Autonomous driving perception modules are vulnerable to adversarial attacks, while existing global-noise methods suffer from poor imperceptibility. To address this, we propose AdvSwap—a wavelet-transform-based reversible high-frequency information swapping attack. AdvSwap is the first method to integrate selective wavelet high-frequency component swapping with invertible neural networks (INNs), enabling implicit, label-erasing, and guidance-image-fusion-driven attacks. It preserves semantic integrity of original images while generating adversarial examples imperceptible to human vision and robustly evading mainstream object detectors. Evaluated on GTSRB and nuScenes, AdvSwap achieves high attack success rates against traffic signs and vehicle detection, demonstrating strong cross-model transferability and robustness under common corruptions. This work establishes a new paradigm for visual security assessment in autonomous driving systems.

Perception module of Autonomous vehicles (AVs) are increasingly susceptible to be attacked, which exploit vulnerabilities in neural networks through adversarial inputs, thereby compromising the AI safety. Some researches focus on creating covert adversarial samples, but existing global noise techniques are detectable and difficult to deceive the human visual system. This paper introduces a novel adversarial attack method, AdvSwap, which creatively utilizes wavelet-based high-frequency information swapping to generate covert adversarial samples and fool the camera. AdvSwap employs invertible neural network for selective high-frequency information swapping, preserving both forward propagation and data integrity. The scheme effectively removes the original label data and incorporates the guidance image data, producing concealed and robust adversarial samples. Experimental evaluations and comparisons on the GTSRB and nuScenes datasets demonstrate that AdvSwap can make concealed attacks on common traffic targets. The generates adversarial samples are also difficult to perceive by humans and algorithms. Meanwhile, the method has strong attacking robustness and attacking transferability.