To address the severe degradation in perception performance caused by malicious agents injecting false messages in collaborative perception, this paper first uncovers the evasion mechanism of Blind-Spot Confusion (BAC) attacks against single-frame detection methods. We propose a spatiotemporal perception defense framework featuring a dual-domain anomaly detection paradigm: (i) confidence-weighted spatial harmony loss to enforce single-frame spatial consistency, and (ii) BEV motion flow reconstruction over low-confidence regions to model temporal anomalies across frames. Furthermore, we introduce a joint spatiotemporal Benjamini–Hochberg hypothesis test to enhance robust identification of malicious agents. Under BAC attacks, our method improves AP@0.5 by 34.69%; under other typical attacks, it consistently achieves 5–8% gains in AP@0.5. These results significantly outperform existing defenses, demonstrating superior resilience against adversarial collaboration.

Collaborative perception significantly enhances autonomous driving safety by extending each vehicle's perception range through message sharing among connected and autonomous vehicles. Unfortunately, it is also vulnerable to adversarial message attacks from malicious agents, resulting in severe performance degradation. While existing defenses employ hypothesis-and-verification frameworks to detect malicious agents based on single-shot outliers, they overlook temporal message correlations, which can be circumvented by subtle yet harmful perturbations in model input and output spaces. This paper reveals a novel blind area confusion (BAC) attack that compromises existing single-shot outlier-based detection methods. As a countermeasure, we propose GCP, a Guarded Collaborative Perception framework based on spatial-temporal aware malicious agent detection, which maintains single-shot spatial consistency through a confidence-scaled spatial concordance loss, while simultaneously examining temporal anomalies by reconstructing historical bird's eye view motion flows in low-confidence regions. We also employ a joint spatial-temporal Benjamini-Hochberg test to synthesize dual-domain anomaly results for reliable malicious agent detection. Extensive experiments demonstrate GCP's superior performance under diverse attack scenarios, achieving up to 34.69% improvements in AP@0.5 compared to the state-of-the-art CP defense strategies under BAC attacks, while maintaining consistent 5-8% improvements under other typical attacks. Code will be released at https://github.com/CP-Security/GCP.git.