System-level attacks against deep learning models in autonomous driving lack systematic analysis. Method: We construct the first comprehensive taxonomy covering 12 top-level categories and multi-level subcategories; identify 19 highly relevant papers from a bibliometric screening of 8,831 publications; collaboratively annotate them with three domain experts; and—novelty—model the causal propagation chain “input perturbation → perception failure → system collapse” via threat modeling, attack surface mapping, and failure chain analysis. Contribution/Results: (1) We propose the first unified taxonomy for system-level attacks in autonomous driving; (2) we identify critical attack patterns and system vulnerabilities; and (3) we deliver actionable security best practices for industry and concrete directions for future research—thereby filling a key gap in systematic, end-to-end attack analysis for autonomous driving systems.

The advent of deep learning and its astonishing performance in perception tasks, such as object recognition and classification, has enabled its usage in complex systems, including autonomous vehicles. On the other hand, deep learning models are susceptible to mis-predictions when small, adversarial changes are introduced into their input. Such mis-predictions can be triggered in the real world and can propagate to a failure of the entire system, as opposed to a localized mis-prediction. In recent years, a growing number of research works have investigated ways to mount attacks against autonomous vehicles that exploit deep learning components for perception tasks. Such attacks are directed toward elements of the environment where these systems operate and their effectiveness is assessed in terms of system-level failures triggered by them. There has been however no systematic attempt to analyze and categorize such attacks. In this paper, we present the first taxonomy of system-level attacks against autonomous vehicles. We constructed our taxonomy by first collecting 8,831 papers, then filtering them down to 1,125 candidates and eventually selecting a set of 19 highly relevant papers that satisfy all inclusion criteria. Then, we tagged them with taxonomy categories, involving three assessors per paper. The resulting taxonomy includes 12 top-level categories and several sub-categories. The taxonomy allowed us to investigate the attack features, the most attacked components, the underlying threat models, and the propagation chains from input perturbation to system-level failure. We distilled several lessons for practitioners and identified possible directions for future work for researchers.