Real Time Counterfactual Generation Trend Attack for Rear-End Collision Risk Prediction
Huansong Zhang, Haihua Liao, Minghao Gao, Qiong Bao, Yongjun Shen

Although autonomous vehicles leverage perceptual information to execute downstream tasks such as prediction and control to enhance driving safety, they are vulnerable to cyberattacks. Attackers can manipulate model outputs by tampering with inputs. This study proposes a Counterfactual Generation Trend Attack (CGTA) framework for predicting rear-end collision risk. It manipulates inputs within the Key Feature Region using an optimization algorithm, aiming to either elevate (increase attack) or degrade (decrease attack) the predicted driving safety. Furthermore, considering scenarios involving partial knowledge stealing where model parameters are inaccessible, an attack scheme based on model distillation is proposed. After processing trajectory data and quantifying rear-end collision risk, experiments were conducted on three mainstream prediction models. The results demonstrate that: (1) CGTA can effectively execute real-time targeted attacks, while resistance to attack varies across attack directions and models. The deviation of model outputs from ground truth ranged from 2.87% to 54.75% under increase attacks and from −3.29% to −86.62% under decrease attacks; (2) multi-head attention (MHA) exhibited superior attack resistance. The attack effects on the prediction models were reduced by 41.69% to 86.10% after incorporating MHA; and (3) although attack effectiveness decreased under partial knowledge stealing, the attack still realized the target attack trend. In addition, this study provides a detailed sensitivity analysis of the parameters and verifies the generalization of the CGTA. The findings reveal the feasibility and effect mechanisms of targeted cyberattacks on autonomous driving systems, while offering theoretical support for defense against such attacks.