Traffic sign recognition plays a critical role in ensuring safe and efficient transportation of autonomous vehicles but remain vulnerable to adversarial attacks using stickers or laser projections. While existing attack vectors demonstrate security concerns, they suffer from visual detectability or implementation constraints, suggesting unexplored vulnerability surfaces in TSR systems. We introduce the Adversarial Retroreflective Patch (ARP), a novel attack vector that combines the high deployability of patch attacks with the stealthiness of laser projections by utilizing retroreflective materials activated only under victim headlight illumination. We develop a retroreflection simulation method and employ black-box optimization to maximize attack effectiveness. ARP achieves $\geq$93.4\% success rate in dynamic scenarios at 35 meters and $\geq$60\% success rate against commercial TSR systems in real-world conditions. Our user study demonstrates that ARP attacks maintain near-identical stealthiness to benign signs while achieving $\geq$1.9\% higher stealthiness scores than previous patch attacks. We propose the DPR Shield defense, employing strategically placed polarized filters, which achieves $\geq$75\% defense success rates for stop signs and speed limit signs against micro-prism patches.

翻译：交通标志识别在确保自动驾驶车辆安全高效运行中起着关键作用，但其仍易受贴纸或激光投影等对抗性攻击的影响。现有攻击手段虽揭示了安全隐患，却存在视觉可检测性或实施限制，表明交通标志识别系统存在尚未被探索的脆弱性表面。我们提出了一种新型攻击向量——对抗性逆反射贴片，该攻击通过利用仅在受害者车灯照明下激活的逆反射材料，将贴片攻击的高可部署性与激光投影的隐蔽性相结合。我们开发了一种逆反射模拟方法，并采用黑盒优化以最大化攻击效果。在动态场景中，对抗性逆反射贴片在35米距离处实现了≥93.4%的成功率，并在真实世界条件下对商用交通标志识别系统达到了≥60%的成功率。我们的用户研究表明，对抗性逆反射贴片攻击在保持与良性标志近乎相同的隐蔽性的同时，其隐蔽性评分比先前的贴片攻击高出≥1.9%。我们提出了DPR Shield防御机制，通过策略性部署偏振滤光片，对停止标志和限速标志对抗微棱镜贴片攻击实现了≥75%的防御成功率。