforward strategy for lane attacks involves the complete removal of all lane boundaries within an image, thereby rendering the LD system inoperative. When an image containing a trigger is fed into the backdoor LD model, it fails to detect any lane boundaries. The specific transformation formula for the label is $l^{\prime}_{i}=\phi\,(i=1,2,\ldots,n)$, i.e., there are no points included in the lane.

Lane Straightening Attack (LSA). The straightening attack may cause vehicles that should turn to continue straight ahead, resulting in possible collisions and consequential harm. For each lane boundary in the image, a straight line parameter curve is fitted starting from the lane boundary’s starting position based on the slope of the line. Subsequently, the positions of lane points that deviate from this curve are modified to align with the straight line. The specific transformation formula for the labels is $l^{\prime}_{i}=\{p_{1},...,p_{k},p^{\prime}_{k+1},...,p^{\prime}_{m}\}\,(i=1,2,\ldots,n)$, where $p^{\prime}_{k+1},...,p^{\prime}_{m}$ are determined by the straight line parameter curve fitted by $p_{1},...,p_{k}$.

Lane Rotation Attack (LRA). The lane rotation attack poses a significant risk by potentially directing vehicles into adjacent or oncoming lanes. Given a rotation angle $\alpha$, for each lane boundary in the image, a curve equation is fitted using cubic spline interpolation. The curve is then rotated about its respective starting point, and the corresponding new horizontal coordinate values for the vertical coordinates in the label can be calculated. The specific transformation formula for the labels is $l^{\prime}_{i}=\{p_{1},p^{\prime}_{2},...,p^{\prime}_{m}\}\,(i=1,2,\ldots,n)$, where $p^{\prime}_{2},...,p^{\prime}_{m}$ is determined by the equation: $\angle p^{\prime}_{j}p_{1}p_{j}=\alpha$.

Lane Offset Attack (LOA). A critical functionality of current lane-kee** assistance systems lies in maintaining the vehicle’s position centrally between two lane lines. If all lane positions output by the LD system are offset by several pixels $\beta$ from the actual positions, it will cause the vehicle to deviate from the correct position. The specific transformation formula for the labels is $l^{\prime}_{i}=\{p^{\prime}_{1},p^{\prime}_{2},...,p^{\prime}_{m}\}\,(i=1,2,\ldots,n)$, where $p^{\prime}_{j}=p_{j}+(\beta,0)$ i.e., all lane points add a fixed value to the horizontal coordinates.

Note that for all aforementioned attack strategies, the lane points whose coordinates extend beyond the image bounds after transformation are discarded.

Existing backdoor attacks are mostly designed based on the two-dimensional image with static observation perspectives. Such triggers are characterized by immutable patterns, viewpoints, sizes, and positions, and they suffer from limitations that hinder their application in the physical world. Our objective is to design a trigger capable of reliable activation under dynamic driving perspectives, unfettered by constraints related to position, shape, viewpoint, or size. Given the susceptibility of LD models to adversarial attacks leveraging dirty road conditions sato2021dirty and the vulnerability of DNNs to color-offset backdoor attacks jiang2023color , we introduce an amorphous pattern for trigger design. This trigger draws inspiration from the prevalent mud elements encountered in natural settings.

Specifically, to enhance the generalization of our trigger mechanism, we gather a comprehensive collection of mud patterns set $\mathcal{M}$ from the internet and real world, aiming to delineate the defining attributes of brown-colored pixels. From each pattern in $\mathcal{M}$, we extract all values of brown pixels. In this way, we can create a color set $\mathcal{C}$ comprising a variety of shades of brown with distinct $RGB$ pixel attributes:

Concurrently, we develop an amorphous mask generator $G_{m}$ to diversify the shapes of triggers, as illustrated in Fig. 2. Given that irregular-shaped masks can be approximated by polygons, we randomly generate combinations of line segments to endow them with irregular boundaries, and randomly remove some internal points to achieve a state of discretization. The pseudo-algorithm of $G_{m}$ can be found in Supplementary Material. Given a rectangular area of size $w\times h$, the $G_{m}$ can generate an amorphous mask within a specified size. Our amorphous pattern $\bm{t}$ can be formalized as:

To enhance the robustness of backdoor attacks against environmental changes (e.g., various weather or lighting conditions), we introduce a meta-learning framework to train specific meta-generators tailored to different environmental conditions. These generators can produce meta-triggers that integrate diverse environmental factors through sampling benign images, as the initialization of the amorphous trigger patterns for backdoor implantation. In this way, we can implant backdoors robust to diverse environmental conditions with few trigger samples.

Meta-learning finn2017model ; nichol2018first ; li2017meta has attracted widespread attention in recent years for its potential to help models/samples learn better initialization states to more effectively complete new tasks finn2017model ; yuan2021meta . Its principles have been widely applied in various fields such as computer vision ravi2016optimization ; yuan2021meta ; yin2023generalizable , natural language processing jamal2019task ; lee2022meta , etc. Inspired by this, we reframe the concept of triggers as learning samples and the introduction of the backdoor as a novel task. Specifically, in the backdoor attack scenario, the meta-task is defined as follows: Given a benign image $\bm{x}$ and an amorphous pattern trigger under a certain environmental condition $\bm{t_{e}}$, the goal is to learn a conditional generation model (called meta-generator) that produces a meta-trigger $\bm{t_{m}}$ incorporating information from the trigger in that environment through sampling $\bm{x}$, as illustrated in Fig. 2. For a specific LD model type to attack, we utilize its feature extractor (backbone) from the model trained on clean dataset as the teacher model $\hat{f}$. By minimizing the feature distance of the $\hat{f}$ between $\bm{x+t_{m}}$ and $\bm{x+t_{e}}$, and maximizing the feature distance between $\bm{x+t_{e}}$ and $\bm{x}$, we update the parameters of the generator, which could be formulated as follows:

Inspired by yin2023generalizable , we use conditional generative flow (c-Glow) lu2020structured as the meta-generator and let it capture the conditional distribution of the benign image and sample the $\bm{t_{m}}$, denoted as $p(\bm{t_{m}}|\bm{x},\bm{\varphi})$, where $\bm{t_{m}}=G_{\bm{\varphi}}(z;\bm{x})$, $G$ is the generator with parameters $\bm{\varphi}$ and $z$ represents a random vector following the Gaussian distribution. Given a set of tasks ${\{\mathcal{T}_{i}\}}^{N}_{i=1}$, we adopt the batch approach of REPTILE nichol2018first for meta-learning. We select $n$ tasks to create a batch and utilize Adam kingma2014adam to update the task-specific parameters $\omega$ times for each task $\mathcal{T}_{i}$. The procedure for inner-loop optimization can be described as:

For outer loop optimization, we update the parameters $\bm{\varphi}$ using the generated task-specific parameters in a batch, with a learning rate $\gamma$. It can be written as follows:

Fig. 2 illustrates the overall framework of our BadLANE . To construct meta-tasks, we collect benign images from the training dataset $\mathcal{D}$ and generate triggers using amorphous patterns under varied environmental conditions at a designated probability, including normal environment. Given $\mathcal{D}$ and a poisoning rate $p$, we randomly select samples from $\mathcal{D}$ to generate a set of malicious images $\bm{X^{\prime}}$ for replacement. These images predominantly incorporate image-specific meta-triggers, produced by sampling each benign image with the meta-generator and placed randomly. They provide a better initialization state for the model to learn triggers in various environments. A small subset of $\bm{X^{\prime}}$ contains amorphous pattern triggers under different environmental conditions, which guide the model in better adapting to new tasks based on the initialization state. Following adjustments to the labels using attack strategies outlined in Sec. 3.2, we compile the poisoned dataset $\mathcal{D^{\prime}}$. Training the LD model with $\mathcal{D^{\prime}}$ results in the implantation of the BadLANE backdoor. The overall pseudo-algorithm of our BadLANE can be found in Supplementary Material.

Dataset. Our experiments are conducted on the most widely used LD dataset TuSimple tusimple . It consists of 3626 images in the training set and 2782 images in the test set, each with a resolution of 1280 $\times$ 720 pixels and containing a maximum of 5 lanes. We also evaluate on CULane dataset culane and we observe similar tendencies (results are shown in Supplementary Material).

Model Architectures. To fully evaluate the effectiveness of our method across different types of DNN-based LD models. Without loss of generality, we select four representative model architectures from various categories: LaneATT laneatt , UFLD v2 (Ultra Fast Lane Detection v2) qin2022ultra , PolyLaneNet tabelini2021polylanenet and RESA (Recurrent Feature-Shift Aggregator) zheng2021resa . A detailed introduction to these model architectures can be found in the Supplementary Material.

Backdoor Attack Baselines. Due to the particularity of autonomous driving scenarios, many backdoor attacks targeted at the digital world are not applicable, as they are unlikely to be deployed in the real world (such as Wanet nguyen2021wanet and Sample-specific li2021invisible that add perturbation overall the image). Therefore, we consider several representative methods: ❶ Fixed Patterns: BadNets badnets , it adds a fixed white pattern to the bottom right corner of the clean image. ❷ Fixed Images: Blended blended , it blends a fixed universal image as the trigger with a clean image. ❸ Real Objects: LD-Attack han2022physical , it uses common objects such as traffic cones in the physical world as triggers. These methods can be triggered in the physical world by printing patterns or placing actual objects.

Evaluation Metric. In image classification tasks, the effectiveness of backdoor attacks is typically evaluated using the Attack Success Rate (ASR) li2022backdoor . For LD task, LD-Attack han2022physical suggests using the rotation angle as a metric to quantify the performance of backdoor attacks. It does not apply to our proposed attack strategies, as the magnitude of the rotation angle is not a reliable measure of alignment with our predetermined attack objectives. A more effective backdoor should align more closely with our pre-set lane point coordinates, rather than simply having a larger rotation angle. Hence, we propose using the classical ASR based on LD task to assess the effectiveness of backdoor attacks. On Tusimple, ACC is commonly used as an evaluation metric to measure the performance of a model tusimple ; laneatt . Its calculation formula is $ACC=\Sigma_{i}C_{i}/\Sigma_{i}S_{i}$, where $C_{i}$ represents the number of correctly predicted lane points (mismatch distance between prediction and ground truth is within a certain threshold) and $S_{i}$ represents the total number of lane points in the ground truth for the $i$-th test image. The threshold is empirically set to 20 pixels. Similarly, for poisoned annotation labels, let $S_{i}^{*}$ represent the total number of lane points, and $C_{i}^{*}$ represent the number of correctly predicted lane points in the poisoned annotation. The ASR calculation is: $ASR=\Sigma_{i}C_{i}^{*}/\Sigma_{i}S_{i}^{*}$. For ACC and ASR, higher values of these metrics indicate better methods.

Implementation Details. For all experiments, we set the poisoning rate of backdoor attacks to 10%, and the size of the trigger is uniformly set to 900 pixels. Specifically, for BadNets and Blended, the trigger size is 30 $\times$ 30 pixels and set at the bottom right corner of the image; for LD-Attack, the area of traffic cones is 900 pixels and fixed on the middle-left lane. following han2022physical ; for our method, we randomly select 900 pixels within a 100 $\times$ 100 pixels square with random positions in the image. For all model architectures, we follow the parameter settings in their original papers. For the meta-generator training, we adopt the same architecture for the generator c-Glow following lu2020structured and it outputs meta-trigger with a size of $100\times 100$ pixels. Before training, we pre-train the c-Glow to provide a better initial state. As for meta-training, we utilize the Tusimple training dataset and generate 10 meta-tasks for each image. Triggers in meta-tasks are randomly added environmental conditions with a probability of 0.15 for each type. The generator is trained for 5 epochs with a batch size of 16. The update step size $\omega$ of the inner optimization is set to 4. The learning rates of the inner and outer loops are set to $\mu=0.0003$ and $\gamma=0.0006$.

Evaluation methodology. To comprehensively simulate the real-world dynamic scenes in autonomous driving, we follow hendrycks2019benchmarking ; tang2023natural and consider eight typical dynamic scene factors for backdoor attack evaluation, including ❶ Driving perspective changes: position, shape, viewpoint, and size of the trigger, and ❷ common environmental conditions: sunlight, shadow, rain, and snow. Examples of BadLANE attacks under these dynamic scene factors are illustrated in Fig. 3. In our main experiment, we adopt the LOA strategy and set the offset pixels to 60.

Results. As shown in Tab. 1, we can draw some observations that: ❶ Traditional attack methods perform well in the static scene (shown in “Origin”). However, their ASRs drop sharply when driving perspectives or environmental conditions change. Especially when the trigger’s position or size changes, or when it encounters the sunlight and shadow environmental conditions. For example, for the LD-Attack method in LaneATT, its ASR sharply decreases when the position of the trigger change (-38.88%) or in sunlight environment (-42.82%). ❷ Our BadLANE attack consistently achieves the highest ASR in all dynamic cases, maintaining effectiveness in the face of various dynamic scene factors in the real world and outperforming other baselines significantly (+24.47% on average). Moreover, it turns out to be universally effective across various LD models. ❸ Our attack maintains high ACCs on clean samples comparable to uninfected models. It demonstrates the effectiveness of our attack on kee** the original functionality of the model. ❹ LaneATT and RESA architectures are particularly vulnerable to our BadLANE attacks, with their backdoor models achieving an average ASR nearly equivalent to the ACC. In comparison, the UFLD v2 and PolyLaneNet models exhibit a lower susceptibility to attacks, displaying a gap of over 4% between their average ASR and ACC.

Different Attack Strategies. We then evaluate the performance of different backdoor attacks using three other attack strategies i.e., LDA, LSA, and LRA. For LSA, we select images that include non-linear lanes for poisoning attacks; for LRA, we set the rotation angle to $4.5^{\circ}$. The average ASR results under various dynamic scene factors of different backdoor attacks are shown in Tab. 2. We can identify that our attacks are effective under all attack strategies and significantly outperform traditional backdoor attack methods (+61.16% in LDA, +0.45% in LSA, and +14.53% in LRA on average). We also observe that LDA and LSA strategies are more easily executed, possibly due to the simplicity of their targets or a significant overlap in the backdoor model’s predictions between malicious images and benign images. In contrast, the LOA and LRA strategies present more challenging attacks but can still achieve a high ASR. As illustrated in Fig. 3, the LOA and LRA strategies pose substantial risks in autonomous driving scenarios, where deviations or rotations in lane lines can significantly alter a vehicle’s driving direction, potentially leading to accidents.

In this part, we demonstrate the generalization of our BadLANE attack on different mud trigger patterns. Models implanted with this backdoor can be triggered not only by unstructured pixel sets but also by various forms/shapes of unseen mud spots or pollution, which facilitates the implementation of attacks in the physical world. To ensure the diversity and randomness of the mud patterns, we collect 10 images of mud patterns with different shapes from the internet and the real world, as shown in Fig. 4 (more images are shown in Supplementary Material). These patterns have distinct sizes, degrees of dispersion, and viewing angles. We add these mud patterns to benign images to obtain malicious images and test the infected models in Sec. 4.2 by BadLANE attack. Visualization examples are shown in Fig. 3. Note that, all these mud triggers have not been directly trained/seen during poisoning.

The results are shown in Fig. 5, we can find that these different unseen mud patterns can effectively activate the backdoors implanted by our BadLANE attack. In some cases, the ASR is even higher than using unstructured pixel sets to attack (e.g., average ASR under various environmental conditions with LOA strategy in UFLD v2 +0.29% and in RESA +0.20%). This demonstrates the superior generalization and practicality of our method and can be effectively deployed in the physical world. Moreover, we can also observe that average ASR under different environmental conditions is generally higher than driving perspective changes across different models and strategies, indicating that the changes in driving perspective pose more challenges for attacking with our method, yet still perform better than traditional attack methods.

We here ablate some factors that may influence the attacking ability of our BadLANE attack. All experiments are conducted using the LOA strategy with 60 offset pixels, unless otherwise specified.

Amorphous Trigger and Meta-Learning. We conduct ablation studies to understand the contributions of amorphous triggers and the meta-learning framework. Specifically, we employ different schemes to poison the dataset for training backdoored models: (1) BadLANE , using our attack approach; (2) (w/o) Meta, without utilizing meta-learning framework; (3) (w/o) Meta & Amo, without using meta-learning framework and amorphous pattern for trigger design. In contrast, we utilize a $30\times 30$ pixels patch composed of brown-colored pixels with the fixed position as the trigger. As shown in Tab. 3, we can draw several observations: ❶ Using Amo shows a significant improvement in average ASR under driving perspective changes (DPC), indicating that the amorphous pattern for trigger design technique enhances the attack’s robustness to perspective changes. ❷ Using Meta exhibits a notable increase in average ASR under different environmental conditions (EC), suggesting that meta-learning improves the attack’s robustness to environmental conditions. The findings corroborate our hypothesis that the amalgamation of both techniques yields optimal performance in dynamic scenarios, underscoring the significance of each component in the orchestration of the attack.

Attack Parameters. For LOA and LRA attack strategies, we can flexibly choose the offset magnitude and rotation angle to achieve different levels of attack. To evaluate the impact of attack parameters on attack effectiveness, we select different offset pixels and rotation angles for these strategies. As shown in Fig. LABEL:fig:attack_para, we can observe that BadLANE attacks exhibit strong attack effectiveness for various settings of attack parameters, allowing for highly flexible specification of attack schemes. Visualizations are shown in Fig. 3 (more images are shown in Supplementary Material). Furthermore, we observe that for the LOA strategy, change in the number of offset pixels have a negligible impact on the attack effectiveness. In contrast, for the LRA strategy, an increase in the absolute value of the rotation angle leads to a weakening of the attack effect. We also find that the LRA strategy performs poorly on the PolyLaNet model. We speculate that this may be because the rotated lane lines require more complex polynomials for representation, making them more challenging to regress.

Poisoning Rates. We evaluate the effectiveness of BadLANE attack under different poisoning rates. For four LD models, we generate poisoned datasets and train backdoor models with poisoning rates of 1%, 3%, 5%, 10%, 15%, and 20%. As shown in Tab. 4, even at a low poisoning rate (e.g., 1%), our BadLANE can achieve a high ASR. Additionally, as the poisoning rate increases, the ASR continues to rise slowly, while the ACC gradually decreases.