Stop-and-Go: Exploring Backdoor Attacks on Deep Reinforcement Learning-based Traffic Congestion Control Systems.

Recent work has shown that the introduction of autonomous vehicles (AVs) in traffic could help reduce traffic jams. Deep reinforcement learning methods demonstrate good performance in complex control problems, including autonomous vehicle control, and have been used in state-of-the-art AV controllers. However, the use of deep neural networks (DNNs) renders automated driving vulnerable to machine learning-based attacks. In this work, we explore backdooring/trojanning of DRL-based AV controllers. We develop a trigger design methodology that is based on well-established principles of traffic physics. The malicious actions include vehicle deceleration and acceleration to cause stop-and-go traffic waves to emerge (congestion attacks), or AV acceleration resulting in the AV crashing into the vehicle in front (insurance attack). In the pre-injection stage, we consider the stealth of this backdoor attack by selecting triggers that are closest to the genuine data. We demonstrate our attack in a baseline traffic scenario of a single-lane ring, and then we generalize it to more lanes and the introduction of intersections. Experimental results show that the backdoored model does not compromise the performance of normal operation with the maximum decrease in cumulative rewards being 1%, but it can be maliciously activated to cause a crash or congestion when the corresponding triggers appear. We also discuss the effectiveness of state-of-the-art defenses towards the presented attacks.