Abstract: Adversarial examples expose the black-box nature of neural networks and pose substantial threats to safety-critical Automated Driving (AD) perception systems. Research on certified robustness is one of the most promising defenses because its guarantee is unrelated to adversarial perturbations, and AD perception may provide users with safety endorsement via well-designed certified defenses. This review surveys certified robustness approaches for image and point cloud data and evaluates certified defense methods along three dimensions: clean accuracy, certified accuracy, and computational overhead. Based on this review, applying certified defense to multi-sensor fusion perception models will provide lower-bound guarantees of accuracy, and may successfully defend against multi-source attacks with certified accuracy greater than 60%. For machine learning-level attacks, randomized smoothing balances certified accuracy and computational complexity, and can scale to large datasets with a loss of clean accuracy within 12%. Future automated driving perception systems can focus on reducing the number of samples used by randomized smoothing and adapting to more data sources. The review also presents challenges and promising directions for certified robustness approaches, seeking to bridge the theoretical and practical considerations of defense for users regarding security and safety in AD perception.
Huilin Yin
Ziming Zhao
Jun Yan
Automotive Innovation
Tongji University
Graz University of Technology
Yin et al. (Thu,) studied this question.
www.synapsesocial.com/papers/68d46fbd31b076d99fa6968c — DOI: https://doi.org/10.1007/s42154-024-00347-3