Adversarial Flow Matching for Imperceptible Attacks on End-to-End Autonomous Driving

Source: cs.CV updates on arXiv.org · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Robotics & Autonomous Systems, Cybersecurity & Data Privacy · Depth: Expert, extended

Summary

Adversarial Flow Matching (AFM) is a novel gray-box attack framework designed to exploit structural vulnerabilities in Transformer backbones of end-to-end autonomous driving (AD) models. It enables efficient one-step generation of visually imperceptible adversarial examples by perturbing both the generative latent space and a neural average velocity field. AFM significantly degrades the performance of both Vision-Language-Action (VLA) and modular AD agents, such as SimLingo and TransFuser, across various driving scenarios, including complex traffic and nighttime conditions. The method achieves superior attack effectiveness and imperceptibility compared to baselines like FGSM, PGD, DiffAttack, PerC-AL, and NCF. Furthermore, AFM-generated adversarial examples demonstrate robust cross-model transferability: the attack requires only prior knowledge of a Transformer-based module in the target AD model, which approximates a black-box attack setting.

Key takeaway

For research scientists and security engineers evaluating autonomous driving system robustness, AFM reveals a critical, shared vulnerability in Transformer-based AD models. You should prioritize developing defenses that specifically target the dual-perturbation mechanisms in the latent space and neural velocity fields, especially for gray-box scenarios where only structural knowledge of the Transformer is available. This necessitates moving beyond traditional pixel-level defenses to more sophisticated, generative-aware countermeasures to prevent imperceptible, high-impact attacks.

Key insights

AFM leverages Flow Matching to create imperceptible, transferable gray-box attacks against Transformer-based autonomous driving systems.

Method

AFM uses a Flow Matching-guided generative mechanism and an attention-guided multi-objective optimization. It injects learnable perturbations into both the latent space and the neural average velocity field for one-step adversarial generation.

Best for: Computer Vision Engineer, Research Scientist, AI Scientist, AI Security Engineer, Robotics Engineer

Editorial summary, takeaway, and curation by AIssential. Original article published by cs.CV updates on arXiv.org.