安全部署自动驾驶汽车（SDC）需要彻底模拟和现场测试。大多数测试技术考虑在仿真环境中的虚拟化SDC，而较少的努力旨在评估这些技术是否转移到并对物理现实世界的车辆有效。在本文中，我们在部署在物理小型车辆上的虚拟模拟对应物上时，我们利用驴车开源框架对SDC的测试测试。在我们的实证研究中，我们研究了虚拟和真实环境之间的行为和失败风险在大量损坏和对抗的环境中的可转移性。虽然大量测试结果在虚拟和物理环境之间进行转移，但我们还确定了有助于虚拟和物理世界之间的现实差距的关键缺点，威胁到应用于物理SDC时现有的测试解决方案的潜力。

关键应用程序中机器学习（ML）组件的集成引入了软件认证和验证的新挑战。正在开发新的安全标准和技术准则，以支持基于ML的系统的安全性，例如ISO 21448 SOTIF用于汽车域名，并保证机器学习用于自主系统（AMLAS）框架。 SOTIF和AMLA提供了高级指导，但对于每个特定情况，必须将细节凿出来。我们启动了一个研究项目，目的是证明开放汽车系统中ML组件的完整安全案例。本文报告说，Smikk的安全保证合作是由行业级别的行业合作的，这是一个基于ML的行人自动紧急制动示威者，在行业级模拟器中运行。我们演示了AMLA在伪装上的应用，以在简约的操作设计域中，即，我们为其基于ML的集成组件共享一个完整的安全案例。最后，我们报告了经验教训，并在开源许可下为研究界重新使用的开源许可提供了傻笑和安全案例。

基于深度神经网络（DNN）的自主驱动系统（ADSS）预计将减少道路事故，并在运输领域提高安全性，因为它从驾驶任务中消除人为错误的因素。由于意外的驾驶条件，基于DNN的广告有时可能表现出错误或意外的行为，这可能导致事故。不可能概括所有驾驶条件的DNN模型性能。因此，在培训广告期间未考虑的驾驶条件可能导致自治车辆安全的不可预测的后果。本研究提出了一种基于AutoEncoder和时间序列分析的异常检测系统，以防止自动车辆在运行时进行安全临界不一致行为。我们称为Deepguard的方法包括两个组件。第一个组件，不一致的行为预测器，基于AutoEncoder和时间序列分析来重建驾驶场景。基于重建错误和阈值，它确定正常和意外的驾驶场景并预测潜在的不一致行为。第二个组件提供了飞行安全防护装置，即它自动激活治疗策略以防止行为不一致。我们评估了DeepGuard在预测使用已在Udacity Simulator中的可用开放的Sourced DNN的注入的异常驾驶场景预测的性能。我们的仿真结果表明，Deepguard的最佳变体可以预测司机广告的高达93％，Dave2广告的83％，在时期广告模型上的80％不一致行为，表现优于围攻和Deeproad。总体而言，DeepGuard可以通过执行预定义的安全罩来防止高达89％的ADS预测不一致行为。

背景信息：在过去几年中，机器学习（ML）一直是许多创新的核心。然而，包括在所谓的“安全关键”系统中，例如汽车或航空的系统已经被证明是非常具有挑战性的，因为ML的范式转变为ML带来完全改变传统认证方法。目的：本文旨在阐明与ML为基础的安全关键系统认证有关的挑战，以及文献中提出的解决方案，以解决它们，回答问题的问题如何证明基于机器学习的安全关键系统？'方法：我们开展2015年至2020年至2020年之间发布的研究论文的系统文献综述（SLR），涵盖了与ML系统认证有关的主题。总共确定了217篇论文涵盖了主题，被认为是ML认证的主要支柱：鲁棒性，不确定性，解释性，验证，安全强化学习和直接认证。我们分析了每个子场的主要趋势和问题，并提取了提取的论文的总结。结果：单反结果突出了社区对该主题的热情，以及在数据集和模型类型方面缺乏多样性。它还强调需要进一步发展学术界和行业之间的联系，以加深域名研究。最后，它还说明了必须在上面提到的主要支柱之间建立连接的必要性，这些主要柱主要主要研究。结论：我们强调了目前部署的努力，以实现ML基于ML的软件系统，并讨论了一些未来的研究方向。

The last decade witnessed increasingly rapid progress in self-driving vehicle technology, mainly backed up by advances in the area of deep learning and artificial intelligence. The objective of this paper is to survey the current state-of-the-art on deep learning technologies used in autonomous driving. We start by presenting AI-based self-driving architectures, convolutional and recurrent neural networks, as well as the deep reinforcement learning paradigm. These methodologies form a base for the surveyed driving scene perception, path planning, behavior arbitration and motion control algorithms. We investigate both the modular perception-planning-action pipeline, where each module is built using deep learning methods, as well as End2End systems, which directly map sensory information to steering commands. Additionally, we tackle current challenges encountered in designing AI architectures for autonomous driving, such as their safety, training data sources and computational hardware. The comparison presented in this survey helps to gain insight into the strengths and limitations of deep learning and AI approaches for autonomous driving and assist with design choices. 1

自动化驾驶系统（广告）开辟了汽车行业的新领域，为未来的运输提供了更高的效率和舒适体验的新可能性。然而，在恶劣天气条件下的自主驾驶已经存在，使自动车辆（AVS）长时间保持自主车辆（AVS）或更高的自主权。本文评估了天气在分析和统计方式中为广告传感器带来的影响和挑战，并对恶劣天气条件进行了解决方案。彻底报道了关于对每种天气的感知增强的最先进技术。外部辅助解决方案如V2X技术，当前可用的数据集，模拟器和天气腔室的实验设施中的天气条件覆盖范围明显。通过指出各种主要天气问题，自主驾驶场目前正在面临，近年来审查硬件和计算机科学解决方案，这项调查概述了在不利的天气驾驶条件方面的障碍和方向的障碍和方向。

Deep Neural Networks (DNN) are increasingly used as components of larger software systems that need to process complex data, such as images, written texts, audio/video signals. DNN predictions cannot be assumed to be always correct for several reasons, among which the huge input space that is dealt with, the ambiguity of some inputs data, as well as the intrinsic properties of learning algorithms, which can provide only statistical warranties. Hence, developers have to cope with some residual error probability. An architectural pattern commonly adopted to manage failure-prone components is the supervisor, an additional component that can estimate the reliability of the predictions made by untrusted (e.g., DNN) components and can activate an automated healing procedure when these are likely to fail, ensuring that the Deep Learning based System (DLS) does not cause damages, despite its main functionality being suspended. In this paper, we consider DLS that implement a supervisor by means of uncertainty estimation. After overviewing the main approaches to uncertainty estimation and discussing their pros and cons, we motivate the need for a specific empirical assessment method that can deal with the experimental setting in which supervisors are used, where the accuracy of the DNN matters only as long as the supervisor lets the DLS continue to operate. Then we present a large empirical study conducted to compare the alternative approaches to uncertainty estimation. We distilled a set of guidelines for developers that are useful to incorporate a supervisor based on uncertainty monitoring into a DLS.

自动化驾驶系统（ADSS）近年来迅速进展。为确保这些系统的安全性和可靠性，在未来的群心部署之前正在进行广泛的测试。测试道路上的系统是最接近真实世界和理想的方法，但它非常昂贵。此外，使用此类现实世界测试覆盖稀有角案件是不可行的。因此，一种流行的替代方案是在一些设计精心设计的具有挑战性场景中评估广告的性能，A.k.a.基于场景的测试。高保真模拟器已广泛用于此设置中，以最大限度地提高测试的灵活性和便利性 - 如果发生的情况。虽然已经提出了许多作品，但为测试特定系统提供了各种框架/方法，但这些作品之间的比较和连接仍然缺失。为了弥合这一差距，在这项工作中，我们在高保真仿真中提供了基于场景的测试的通用制定，并对现有工作进行了文献综述。我们进一步比较了它们并呈现开放挑战以及潜在的未来研究方向。

Computer vision applications in intelligent transportation systems (ITS) and autonomous driving (AD) have gravitated towards deep neural network architectures in recent years. While performance seems to be improving on benchmark datasets, many real-world challenges are yet to be adequately considered in research. This paper conducted an extensive literature review on the applications of computer vision in ITS and AD, and discusses challenges related to data, models, and complex urban environments. The data challenges are associated with the collection and labeling of training data and its relevance to real world conditions, bias inherent in datasets, the high volume of data needed to be processed, and privacy concerns. Deep learning (DL) models are commonly too complex for real-time processing on embedded hardware, lack explainability and generalizability, and are hard to test in real-world settings. Complex urban traffic environments have irregular lighting and occlusions, and surveillance cameras can be mounted at a variety of angles, gather dirt, shake in the wind, while the traffic conditions are highly heterogeneous, with violation of rules and complex interactions in crowded scenarios. Some representative applications that suffer from these problems are traffic flow estimation, congestion detection, autonomous driving perception, vehicle interaction, and edge computing for practical deployment. The possible ways of dealing with the challenges are also explored while prioritizing practical deployment.

Although Deep Neural Networks (DNNs) have achieved impressive results in computer vision, their exposed vulnerability to adversarial attacks remains a serious concern. A series of works has shown that by adding elaborate perturbations to images, DNNs could have catastrophic degradation in performance metrics. And this phenomenon does not only exist in the digital space but also in the physical space. Therefore, estimating the security of these DNNs-based systems is critical for safely deploying them in the real world, especially for security-critical applications, e.g., autonomous cars, video surveillance, and medical diagnosis. In this paper, we focus on physical adversarial attacks and provide a comprehensive survey of over 150 existing papers. We first clarify the concept of the physical adversarial attack and analyze its characteristics. Then, we define the adversarial medium, essential to perform attacks in the physical world. Next, we present the physical adversarial attack methods in task order: classification, detection, and re-identification, and introduce their performance in solving the trilemma: effectiveness, stealthiness, and robustness. In the end, we discuss the current challenges and potential future directions.

数据驱动的模拟器承诺高数据效率进行驾驶策略学习。当用于建模相互作用时，这种数据效率变为瓶颈：小型基础数据集通常缺乏用于学习交互式驾驶的有趣和具有挑战性的边缘案例。我们通过提出使用绘制的ADO车辆学习强大的驾驶策略的仿真方法来解决这一挑战。因此，我们的方法可用于学习涉及多代理交互的策略，并允许通过最先进的策略学习方法进行培训。我们评估了驾驶中学习标准交互情景的方法。在广泛的实验中，我们的工作表明，由此产生的政策可以直接转移到全规模的自治车辆，而无需使用任何传统的SIM-to-Real传输技术，例如域随机化。

我们描述了一个软件框架和用于串联的硬件平台，用于设计和分析模拟和现实中机器人自主算法。该软件是开源的，独立的容器和操作系统（OS）的软件，具有三个主要组件：COS ++车辆仿真框架（Chrono）的ROS 2接口（Chrono），该框架提供了高保真的轮毂/跟踪的车辆和传感器仿真；基于ROS 2的基本基于算法设计和测试的自治堆栈；以及一个开发生态系统，可在感知，状态估计，路径计划和控制中进行可视化和硬件实验。随附的硬件平台是1/6刻度的车辆，并具有可重新配置的用于计算，传感和跟踪的可重新配置的安装。其目的是允许对算法和传感器配置进行物理测试和改进。由于该车辆平台在模拟环境中具有数字双胞胎，因此可以测试和比较模拟和现实中相同的算法和自主堆栈。该平台的构建是为了表征和管理模拟到现实差距。在此，我们描述了如何建立，部署和用于改善移动应用程序的自主权。

Recent studies show that the state-of-the-art deep neural networks (DNNs) are vulnerable to adversarial examples, resulting from small-magnitude perturbations added to the input. Given that that emerging physical systems are using DNNs in safety-critical situations, adversarial examples could mislead these systems and cause dangerous situations. Therefore, understanding adversarial examples in the physical world is an important step towards developing resilient learning algorithms. We propose a general attack algorithm, Robust Physical Perturbations (RP 2 ), to generate robust visual adversarial perturbations under different physical conditions. Using the real-world case of road sign classification, we show that adversarial examples generated using RP 2 achieve high targeted misclassification rates against standard-architecture road sign classifiers in the physical world under various environmental conditions, including viewpoints. Due to the current lack of a standardized testing method, we propose a two-stage evaluation methodology for robust physical adversarial examples consisting of lab and field tests. Using this methodology, we evaluate the efficacy of physical adversarial manipulations on real objects. With a perturbation in the form of only black and white stickers, we attack a real stop sign, causing targeted misclassification in 100% of the images obtained in lab settings, and in 84.8% of the captured video frames obtained on a moving vehicle (field test) for the target classifier.

现实世界的对抗例（通常以补丁形式）对安全关键计算机视觉任务中的深度学习模型（如在自动驾驶中的视觉感知）中使用深度学习模型构成严重威胁。本文涉及用不同类型的对抗性斑块攻击时，对语义分割模型的稳健性进行了广泛的评价，包括数字，模拟和物理。提出了一种新的损失功能，提高攻击者在诱导像素错误分类方面的能力。此外，提出了一种新的攻击策略，提高了在场景中放置补丁的转换方法的期望。最后，首先扩展用于检测对抗性补丁的最先进的方法以应对语义分割模型，然后改进以获得实时性能，并最终在现实世界场景中进行评估。实验结果表明，尽管具有数字和真实攻击的对抗效果，其影响通常在空间上限制在补丁周围的图像区域。这将打开关于实时语义分段模型的空间稳健性的进一步疑问。

在本文中，我们描述了如何利用明亮的调制光源（例如，廉价，离心激光器）来利用CMOS图像传感器中的电子滚动快门。我们展示了七种不同CMOS相机的攻击，从IoT廉价到半专业监控摄像机，以突出滚动快门攻击的广泛适用性。我们模拟了影响不受控制的设置中滚动快门攻击的基本因素。然后，我们对对象检测任务的攻击作用进行了详尽的评估，研究了攻击参数的效果。我们验证了我们对两个独立相机收集的经验数据的模型，表明通过简单地使用来自相机数据表的信息，对手可以准确地预测注入的失真大小并相应地优化它们的攻击。我们发现，通过选择适当的攻击参数，对手可以通过最先进的探测器隐藏高达75％的物体。我们还调查了与NA \“{i} vers致盲攻击相比攻击的隐秘，表明常见的图像失真度量无法检测到攻击存在。因此，我们向骨干展示了一种新的，准确和轻巧的增强对象检测器的网络识别滚动快门攻击。总体而言，我们的结果表明，滚动快门攻击可以大大降低基于视觉智能系统的性能和可靠性。

自主车辆的环境感知受其物理传感器范围和算法性能的限制，以及通过降低其对正在进行的交通状况的理解的闭塞。这不仅构成了对安全和限制驾驶速度的重大威胁，而且它也可能导致不方便的动作。智能基础设施系统可以帮助缓解这些问题。智能基础设施系统可以通过在当前交通情况的数字模型的形式提供关于其周围环境的额外详细信息，填补了车辆的感知中的差距并扩展了其视野。数字双胞胎。然而，这种系统的详细描述和工作原型表明其可行性稀缺。在本文中，我们提出了一种硬件和软件架构，可实现这样一个可靠的智能基础架构系统。我们在现实世界中实施了该系统，并展示了它能够创建一个准确的延伸高速公路延伸的数字双胞胎，从而提高了自主车辆超越其车载传感器的极限的感知。此外，我们通过使用空中图像和地球观测方法来评估数字双胞胎的准确性和可靠性，用于产生地面真理数据。

This paper describes Waymo's Collision Avoidance Testing (CAT) methodology: a scenario-based testing method that evaluates the safety of the Waymo Driver Automated Driving Systems' (ADS) intended functionality in conflict situations initiated by other road users that require urgent evasive maneuvers. Because SAE Level 4 ADS are responsible for the dynamic driving task (DDT), when engaged, without immediate human intervention, evaluating a Level 4 ADS using scenario-based testing is difficult due to the potentially infinite number of operational scenarios in which hazardous situations may unfold. To that end, in this paper we first describe the safety test objectives for the CAT methodology, including the collision and serious injury metrics and the reference behavior model representing a non-impaired eyes on conflict human driver used to form an acceptance criterion. Afterward, we introduce the process for identifying potentially hazardous situations from a combination of human data, ADS testing data, and expert knowledge about the product design and associated Operational Design Domain (ODD). The test allocation and execution strategy is presented next, which exclusively utilize simulations constructed from sensor data collected on a test track, real-world driving, or from simulated sensor data. The paper concludes with the presentation of results from applying CAT to the fully autonomous ride-hailing service that Waymo operates in San Francisco, California and Phoenix, Arizona. The iterative nature of scenario identification, combined with over ten years of experience of on-road testing, results in a scenario database that converges to a representative set of responder role scenarios for a given ODD. Using Waymo's virtual test platform, which is calibrated to data collected as part of many years of ADS development, the CAT methodology provides a robust and scalable safety evaluation.

当在安全 - 关键系统中使用深层神经网络（DNN）时，工程师应确定在测试过程中观察到的与故障（即错误输出）相关的安全风险。对于DNN处理图像，工程师在视觉上检查所有引起故障的图像以确定它们之间的共同特征。这种特征对应于危害触发事件（例如，低照明），这是安全分析的重要输入。尽管内容丰富，但这种活动却昂贵且容易出错。为了支持此类安全分析实践，我们提出了SEDE，该技术可为失败，现实世界图像中的共同点生成可读的描述，并通过有效的再培训改善DNN。 SEDE利用了通常用于网络物理系统的模拟器的可用性。它依靠遗传算法来驱动模拟器来生成与测试集中诱导失败的现实世界图像相似的图像。然后，它采用规则学习算法来得出以模拟器参数值捕获共同点的表达式。然后，派生表达式用于生成其他图像以重新训练和改进DNN。随着DNN执行车载传感任务，SEDE成功地表征了导致DNN精度下降的危险触发事件。此外，SEDE启用了重新培训，从而导致DNN准确性的显着提高，最高18个百分点。

We introduce CARLA, an open-source simulator for autonomous driving research. CARLA has been developed from the ground up to support development, training, and validation of autonomous urban driving systems. In addition to open-source code and protocols, CARLA provides open digital assets (urban layouts, buildings, vehicles) that were created for this purpose and can be used freely. The simulation platform supports flexible specification of sensor suites and environmental conditions. We use CARLA to study the performance of three approaches to autonomous driving: a classic modular pipeline, an endto-end model trained via imitation learning, and an end-to-end model trained via reinforcement learning. The approaches are evaluated in controlled scenarios of increasing difficulty, and their performance is examined via metrics provided by CARLA, illustrating the platform's utility for autonomous driving research.

现代自动驾驶汽车采用最先进的DNN模型来解释传感器数据并感知环境。但是，DNN模型容易受到不同类型的对抗攻击的影响，这对车辆和乘客的安全性和安全性构成了重大风险。一个突出的威胁是后门攻击，对手可以通过中毒训练样本来妥协DNN模型。尽管已经大量精力致力于调查后门攻击对传统的计算机视觉任务，但很少探索其对自主驾驶场景的实用性和适用性，尤其是在物理世界中。在本文中，我们针对车道检测系统，该系统是许多自动驾驶任务，例如导航，车道切换的必不可少的模块。我们设计并实现了对此类系统的第一次物理后门攻击。我们的攻击是针对不同类型的车道检测算法的全面有效的。具体而言，我们引入了两种攻击方法（毒药和清洁量）来生成中毒样本。使用这些样品，训练有素的车道检测模型将被后门感染，并且可以通过公共物体（例如，交通锥）进行启动，以进行错误的检测，导致车辆从道路上或在相反的车道上行驶。对公共数据集和物理自动驾驶汽车的广泛评估表明，我们的后门攻击对各种防御解决方案都是有效，隐秘和强大的。我们的代码和实验视频可以在https://sites.google.com/view/lane-detection-attack/lda中找到。