Geometric Adversarial Attacks and Defenses on 3D Point Clouds (2012.05657v3)

Abstract: Deep neural networks are prone to adversarial examples that maliciously alter the network's outcome. Due to the increasing popularity of 3D sensors in safety-critical systems and the vast deployment of deep learning models for 3D point sets, there is a growing interest in adversarial attacks and defenses for such models. So far, the research has focused on the semantic level, namely, deep point cloud classifiers. However, point clouds are also widely used in a geometric-related form that includes encoding and reconstructing the geometry. In this work, we are the first to consider the problem of adversarial examples at a geometric level. In this setting, the question is how to craft a small change to a clean source point cloud that leads, after passing through an autoencoder model, to the reconstruction of a different target shape. Our attack is in sharp contrast to existing semantic attacks on 3D point clouds. While such works aim to modify the predicted label by a classifier, we alter the entire reconstructed geometry. Additionally, we demonstrate the robustness of our attack in the case of defense, where we show that remnant characteristics of the target shape are still present at the output after applying the defense to the adversarial input. Our code is publicly available at https://github.com/itailang/geometric_adv.

Geometric Adversarial Attacks and Defenses on 3D Point Clouds

The academic paper titled "Geometric Adversarial Attacks and Defenses on 3D Point Clouds" addresses a relatively unexplored domain in the field of adversarial machine learning, focusing on the geometric vulnerabilities of deep learning models that process 3D point cloud data. Point clouds are a fundamental representation of 3D data, utilized extensively in applications ranging from object detection and classification to environmental perception for autonomous systems.

Key Contributions

This work introduces the concept of geometric adversarial attacks that differ significantly from traditional semantic attacks. Instead of altering the semantic label predictions of a classifier, this research demonstrates the feasibility of manipulating the geometric reconstruction output of an autoencoder (AE) model, leading to a fundamentally different reconstructed shape at the output.

• Geometric Attack Framework: The authors propose two types of attacks:
  1. Latent Space Attack: This gray-box attack targets the latent space of an autoencoder. By manipulating the latent representation of a clean input, the attack aims to reconstruct a target shape that is geometrically distinct while maintaining minimal distortion to the original input.
  2. Output Space Attack: In a white-box setting, this attack directly optimizes the output space of the AE to match a desired target geometry. This approach yields superior performance in terms of minimizing reconstruction errors compared to the latent space attack.

• Evaluation of Attack Efficacy: The paper reports numerical results indicating that the output space attack achieves a target normalized reconstruction error (T NRE) of 1.11, indicating an 11% increase over the autoencoder's baseline error, with only 24 off-surface points (OS). These metrics highlight the attack's effectiveness in altering the reconstruction while maintaining proximity to the target geometry.

• Defensive Strategies: To counteract these geometric attacks, the paper evaluates two defenses:

  1. Off-Surface Point Removal: This mechanism involves filtering out points in the adversarial input that deviate significantly from the surface of the shape.
  2. Critical Points Removal: Leveraging the architecture of point cloud models, this defense identifies and omits critical points that significantly influence the latent representation, thereby mitigating the adversarial effect.

Practical and Theoretical Implications

The research uncovers significant implications for safety-critical applications where 3D models are employed, such as in autonomous navigation or robotic manipulation. The demonstrated vulnerabilities highlight the need for robust defense mechanisms capable of preserving the geometric integrity of point clouds against adversarial inputs.

Additionally, this research invites further exploration into the robustness of geometry-based models beyond classification tasks. Future work might explore hybrid methods that combine semantic and geometric defenses or develop more sophisticated adversarial training routines tailored for 3D point cloud synthesis.

Conclusion and Future Directions

The findings underscore a crucial dimension of vulnerability in geometric data processing, suggesting a need for broader adversarial research that encompasses both semantic and geometric aspects. Researchers are encouraged to consider the interaction between topology and adversarial robustness, potentially extending current methodologies to encompass multi-modal data processing scenarios.

Overall, the paper "Geometric Adversarial Attacks and Defenses on 3D Point Clouds" contributes significantly to the field by expanding the paradigm of adversarial machine learning to encompass geometric transformations, offering a critical perspective on the security challenges faced by contemporary 3D data-driven models.