[TMC] CP-uniGuard: A Unified, Probability-Agnostic, and Adaptive Framework for Malicious Agent Detection and Defense in Multi-Agent Embodied Perception Systems
Senkang Hu, Yihang Tao, Guowen Xu, Xinyuan Qian, Yiqin Deng, Xianhao Chen, Sam Tak Wu Kwong, Yuguang Fang
"Unified defense framework against adversarial attacks in multi-agent collaborative perception with adaptive consensus mechanisms" - Accepted by IEEE Transactions on Mobile Computing (TMC),
CP-uniGuard is a unified framework for adversarially robust collaborative perception in autonomous driving scenarios. It provides multiple defense strategies against malicious attacks in multi-agent collaborative perception systems, including:
- ROBOSAC: Original sampling-based consensus defense
- PASAC: Progressive Agent Selection with Adaptive Consensus using recursive binary splitting (CP-Guard [AAAI'25 Oral])
- Linear Selection: Individual agent testing with adaptive threshold
- Adaptive Sampling: Dynamic consensus set size adjustment
- 🔒 Multiple Defense Mechanisms: Support for ROBOSAC, PASAC, Linear, and other consensus-based defenses
- 🎯 Adaptive Threshold: Online adaptive threshold with temporal sliding-window quantile for robust agent selection
- ⚔️ Adversarial Attack Simulation: Built-in support for PGD, BIM, and CW-L2 attacks
- 📊 Comprehensive Evaluation: mAP evaluation, success rate analysis, and visualization
- 🚗 Autonomous Driving Focus: Designed for V2X collaborative 3D object detection
See Installation Guide for environment setup.
See Dataset Preparation for V2X-Sim dataset setup.
See Specifying Dataset and Model for checkpoint configuration.
```bash
cd coperception/tools/det/
python cp_uniguard.py [OPTIONS]
```

Test with all benign agents, no attackers:
```bash
python cp_uniguard.py \
  -d /path/to/V2X-Sim-det/test \
  --robosac upperbound \
  --scene_id 8 \
  --com mean \
  --resume /path/to/model.pth
```

Test with only ego agent, no collaboration:
```bash
python cp_uniguard.py \
  -d /path/to/V2X-Sim-det/test \
  --robosac lowerbound \
  --scene_id 8 \
  --com mean \
  --resume /path/to/model.pth
```

Test with attackers but no defense:
```bash
python cp_uniguard.py \
  -d /path/to/V2X-Sim-det/test \
  --robosac no_defense \
  --scene_id 8 \
  --number_of_attackers 2 \
  --adv_method pgd \
  --eps 0.5 \
  --adv_iter 15 \
  --com mean \
  --resume /path/to/model.pth
```

Run original ROBOSAC with sampling-based consensus:
```bash
python cp_uniguard.py \
  -d /path/to/V2X-Sim-det/test \
  --robosac robosac_mAP \
  --scene_id 8 \
  --number_of_attackers 2 \
  --step_budget 5 \
  --box_matching_thresh 0.3 \
  --adv_method pgd \
  --eps 0.5 \
  --com mean \
  --resume /path/to/model.pth
```

Run Progressive Agent Selection with Adaptive Consensus:
```bash
python cp_uniguard.py \
  -d /path/to/V2X-Sim-det/test \
  --robosac pasac_mAP \
  --scene_id 8 \
  --number_of_attackers 2 \
  --box_matching_thresh 0.3 \
  --adaptive_alpha 0.2 \
  --adaptive_gamma 0.02 \
  --adaptive_window_size 30 \
  --initial_threshold 0.3 \
  --adv_method pgd \
  --eps 0.5 \
  --com mean \
  --resume /path/to/model.pth
```

Run linear agent testing with adaptive threshold:
```bash
python cp_uniguard.py \
  -d /path/to/V2X-Sim-det/test \
  --robosac linear_mAP \
  --scene_id 8 \
  --number_of_attackers 2 \
  --adaptive_alpha 0.2 \
  --adaptive_gamma 0.02 \
  --adv_method pgd \
  --com mean \
  --resume /path/to/model.pth
```

| Argument | Default | Description |
|---|---|---|
| `-d, --data` | `../coperception/V2X-Sim-det/test` | Path to preprocessed sparse BEV test data |
| `--resume` | `../../ckpt/meanfusion/epoch_49.pth` | Path to saved model checkpoint |
| `--batch` | `1` | Batch size |
| `--nworker` | `4` | Number of data loading workers |
| `--num_agent` | `6` | Total number of agents |
| `--no_cross_road` | - | Do not load data of cross roads |

| Argument | Default | Description |
|---|---|---|
| `--robosac` | (required) | Defense mode: upperbound / lowerbound / no_defense / robosac_mAP / pasac_mAP / linear_mAP / fix_attackers / probing / adaptive / performance_eval |
| `--ego_agent` | `1` | ID of ego agent (agent 0 is RSU) |
| `--step_budget` | `3` | Maximum sampling steps per frame |
| `--robosac_k` | `None` | Fixed consensus set size (optional) |
| `--box_matching_thresh` | `0.3` | IoU threshold for validating two detection results |

| Argument | Default | Description |
|---|---|---|
| `--adv_method` | `pgd` | Attack method: pgd, bim, or cw-l2 |
| `--eps` | `0.5` | Epsilon (perturbation budget) |
| `--pert_alpha` | `0.1` | Scale of perturbation update |
| `--adv_iter` | `15` | Number of attack iterations |
| `--number_of_attackers` | `1` | Number of malicious attackers |
| `--fix_attackers` | - | Keep attackers fixed across frames |
| `--ego_loss_only` | - | Only use ego loss for perturbation |

| Argument | Default | Description |
|---|---|---|
| `--adaptive_alpha` | `0.2` | Smoothing factor for threshold updates |
| `--adaptive_gamma` | `0.02` | Additive compensation for recursive levels |
| `--adaptive_window_size` | `30` | Maximum size of sliding window |
| `--adaptive_min_window_size` | `5` | Minimum samples before computing threshold |
| `--initial_threshold` | `0.3` | Initial threshold value |

| Argument | Default | Description |
|---|---|---|
| `--scene_id` | `[8]` | Target evaluation scene(s) |
| `--sample_id` | `None` | Target specific frame (optional) |
| `--use_history_frame` | - | Use previous frame as reference (saves 1 forward pass) |

| Argument | Default | Description |
|---|---|---|
| `--com` | `mean` | Fusion method: mean, sum, max, disco, when2com, v2v, cat, agent |
| `--layer` | `3` | Communication layer index |
| `--compress_level` | `0` | Channel compression (`2**x`) |
| `--only_v2i` | `0` | Only V2I communication |

| Argument | Description |
|---|---|
| `--log` | Enable logging to file |
| `--logpath` | Custom log file path |
| `--visualization` | Visualize detection results |

- `upperbound`: All agents are benign and collaborate. Serves as the performance upper bound.
- `lowerbound`: Only the ego agent performs detection, without collaboration. Serves as the performance lower bound.
- `no_defense`: Attackers are present but no defense is applied. Shows the impact of attacks.
- `robosac_mAP`: Sampling-based defense that randomly samples agent subsets until consensus is reached.
- `pasac_mAP`: Recursive binary splitting algorithm with online adaptive threshold:
  - Recursively splits the agent set into two halves
  - Uses an adaptive threshold with temporal sliding-window quantile
  - Depth-adjusted threshold for different recursion levels
  - More efficient than random sampling
- `linear_mAP`: Tests each agent individually with the ego agent:
  - Linear complexity O(n)
  - Uses the adaptive threshold
  - Suitable for small agent sets
- `fix_attackers`: Attackers remain constant across frames. Once consensus is found, it is reused.
- `probing`: Estimates the attacker ratio using aggressive-to-conservative probing.
- `adaptive`: Dynamically adjusts the consensus set size based on previous results.
- `performance_eval`: Measures forward pass time without defense overhead.

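The recursive binary splitting with a sliding-window quantile threshold described above can be sketched as follows; this is an added example, not code from the CP-uniGuard repository. The names `AdaptiveThreshold`, `split_select` and `toy_score`, the quantile level `q`, the sign of the per-level `gamma` adjustment, and updating the window only with accepted groups are assumptions; the other defaults mirror the documented `--adaptive_*` and `--initial_threshold` values.

```python
from collections import deque

class AdaptiveThreshold:
    """Online threshold: smoothed low quantile of recently accepted scores."""
    def __init__(self, initial=0.3, alpha=0.2, window_size=30, min_window=5, q=0.1):
        self.value, self.alpha, self.min_window, self.q = initial, alpha, min_window, q
        self.window = deque(maxlen=window_size)  # temporal sliding window

    def update(self, score):
        self.window.append(score)
        if len(self.window) >= self.min_window:  # too few samples: keep current value
            ordered = sorted(self.window)
            target = ordered[int(self.q * (len(ordered) - 1))]  # q is an assumed level
            self.value = (1 - self.alpha) * self.value + self.alpha * target
        return self.value

def split_select(agents, score_fn, thr, gamma=0.02, depth=0):
    """Recursive binary splitting; returns (accepted, rejected) agent ids."""
    if not agents:
        return [], []
    score = score_fn(agents)
    # Assumption: the bar rises by gamma per recursion level (depth-adjusted threshold).
    if score >= thr.value + gamma * depth:
        thr.update(score)  # assumption: only accepted groups feed the window
        return list(agents), []
    if len(agents) == 1:
        return [], list(agents)  # a single agent that fails the check is rejected
    mid = len(agents) // 2
    ok_l, bad_l = split_select(agents[:mid], score_fn, thr, gamma, depth + 1)
    ok_r, bad_r = split_select(agents[mid:], score_fn, thr, gamma, depth + 1)
    return ok_l + ok_r, bad_l + bad_r

# Constructed stand-in for the consensus check: in the real pipeline the score
# would come from matching ego-only detections against the fused detections.
ATTACKERS = {3, 5}

def toy_score(group):
    return max(0.0, 0.9 - 0.7 * sum(a in ATTACKERS for a in group))

def demo():
    # Ego agent 1 evaluates its five collaborators; two of them are malicious.
    return split_select([0, 2, 3, 4, 5], toy_score, AdaptiveThreshold())

if __name__ == "__main__":
    print(demo())
```
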
```bash
CUDA_VISIBLE_DEVICES=0 python cp_uniguard.py [arguments]
```

If you find this project useful in your research, please cite:
```bibtex
@ARTICLE{11329182,
author={Hu, Senkang and Tao, Yihang and Xu, Guowen and Qian, Xinyuan and Deng, Yiqin and Chen, Xianhao and Kwong, Sam Tak Wu and Fang, Yuguang},
journal={IEEE Transactions on Mobile Computing},
title={{CP-uniGuard: A Unified, Probability-Agnostic, and Adaptive Framework for Malicious Agent Detection and Defense in Multi-Agent Embodied Perception Systems}},
year={2025},
volume={},
number={01},
ISSN={1558-0660},
pages={1-14},
keywords={Collaboration;Robustness;Feature extraction;Training;Detectors;Autonomous vehicles;Artificial intelligence;Accuracy;Training data;Smart cities},
doi={10.1109/TMC.2026.3650980},
url={https://doi.ieeecomputersociety.org/10.1109/TMC.2026.3650980},
publisher={IEEE Computer Society},
address={Los Alamitos, CA, USA},
month=jan
}
```

CP-uniGuard is modified from the coperception, ROBOSAC, and CP-Guard libraries.
Adversarial attacks (PGD/BIM/CW) are implemented from the adversarial-attacks-pytorch library.
This project would not be possible without these great codebases.
This project is licensed under the MIT License - see the LICENSE file for details.
