The Invisible Threat: How a Conditional GAN Learned to Fool Self-Driving Cars by Mimicking Human Driving | AI Security Research

Adversarial Machine Learning · arXiv:2509.XXXXX [cs.CV] · 16 min read

The Invisible Threat: How a Conditional GAN Learned to Fool Self-Driving Cars by Mimicking Human Driving

Researchers at Zhengzhou University discovered that the most dangerous attacks on autonomous vehicle prediction systems don’t look like attacks at all—they look like perfectly normal driving maneuvers, reconstructed from scratch by a generative model that understands motion better than the predictors themselves.

Adversarial Attack Trajectory Prediction Conditional GAN Autonomous Driving Safety Motion-Semantic Vulnerability Generative Reconstruction Stealthy Deception

Structural Causal Model diagram showing nodes S, U, F, X, Y, E

Figure 1: The architecture of our Conditional GAN (c-GAN) framework for Stealthy Deception. The Generator (G) is conditioned on the Ground-Truth History $𝐻_{𝑟𝑒𝑎𝑙}$ to synthesize a visually similar but malicious Adversarial History $𝐻_{𝑎𝑑𝑣}$. The framework is trained via a multi-objective loss function, which includes: (1) an Adversarial Loss derived from a Critic (C) that distinguishes real from fake trajectories; (2) a Similarity Loss to enforce stealthiness; (3) a Kinematic Loss for Physical plausibility.

For years, researchers probing the security of autonomous vehicle prediction systems have played a familiar game: take a real trajectory, add carefully calculated noise, and watch the model fail. These perturbation-based attacks revealed vulnerabilities, yes, but they also revealed their own presence—subtle jerks and jitters that anomaly detectors could flag, defensive filters could smooth, and safety engineers could guard against. But what if the attack didn’t look like noise at all? What if it looked like a perfectly reasonable lane change, executed with human-like smoothness, yet designed from the ground up to make the self-driving car catastrophically misjudge where you’re going?

That is precisely what a team from Zhengzhou University has achieved with c-GAN (Conditional Generative Adversarial Network), a framework that abandons the perturbation paradigm entirely in favor of something far more insidious: generative reconstruction. Rather than tweaking existing trajectories, c-GAN learns to synthesize complete, physically plausible driving behaviors from the latent manifold of human motion—behaviors that are numerically close to real trajectories (MSE of just 0.212) yet capable of inducing prediction errors exceeding 13 meters and miss rates of 82.26%.

The implications are unsettling. While previous attacks exploited numerical instabilities—tiny deviations that gradient descent could optimize—c-GAN exposes something deeper: motion-semantic vulnerabilities, failures in the model’s fundamental understanding of driving intent. When a trajectory prediction model sees c-GAN’s crafted history, it doesn’t see an attack. It sees a fellow driver behaving normally. And that confidence is exactly what makes the subsequent prediction failure so dangerous.

The Perturbation Trap: Why Local Noise Has Reached Its Limits

Modern trajectory prediction models—architectures like Trajectron++, AgentFormer, and TNT—have become remarkably accurate at forecasting the future paths of surrounding vehicles. They process historical position data through LSTMs, graph neural networks, and transformers, outputting probability distributions over future trajectories that enable safe motion planning. Yet this sophistication masks a fragility that the security community has only begun to map.

Existing adversarial attacks on these systems fall into two camps, both fundamentally limited by their adherence to the perturbation-based paradigm. Optimization-based methods like SA-Attack iteratively adjust trajectory coordinates using gradient descent, searching for minimal perturbations that maximize prediction error while satisfying kinematic constraints. Generative variants like Adv-GAN train neural networks to output perturbation vectors, amortizing the optimization cost but still operating within the same conceptual framework: start with reality, add noise, induce failure.

The constraints of this approach are severe. By anchoring the search to a small neighborhood around the original trajectory—typically bounded by an $l_p$-norm ball—these methods cannot explore the broader space of plausible driving behaviors. They cannot, for instance, transform a “proceed straight” trajectory into one that plausibly signals “prepare to turn” without violating their own constraints. The perturbation magnitude required to fake such a distinct intent would exceed reasonable bounds, triggering defensive filters designed to catch exactly such deviations.

More fundamentally, perturbation methods test the wrong vulnerability. They probe a model’s robustness to sensor noise and adversarial jitter, not its understanding of driving semantics. Real-world safety failures in autonomous vehicles rarely stem from noisy inputs; they arise from misinterpretation of valid behaviors—a human driver signaling intent ambiguously, or executing an unusual but legal maneuver that the prediction model has never learned to parse correctly.

Key Takeaway

c-GAN identifies that perturbation-based attacks are inherently local—they cannot discover vulnerabilities requiring fundamentally different yet plausible driving behaviors. By shifting to generative reconstruction, the framework exposes motion-semantic vulnerabilities: failures in intent comprehension that persist even when inputs are kinematically perfect.

Generative Reconstruction: Synthesizing Deception from the Latent Manifold

Figure 1: The detailed architecture of our proposed Conditional GAN (c-GAN) framework for Stealthy Deception. Left Panel (Generator): The generator conditions the synthesis on the Ground-Truth History $𝐻_{𝑟𝑒𝑎𝑙}$, Context $𝑐$, and Latent Noise $𝑧$. It utilizes a single-layer LSTM encoder $Hidden: 64$ to extract intent features, which are concatenated with noise and context, then mapped to a 256-dim latent space via a Pre-processing MLP. A 2-layer LSTM decoder $Hidden: 128$ subsequently reconstructs the Adversarial History $𝐻_{𝑎𝑑𝑣}$ coordinates. Right Panel (Critic): The critic acts as a discriminator, employing a 2-layer LSTM encoder (Hidden: 128) followed by a sequential 3-layer MLP classifier $128→64→32→1$ to output a raw realness logit. Bottom (Losses): The framework is trained via a multi-objective loss function, integrating Adversarial Loss $(L_{adv})$, Similarity Loss $(L_{sim})$, Kinematic Loss $(L_{kin})$, and Deception Loss $(L_{Dec})$ computed by the frozen Target Predictor.

The theoretical breakthrough of c-GAN rests on a simple observation: if the goal is to generate trajectories that are both adversarial and stealthy, why start with a real trajectory at all? Why not learn to generate plausible trajectories directly, conditioning the generation on the real history to maintain contextual coherence while allowing the freedom to manipulate behavioral intent?

This generative reconstruction paradigm inverts the traditional attack formulation. Instead of optimizing an additive noise vector $\delta$ such that $\mathcal{F}(H_{real} + \delta)$ yields erroneous predictions, c-GAN learns a generator $G$ that samples from the conditional distribution:

Eq. 1 — Conditional Generative Reconstruction $$H_{adv} = G(z, c, H_{real}) = \text{Decoder}(\text{Encoder}(H_{real}), z, c)$$

Here, $z \sim \mathcal{N}(0, I)$ is random noise, $c = \{p_{t_0}, v_{t_0}\}$ provides initial context, and $H_{real}$ serves as the conditioning input. The encoder compresses the real history into a latent intent representation $h_{cond}$, which the decoder uses to synthesize an entirely new trajectory. Crucially, this synthesis is not constrained to be close to $H_{real}$ in Euclidean space—it need only be plausible according to the learned data distribution and similar enough to avoid detection.

The architectural implications are profound. While Adv-GAN outputs a perturbation $\delta$ to be added to $H_{real}$, c-GAN outputs coordinates directly. This allows non-linear behavioral modifications that extend beyond the linear search space of additive perturbations. The generator can, for instance, subtly adjust the curvature profile of a trajectory to suggest an earlier turn initiation—a semantic manipulation that would require large, detectable perturbations under the old paradigm but appears naturally in c-GAN’s reconstructed output.

The search space transformation is equally significant. Perturbation methods explore an $l_p$-norm ball around a point—convex, bounded, and local. c-GAN explores the behavioral manifold—the non-linear, high-dimensional surface of human-like driving behaviors learned from data. This manifold contains trajectories that are kinematically valid, contextually appropriate, yet adversarially potent in ways that local optimization cannot reach.

“We design and implement a novel ‘generative reconstruction’ framework for adversarial attacks, utilizing Generative Adversarial Networks to directly reconstruct complete, kinematically plausible, yet behaviorally deceptive historical trajectories from the learned latent manifold.” — Jia et al., Expert Systems With Applications, 2026

The Architecture of Stealth: How c-GAN Balances Competing Objectives

Training a generator to produce adversarial trajectories presents a fundamental tension. The outputs must be effective—inducing large prediction errors—but also stealthy—avoiding detection by both statistical anomaly filters and human inspection. They must be physically plausible—satisfying velocity, acceleration, and jerk limits—while being behaviorally deceptive—misleading the target model about true intent.

c-GAN resolves this through a sophisticated multi-objective loss function that navigates four competing constraints:

Adversarial Loss ($\mathcal{L}_{adv}$): Fooling the Critic

The generator plays a min-max game against a critic network $C$ trained to distinguish real trajectories from generated ones. The adversarial loss pushes the generator’s outputs toward the real data manifold:

Eq. 2 — Adversarial Loss $$\mathcal{L}_{adv} = -\mathbb{E}_{z \sim p(z)}[\log(C(G(z, c, H_{real})))]$$

Similarity Loss ($\mathcal{L}_{similarity}$): Maintaining Stealth

To ensure the attack remains visually indistinguishable from the ground truth, c-GAN enforces mean squared error (MSE) between generated and real histories. This acts as a strong regularizer, preventing the generator from producing overt, easily detectable deviations:

Eq. 3 — Similarity Loss for Stealthiness $$\mathcal{L}_{similarity} = \frac{1}{|H|}\sum_{t=t_0}^{t_1} \|p_t^{adv} – p_t^{real}\|_2^2$$

Kinematic Loss ($\mathcal{L}_{kinematic}$): Ensuring Physical Plausibility

Real vehicles cannot execute arbitrary motions—they are constrained by physics and passenger comfort. The kinematic loss penalizes high acceleration and jerk, ensuring generated trajectories respect these limits:

Eq. 4 — Kinematic Smoothness Constraints $$\mathcal{L}_{kinematic} = \mathbb{E}_{H_{adv}}\left[w_v\|\dot{p}_t\|^2 + w_a\|\ddot{p}_t\|^2 + w_j\|\dddot{p}_t\|^2\right]$$

Deception Loss ($\mathcal{L}_{attack}$): Maximizing Prediction Error

Finally, the attack loss provides direct gradient signal from the frozen target predictor $\mathcal{F}$, teaching the generator to maximize Final Displacement Error (FDE):

Eq. 5 — Deception Objective $$\mathcal{L}_{attack} = -\text{FDE}(\mathcal{F}(H_{adv}), Y_{real})$$

The complete generator loss combines these terms with calibrated weights: $\mathcal{L}_G = \mathcal{L}_{adv} + w_{kin}\mathcal{L}_{kinematic} + w_{sim}\mathcal{L}_{similarity} + w_{attack}\mathcal{L}_{attack}$. This formulation is the key to c-GAN’s success—it does not sacrifice effectiveness for stealthiness, or physical plausibility for attack potency. Instead, it finds a “sweet spot” on the behavioral manifold where all constraints are satisfied simultaneously.

The Ablation Reality: Why Every Component Matters

The research team conducted rigorous ablation studies to validate that each loss component is not merely decorative but essential for functional attacks. The results reveal how quickly the framework collapses when any constraint is removed.

Without the Deception Loss: Removing $\mathcal{L}_{attack}$ causes the attack FDE to plummet from 13.08m to 9.26m—barely worse than the no-attack baseline of 7.65m. The generator loses all adversarial capability, producing trajectories that are stealthy (MSE 0.14) but benign. This confirms that without direct gradient signal from the victim model, the generator cannot learn to craft effective deceptions.

Without the Similarity Loss: The MSE explodes from 0.212 to 11,840.05—a complete collapse in stealthiness. The generated trajectory detaches entirely from the ground truth, producing an FDE of 153.91m that, while large, would be instantly flagged by any anomaly detector. Freed from the similarity constraint, the generator pursues unconstrained attack optimization, creating overt, impractical attacks.

Without the Kinematic Loss: The Kinematic Violation Rate (KVR) soars from 0% to 79.08%. The generator produces physically implausible trajectories with unnatural jerkiness—technically adversarial but easily filtered by real-world systems enforcing basic physics constraints. The attack exists but cannot survive deployment.

Model Variant	Attack FDE (m) ↑	Stealthiness (MSE) ↓	Kinematic Violation Rate ↓
Full c-GAN (Proposed)	13.08 ± 0.15	0.212 ± 0.01	0.00%
w/o Attack Loss	9.26 ± 0.11	0.14 ± 0.01	0.00%
w/o Similarity Loss	153.91 ± 12.4	11840 ± 542	0.45%
w/o Kinematic Loss	14.09 ± 0.22	0.18 ± 0.02	79.08%

Table 1: Ablation study results demonstrating that all loss components are essential. Removing any single component causes catastrophic failure in either effectiveness, stealthiness, or physical plausibility.

Experimental Validation: From Benchmark Dominance to Cross-Domain Transfer

c-GAN’s validation on the nuScenes dataset—1000 driving scenes from Boston and Singapore—demonstrates consistent superiority over perturbation-based baselines. The framework achieves an 82.26% Miss Rate (MR) and 13.08m FDE, significantly outperforming both optimization-based SA-Attack (71.8% MR, 12.17m FDE) and perturbation-generative Adv-GAN (79.3% MR, 9.04m FDE).

But raw numbers only tell part of the story. The critical metric is the effectiveness-stealthiness trade-off. While SA-Attack achieves comparable FDE, its MSE of 0.25 indicates larger visible deviations. Adv-GAN’s MSE of 0.30 is worse still, and its lower FDE reveals less consistent attack potency. c-GAN’s MSE of 0.212— the lowest among all methods—confirms that its attacks are numerically closest to real trajectories while maintaining the highest miss rate.

More alarming is the cross-model and cross-domain transfer. When c-GAN trajectories generated for Trajectron++ (a CVAE-RNN architecture) were used to attack Grip++ (a GNN-based model) on the Apolloscape dataset (Chinese cities, distinct from nuScenes’ Boston/Singapore distribution), the attack remained devastating: FDE increased from 1.50m baseline to 14.88m, with Miss Rate nearly doubling from 43.06% to 82.56%.

This transferability suggests that c-GAN has discovered fundamental motion-semantic vulnerabilities shared across architecture families and geographic domains. The vulnerabilities are not quirks of a particular model’s implementation but inherent limitations in how data-driven predictors learn to interpret kinematic patterns. They learn the statistics of motion without acquiring the causal understanding of intent that would make them robust to semantic deception.

Key Takeaway

c-GAN’s attacks transfer across models and domains without fine-tuning, indicating that motion-semantic vulnerabilities are architectural rather than incidental. The framework exposes a fundamental brittleness in how prediction models infer intent from trajectory dynamics.

The Efficiency Advantage: Real-Time Attack Generation

Beyond effectiveness and stealthiness, practical deployment of adversarial testing tools requires computational efficiency. Optimization-based methods like SA-Attack require iterative gradient calculations—typically 100 steps per trajectory—resulting in latency of 1,240ms on modern hardware. This far exceeds the 100ms planning cycles typical of autonomous vehicle systems, rendering such methods unsuitable for real-time robustness testing.

c-GAN, by contrast, functions as a “one-pass” generator. Once trained, adversarial trajectory generation requires only a forward pass through the network, achieving inference times of 5.8ms—a 214× speedup over optimization baselines. This efficiency places c-GAN well within real-time operational constraints, enabling online robustness testing and continuous security evaluation during development.

The robustness to input noise further distinguishes c-GAN from optimization methods. When Gaussian noise (\$\sigma = 0.5m\$) is injected into ground-truth histories, SA-Attack’s FDE collapses from 12.17m to 7.85m—effectively neutralized. c-GAN’s FDE remains stable at 12.20m, showing minimal degradation. The LSTM encoder acts as a denoising filter, compressing noisy inputs into stable latent representations from which the decoder reconstructs consistent adversarial outputs.

The Nature of Motion-Semantic Vulnerability

The central insight of this work is that trajectory prediction models, despite their architectural sophistication, function as sophisticated curve-fitters with brittle understanding of high-level context. They learn to predict future positions by recognizing statistical patterns in historical data, not by reasoning about the causal factors—driver intent, traffic rules, environmental constraints—that actually determine motion.

c-GAN exploits this gap by generating trajectories that are statistically plausible (passing the critic’s realism test) yet causally deceptive (inducing intent misclassification). A trajectory showing “deceleration followed by lateral shift” semantically encodes “intent to change lanes,” but the specific kinematic profile—how abruptly the deceleration occurs, how early the lateral movement begins—can be tuned to suggest different intents without violating physical constraints.

The success of these attacks in a zero-context setting—where the prediction model receives only historical trajectory data, without HD maps or neighboring agent information—is particularly revealing. It isolates the vulnerability of the motion encoder itself, demonstrating that models can be deceived into misinterpreting kinematic patterns without any manipulation of map-based semantics. This represents a failure in fundamental physical reasoning, not merely a lack of contextual information.

Implications for defense are sobering. Traditional defenses designed to detect or smooth large, jerky perturbations will be completely ineffective against c-GAN’s smooth, statistically consistent outputs. Future robust predictors must incorporate explicit semantic rule-checking, causal reasoning capabilities, or adversarial training using generative frameworks like c-GAN itself.

What This Work Actually Means

The achievement of c-GAN is demonstrating that the most dangerous attacks on autonomous systems may not be those that exploit implementation flaws or sensor noise, but those that speak the system’s own language better than the system understands itself. By learning to generate human-like driving behaviors from the latent manifold of motion, c-GAN creates adversarial examples that are not bugs to be patched but semantic illusions that expose fundamental limitations in machine understanding.

For practitioners, c-GAN offers a template for next-generation robustness testing: train generative models to synthesize physically plausible but semantically deceptive inputs, evaluate target systems against these synthesized behaviors, and use the discovered vulnerabilities to guide architectural improvements. The framework’s efficiency and transferability make it suitable for continuous integration pipelines, where prediction models can be automatically stress-tested against an evolving library of adversarial maneuvers.

The research also carries a warning about the current state of autonomous driving safety. If state-of-the-art predictors can be consistently deceived by trajectories that are visually indistinguishable from normal driving—achieving 82% miss rates without any accuracy loss in the attack generation—then the gap between benchmark performance and real-world robustness remains substantial. The metrics we optimize for (ADE, FDE on clean data) do not capture the semantic reasoning capabilities that would make models truly reliable.

In the end, c-GAN succeeds because it respects the physics of driving while ruthlessly exploiting the statistics of prediction. It recognizes that autonomous vehicles will share roads with human drivers whose behaviors are complex, ambiguous, and occasionally deceptive—and that prediction systems must be robust not just to noise, but to the full spectrum of plausible human motion, including motion designed to mislead.

The trajectory, it turns out, was never just a sequence of coordinates. It was a statement of intent. And c-GAN learned to lie with perfect sincerity.

Conceptual Framework Implementation (Python)

The implementation below illustrates the core mechanisms of c-GAN: conditional trajectory generation, multi-objective loss computation, and the structural differences from perturbation-based attacks. This educational code demonstrates the generative reconstruction paradigm described in the paper.

# ─────────────────────────────────────────────────────────────────────────────
# c-GAN: Conditional GAN for Stealthy Adversarial Trajectory Generation
# Jia, Xiong, Luo, Cao · Expert Systems With Applications, 2026
# Conceptual implementation of generative reconstruction attack framework
# ─────────────────────────────────────────────────────────────────────────────

import torch
import torch.nn as nn
import torch.nn.functional as F
from typing import Tuple, Optional
from dataclasses import dataclass


# ─── Section 1: Conditional Generator Architecture ───────────────────────────

class TrajectoryEncoder(nn.Module):
    """
    LSTM-based encoder extracting behavioral intent from ground-truth history.
    Maps H_real to latent condition vector h_cond (Eq. 1 in paper).
    """
    
    def __init__(self, input_dim: int = 2, hidden_dim: int = 64):
        super().__init__()
        self.lstm = nn.LSTM(input_dim, hidden_dim, batch_first=True)
        
    def forward(self, H_real: torch.Tensor) -> torch.Tensor:
        """
        Args:
            H_real: Ground-truth history (batch, seq_len, 2) - (x, y) coordinates
        Returns:
            h_cond: Condition vector capturing behavioral intent (batch, hidden_dim)
        """
        _, (h_n, _) = self.lstm(H_real)
        return h_n.squeeze(0)  # Final hidden state as intent representation


class TrajectoryDecoder(nn.Module):
    """
    LSTM-based decoder synthesizing adversarial history from latent representation.
    Generates H_adv coordinates directly (not perturbations) via autoregressive 
    reconstruction (Section 3.3.1).
    """
    
    def __init__(self, 
                 latent_dim: int = 256, 
                 hidden_dim: int = 128,
                 output_dim: int = 2,
                 seq_len: int = 8):
        super().__init__()
        self.seq_len = seq_len
        self.hidden_dim = hidden_dim
        
        # Pre-processing MLP: combines noise, context, and condition
        self.pre_mlp = nn.Sequential(
            nn.Linear(latent_dim, hidden_dim),
            nn.ReLU(),
            nn.Linear(hidden_dim, hidden_dim)
        )
        
        # Autoregressive LSTM decoder
        self.lstm = nn.LSTM(output_dim, hidden_dim, num_layers=2, 
                           batch_first=True)
        self.output_proj = nn.Linear(hidden_dim, output_dim)
        
    def forward(self, 
                z: torch.Tensor, 
                c: torch.Tensor,
                h_cond: torch.Tensor) -> torch.Tensor:
        """
        Args:
            z: Random noise (batch, noise_dim)
            c: Initial context [p_t0, v_t0] (batch, 4)
            h_cond: Condition vector from encoder (batch, hidden_dim)
        Returns:
            H_adv: Generated adversarial trajectory (batch, seq_len, 2)
        """
        batch_size = z.size(0)
        
        # Combine latent inputs
        latent = torch.cat([z, c, h_cond], dim=-1)
        hidden = self.pre_mlp(latent).unsqueeze(0).repeat(2, 1, 1)
        # (num_layers, batch, hidden_dim)
        
        # Autoregressive generation
        outputs = []
        input_t = c[:, :2].unsqueeze(1)  # Start with initial position
        
        for t in range(self.seq_len):
            out, hidden = self.lstm(input_t, (hidden, torch.zeros_like(hidden)))
            coord = self.output_proj(out[:, -1, :])
            outputs.append(coord.unsqueeze(1))
            input_t = coord.unsqueeze(1)  # Next input is current output
            
        return torch.cat(outputs, dim=1)


class Critic(nn.Module):
    """
    LSTM-based discriminator distinguishing real from generated trajectories.
    Provides adversarial loss signal for generator training (Section 3.3.2).
    """
    
    def __init__(self, input_dim: int = 2, hidden_dim: int = 128):
        super().__init__()
        self.encoder = nn.LSTM(input_dim, hidden_dim, num_layers=2, 
                              batch_first=True)
        self.classifier = nn.Sequential(
            nn.Linear(hidden_dim, 64),
            nn.LeakyReLU(0.2),
            nn.Linear(64, 32),
            nn.LeakyReLU(0.2),
            nn.Linear(32, 1)
        )
        
    def forward(self, trajectory: torch.Tensor) -> torch.Tensor:
        """Returns logit: higher = more likely real"""
        _, (h_n, _) = self.encoder(trajectory)
        return self.classifier(h_n[-1]).squeeze(-1)


# ─── Section 2: Multi-Objective Loss Functions ───────────────────────────────

class CGANLoss:
    """
    Implements four-component loss from Section 3.3.3:
    L_G = L_adv + w_kin * L_kinematic + w_sim * L_similarity + w_attack * L_attack
    """
    
    def __init__(self, 
                 w_kin: float = 50.0,
                 w_sim: float = 100.0,
                 w_attack: float = 1.0):
        self.w_kin = w_kin
        self.w_sim = w_sim
        self.w_attack = w_attack
        
    def adversarial_loss(self, 
                         critic_scores: torch.Tensor) -> torch.Tensor:
        """L_adv = -E[log(C(G(z, c, H_real)))] (Eq. 2)"""
        return -torch.log(torch.sigmoid(critic_scores) + 1e-8).mean()
    
    def similarity_loss(self,
                        H_adv: torch.Tensor,
                        H_real: torch.Tensor) -> torch.Tensor:
        """L_similarity = MSE(H_adv, H_real) (Eq. 3)"""
        return F.mse_loss(H_adv, H_real)
    
    def kinematic_loss(self,
                       H_adv: torch.Tensor,
                       w_v: float = 0.01,
                       w_a: float = 1.0,
                       w_j: float = 1.0) -> torch.Tensor:
        """
        L_kinematic penalizes velocity, acceleration, jerk (Eq. 4).
        Enforces physical plausibility via finite differences.
        """
        # Compute derivatives via finite differences
        velocity = H_adv[:, 1:, :] - H_adv[:, :-1, :]  # (batch, seq-1, 2)
        accel = velocity[:, 1:, :] - velocity[:, :-1, :]  # (batch, seq-2, 2)
        jerk = accel[:, 1:, :] - accel[:, :-1, :]  # (batch, seq-3, 2)
        
        loss = (w_v * velocity.pow(2).mean() + 
                w_a * accel.pow(2).mean() + 
                w_j * jerk.pow(2).mean())
        return loss
    
    def deception_loss(self,
                       H_adv: torch.Tensor,
                       target_predictor: nn.Module,
                       Y_real: torch.Tensor) -> torch.Tensor:
        """
        L_attack = -FDE(F(H_adv), Y_real) (Eq. 5).
        Negative FDE because we maximize prediction error.
        """
        with torch.no_grad():
            Y_pred = target_predictor(H_adv)
        # FDE: Final Displacement Error (Euclidean distance at final timestep)
        fde = torch.norm(Y_pred[:, -1, :] - Y_real[:, -1, :], dim=-1).mean()
        return -fde  # Negative to maximize
    
    def total_generator_loss(self, **kwargs) -> torch.Tensor:
        """Combine all loss components with weights"""
        loss = (self.adversarial_loss(kwargs['critic_scores']) +
                self.w_kin * self.kinematic_loss(kwargs['H_adv']) +
                self.w_sim * self.similarity_loss(kwargs['H_adv'], 
                                                      kwargs['H_real']) +
                self.w_attack * self.deception_loss(kwargs['H_adv'],
                                                      kwargs['target_predictor'],
                                                      kwargs['Y_real']))
        return loss


# ─── Section 3: Complete c-GAN Framework ─────────────────────────────────────

class CGANAttackFramework(nn.Module):
    """
    Complete c-GAN for Stealthy Deception (Figure 2 in paper).
    Conditions generation on ground-truth history to ensure context-aware,
    behaviorally consistent attacks.
    """
    
    def __init__(self,
                 history_len: int = 8,
                 future_len: int = 12,
                 hidden_dim: int = 128,
                 noise_dim: int = 64):
        super().__init__()
        self.noise_dim = noise_dim
        
        self.encoder = TrajectoryEncoder(input_dim=2, hidden_dim=64)
        self.decoder = TrajectoryDecoder(
            latent_dim=64 + 4 + 64,  # noise + context + h_cond
            hidden_dim=hidden_dim,
            output_dim=2,
            seq_len=history_len
        )
        self.critic = Critic(input_dim=2, hidden_dim=128)
        self.loss_fn = CGANLoss(w_kin=50.0, w_sim=100.0, w_attack=1.0)
        
    def generate(self, 
                 H_real: torch.Tensor,
                 context: torch.Tensor) -> torch.Tensor:
        """
        Generate adversarial trajectory conditioned on real history.
        
        Args:
            H_real: Ground-truth history (batch, 8, 2)
            context: Initial position and velocity (batch, 4)
        Returns:
            H_adv: Stealthy adversarial history (batch, 8, 2)
        """
        batch_size = H_real.size(0)
        z = torch.randn(batch_size, self.noise_dim, device=H_real.device)
        h_cond = self.encoder(H_real)
        H_adv = self.decoder(z, context, h_cond)
        return H_adv
    
    def forward(self, H_real: torch.Tensor, context: torch.Tensor):
        """Alias for generate"""
        return self.generate(H_real, context)


# ─── Section 4: Comparison with Perturbation-Based Attacks ───────────────────

class PerturbationAttack(nn.Module):
    """
    Baseline perturbation-generative attack (e.g., Adv-GAN).
    Generates additive noise rather than reconstructing trajectories.
    Demonstrates fundamental difference from c-GAN paradigm.
    """
    
    def __init__(self, history_len: int = 8, noise_dim: int = 64):
        super().__init__()
        self.noise_generator = nn.Sequential(
            nn.Linear(noise_dim, 128),
            nn.ReLU(),
            nn.Linear(128, history_len * 2)
        )
        
    def forward(self, H_real: torch.Tensor, z: torch.Tensor) -> torch.Tensor:
        """
        Generates perturbation delta and adds to H_real.
        Constrained to local neighborhood (perturbation paradigm).
        """
        batch_size = H_real.size(0)
        delta = self.noise_generator(z).view(batch_size, -1, 2)
        return H_real + delta  # Local perturbation vs. generative reconstruction


# ─── Section 5: Demonstration ────────────────────────────────────────────────

if __name__ == "__main__":
    """
    Demonstration of c-GAN generative reconstruction vs. perturbation baselines.
    Shows architectural differences and attack characteristics.
    """
    
    print("=" * 70)
    print("c-GAN: Conditional GAN for Stealthy Adversarial Trajectory Attacks")
    print("Jia et al. · Expert Systems With Applications, 2026")
    print("=" * 70)
    
    # Configuration
    batch_size = 32
    history_len = 8  # 4 seconds at 2Hz
    
    # Synthetic data
    H_real = torch.randn(batch_size, history_len, 2)  # Ground-truth histories
    context = torch.randn(batch_size, 4)  # [x0, y0, vx0, vy0]
    Y_real = torch.randn(batch_size, 12, 2)  # Future ground truth
    
    # Phase 1: c-GAN Generative Reconstruction
    print("\n[1] c-GAN: Generative Reconstruction Paradigm")
    cgan = CGANAttackFramework(history_len=history_len)
    H_adv_cgan = cgan(H_real, context)
    print(f"    Input H_real shape: {H_real.shape}")
    print(f"    Output H_adv shape: {H_adv_cgan.shape}")
    print("    ✓ Generates complete trajectory from latent manifold")
    print("    ✓ Conditioned on H_real for behavioral consistency")
    print("    ✓ Search space: Behavioral manifold (non-local)")
    
    # Phase 2: Perturbation Baseline
    print("\n[2] Baseline: Perturbation-Generative (Adv-GAN style)")
    perturb = PerturbationAttack(history_len=history_len)
    z = torch.randn(batch_size, 64)
    H_adv_pert = perturb(H_real, z)
    print(f"    Output H_adv shape: {H_adv_pert.shape}")
    print("    ✓ Generates additive noise delta")
        print("    ✓ Constrained to local neighborhood (l_p ball)")
    print("    ✓ Limited to numerical deviations, not semantic changes")
    
    # Phase 3: Key differences
    print("\n[3] Paradigm Comparison")
    print("    Metric                    | Perturbation    | c-GAN (Ours)")
    print("    --------------------------|-----------------|----------------")
    print("    Synthesis Mechanism       | x + delta       | Decoder(z, c, H)")
    print("    Search Space              | Local (l_p)     | Behavioral Manifold")
    print("    Semantic Manipulation     | Limited         | Full (non-linear)")
    print("    Stealthiness (MSE)        | ~0.25-0.30      | 0.212 (best)")
    print("    Attack Effectiveness (MR) | ~72-79%         | 82.26% (best)")
    print("    Inference Speed           | 1240ms (opt)    | 5.8ms (real-time)")
    
    # Phase 4: Multi-objective loss demonstration
    print("\n[4] Multi-Objective Loss Components")
    critic_scores = cgan.critic(H_adv_cgan)
    loss_components = {
        'L_adv': cgan.loss_fn.adversarial_loss(critic_scores).item(),
        'L_sim': cgan.loss_fn.similarity_loss(H_adv_cgan, H_real).item(),
        'L_kin': cgan.loss_fn.kinematic_loss(H_adv_cgan).item(),
    }
    for name, val in loss_components.items():
        print(f"    {name}: {val:.4f}")
    print("    ✓ Balanced optimization across all constraints")
    
    # Phase 5: Architecture summary
    print("\n[5] c-GAN Architecture Summary:")
    print("    Core Innovation: Generative reconstruction (not perturbation)")
    print("    Key Components:")
    print("      - Encoder: LSTM extracts intent from H_real (hidden: 64)")
    print("      - Decoder: LSTM synthesizes H_adv from latent (hidden: 128)")
    print("      - Critic: LSTM+MLP distinguishes real vs. fake")
    print("      - Loss: 4-way balance (adv + kinematic + similarity + attack)")
    print("    Results: 82.26% MR, 13.08m FDE, 0.212 MSE, 214× speedup")
    
    print("\n" + "=" * 70)
    print("c-GAN exposes motion-semantic vulnerabilities through")
    print("behaviorally plausible, generative adversarial attacks.")
    print("=" * 70)

Access the Paper and Resources

The full c-GAN framework details and experimental protocols are available in Expert Systems With Applications. This research was conducted by the School of Cyber Science and Engineering at Zhengzhou University and published in February 2026.

📄 Read the Paper (ScienceDirect) 🏛️ Zhengzhou University

Academic Citation:
Jia, H., Xiong, X., Luo, H., & Cao, Y. (2026). A conditional GAN-Based framework for generating stealthy adversarial attacks on autonomous vehicle trajectory prediction systems. Expert Systems With Applications, 314, 131622. https://doi.org/10.1016/j.eswa.2026.131622

This article is an independent editorial analysis of peer-reviewed research published in Expert Systems With Applications. The views and commentary expressed here reflect the editorial perspective of this site and do not represent the views of the original authors or their institutions. Code implementations are provided for educational purposes to illustrate the technical concepts described in the paper. Always refer to the original publication for authoritative details and official implementations.

Explore More on AI Systems Research

If this analysis sparked your interest, here is more of what we cover across the site — from foundational tutorials to the latest research breakthroughs in efficient machine learning, recommendation systems, and industrial AI deployment.

Homepage Latest research breakdowns, trending papers, and editorial picks in AI systems

→

Machine Learning Architecture reviews, training techniques, and theoretical foundations

→

Computer-Vision Adversarial attacks, defensive techniques, and secure system design

→

Contact Reach out for collaboration, corrections, or paper submission requests

→