A Unified Anomaly Detection Methodology for Lane-Following of Autonomous Driving Systems Xingshuo Han ∗ , Kangjie Chen ∗ , Yuan Zhou ∗‡ , Meikang Qiu † , Chun Fan § , Yang Liu ∗ , Tianwei Zhang ∗ ∗ Nanyang Technological University, Singapore 639798 Email: {xingshuo001,kangjie001}@e.ntu.edu.sg, {y.zhou, yangliu, tianwei.zhang}@ntu.edu.sg † Texas A&M University Commerce, TX, USA 75428 Email: meikang.qiu@tamuc.edu § Peng Cheng Laboratory & Peking University, China Email: fanchun@pku.edu.cn ‡ Corresponding author Abstract—Autonomous Vehicles (AVs) are equipped with var- ious sensors and controlled by Autonomous Driving Systems (ADSs) to provide high-level autonomy. When interacting with the environment, AVs suffer from a broad attack surface, and the sensory data are susceptible to anomalies caused by faults, sensor malfunctions, or attacks, which may jeopardize traffic safety and result in serious accidents. Most of the current works focus on anomaly detection of specific attacks, such as GPS spoofing or traffic sign attacks. There are no works on scenario-aware anomaly detection for ADSs. In this paper, focusing on the lane- following scenario, we introduce a novel transformer-based one- class classification model to identify time series anomalies and adversarial image examples. It can detect GPS spoofing, traffic sign recognition and lane detection attacks with high efficiency and accuracy. We further design a Swin-transformer model to enhance the detection performance. Experiments on Baidu Apollo and two public data sets (GTSRB and Tusimple) show that compared with the state-of-the-art methods, our method, on average, improves the detection performance by 9.7%, 14.7% and 15.7% for GPS spoofing, traffic sign recognition and lane detection attacks, respectively. Index Terms—One-Class Classification, Autonomous Driving Systems, Transformer, Multi-source Anomaly Detection I. I NTRODUCTION Autonomous Vehicles (AVs) will play an essential role in modern intelligent transportation systems to reduce traffic accidents and congestion [1], [2]. Recent advances in the tech- nologies of computing, automation and artificial intelligence inspire many companies to devote themselves to this promising domain and accelerate the commercialization of autonomous driving, e.g., Baidu Apollo [3], Google Waymo [4]. To guarantee high-level automation, Autonomous Driving Systems (ADSs) serve as the brain of AVs, which com- municate with the external environment and internal vehicle components, and make driving decisions. Due to the complex environment and requirements, most of the current ADSs are scenario-sensitive, i.e., they have different tasks to complete under different scenarios (lane following, lane changing, over- taking, and intersections, etc.) based on the information from different sensors. For example, in the lane following scenario, an AV is required to move along the central lines of lanes. So the preliminary task for an ADS is to recognize the lane boundaries and locate the central lines. Cameras and GPS are required to achieve this function. In the overtaking scenario, an ADS needs to recognize surrounding obstacles and determine whether it is safe to perform overtaking. The decision is made from the data in Lidar and GPS. The high complexity of ADSs inevitably brings a broad attack surface [5]. For example, an adversary can launch GPS spoofing attacks to mislead AVs to navigate to a dangerous position [6]. The attack cost is only $200 for a low-end “GPS spoofing” device. By adding malicious patches [7], paint [8] or stickers [9] on the road or traffic signs, an adversary can make ADSs perceive the environment mistakenly and make wrong decisions [10], [11]. Attacks on Lidar can deceive ADSs into ignoring the surrounding obstacles, resulting in collisions [12], [13]. Different attacks may cause different damages under different scenarios. For instance, adversarial attacks against Lidars target obstacle avoidance rather than lane following, which mainly depends on AV’s localization and lane detection; GPS spoofing focuses on the lane following and change scenarios. In this paper, we consider the security protection of the lane following mechanism, which is the most common and fundamental scenario in not only ADSs but also state-of-the- art Advanced Driver-Assistance Systems (ADASs) and Lane Keeping Assist Systems (LKASs). We aim to introduce a unified methodology to detect any anomalies during lane fol- lowing, and mitigate different types of security vulnerabilities, i.e., localization attacks, lane detection attacks, and traffic sign recognition attacks. They have significant impacts on the functionality of ADSs, and it is important for vehicles to be immune to them for secure and safe driving. Although prior studies proposed some solutions to defeat sensor attacks for AVs [13]–[16], they only focus on one specific kind of threats. It is challenging to design a unified and comprehensive method to cover different attack vectors, as they have distinct behaviors and techniques. We develop a novel detection methodology, called T-GP (Transformer with Gradient Penalty), to analyze and identify time series anomalies (localization attacks) and adversarial images (i.e., lane detection attacks and traffic sign recognition 836 2021 IEEE Intl Conf on Parallel & Distributed Processing with Applications, Big Data & Cloud Computing, Sustainable Computing & Communications, Social Computing & Networking (ISPA/BDCloud/SocialCom/SustainCom) 978-1-6654-3574-1/21/$31.00 ©2021 IEEE DOI 10.1109/ISPA-BDCloud-SocialCom-SustainCom52081.2021.00119 2021 IEEE Intl Conf on Parallel & Distributed Processing with Applications, Big Data & Cloud Computing, Sustainable Computing & Communications, Social Computing & Networking (ISPA/BDCloud/SocialCom/SustainCom) | 978-1-6654-3574-1/21/$31.00 ©2021 IEEE | DOI: 10.1109/ISPA-BDCloud-SocialCom-SustainCom52081.2021.00119 Authorized licensed use limited to: Nanyang Technological University. Downloaded on January 23,2022 at 09:22:47 UTC from IEEE Xplore. Restrictions apply.