ML Security PapersTowards Stealthy and Effective Backdoor Attacks on Lane Detection: A Naturalistic Data Poisoning Approach
Yifan Liao 1,2, Yuxin Cao 2, Yedi Zhang 2, Wentao He 3, Yan Xiao 4, Xianglong Du 1, Zhiyong Huang 2, Jin Song Dong 2
Published on arXiv
2508.15778
Model Poisoning
OWASP ML Top 10 — ML10
Data Poisoning Attack
OWASP ML Top 10 — ML02
Key Finding
DBALD achieves an average attack success rate improvement of +10.87% over state-of-the-art backdoor attacks on 4 mainstream lane detection models while producing significantly more naturalistic triggers.
DBALD
Novel technique introduced
Deep learning-based lane detection (LD) plays a critical role in autonomous driving and advanced driver assistance systems. However, its vulnerability to backdoor attacks presents a significant security concern. Existing backdoor attack methods on LD often exhibit limited practical utility due to the artificial and conspicuous nature of their triggers. To address this limitation and investigate the impact of more ecologically valid backdoor attacks on LD models, we examine the common data poisoning attack and introduce DBALD, a novel diffusion-based data poisoning framework for generating naturalistic backdoor triggers. DBALD comprises two key components: optimal trigger position finding and stealthy trigger generation. Given the insight that attack performance varies depending on the trigger position, we propose a heatmap-based method to identify the optimal trigger location, with gradient analysis to generate attack-specific heatmaps. A region-based editing diffusion process is then applied to synthesize visually plausible triggers within the most susceptible regions identified previously. Furthermore, to ensure scene integrity and stealthy attacks, we introduce two loss strategies: one for preserving lane structure and another for maintaining the consistency of the driving scene. Consequently, compared to existing attack methods, DBALD achieves both a high attack success rate and superior stealthiness. Extensive experiments on 4 mainstream LD models show that DBALD exceeds state-of-the-art methods, with an average success rate improvement of +10.87% and significantly enhanced stealthiness. The experimental results highlight significant practical challenges in ensuring model robustness against real-world backdoor threats in LD.
Key Contributions
- DBALD: a diffusion-based data poisoning framework that synthesizes visually naturalistic backdoor triggers using region-based inpainting within a lane detection scene
- Gradient-based heatmap analysis to identify optimal trigger positions where poisoned samples are most effective
- Two loss strategies (lane structure preservation and driving scene consistency) to ensure stealthiness and scene integrity of generated triggers
🛡️ Threat Analysis
The attack vector is explicitly data poisoning: the training dataset is corrupted with poisoned images containing naturalistic triggers to embed the backdoor, rather than direct weight manipulation.
Primary contribution is a backdoor attack (DBALD) that embeds hidden, trigger-activated malicious behavior in lane detection models — the model behaves normally until a naturalistic diffusion-generated trigger is present in the input.