A new framework called TrajRS aims to give autonomous driving systems a mathematical proof that their pedestrian path predictions can withstand adversarial tampering.
Trajectory prediction — estimating where a pedestrian will move next — is a core input for self-driving decision systems. The problem: those models can be manipulated by adversarial attacks that subtly corrupt input data, causing the system to predict the wrong path and potentially take a dangerous action. Existing defenses are heuristic, meaning they hold up until someone finds a smarter attack. The TrajRS paper, posted to arXiv, extends a technique called Randomized Smoothing to trajectory prediction, producing a certified robust radius — a provable bound within which no perturbation can flip the model's output.
The distinction between a "certified" guarantee and a "hardened" one matters enormously in safety-critical systems. A heuristic defense can be broken by a sufficiently clever attacker; a certified guarantee cannot, by definition, within its stated bounds. The authors also split their framework into two distinct robustness modes: one covering only the top predicted path, and one covering the full distribution of possible paths — a more demanding and practically useful target.
The robotics and AV community has wrestled with adversarial fragility for years without settling on a standard verification approach, so a formal certification method tailored to trajectory models is a meaningful step — even if provable bounds in lab conditions do not always survive contact with the messiness of real roads.
