KNN-Defense: Defense against 3D Adversarial Point Clouds using Nearest-Neighbor Search (2506.06906v1)

Abstract: Deep neural networks (DNNs) have demonstrated remarkable performance in analyzing 3D point cloud data. However, their vulnerability to adversarial attacks-such as point dropping, shifting, and adding-poses a critical challenge to the reliability of 3D vision systems. These attacks can compromise the semantic and structural integrity of point clouds, rendering many existing defense mechanisms ineffective. To address this issue, a defense strategy named KNN-Defense is proposed, grounded in the manifold assumption and nearest-neighbor search in feature space. Instead of reconstructing surface geometry or enforcing uniform point distributions, the method restores perturbed inputs by leveraging the semantic similarity of neighboring samples from the training set. KNN-Defense is lightweight and computationally efficient, enabling fast inference and making it suitable for real-time and practical applications. Empirical results on the ModelNet40 dataset demonstrated that KNN-Defense significantly improves robustness across various attack types. In particular, under point-dropping attacks-where many existing methods underperform due to the targeted removal of critical points-the proposed method achieves accuracy gains of 20.1%, 3.6%, 3.44%, and 7.74% on PointNet, PointNet++, DGCNN, and PCT, respectively. These findings suggest that KNN-Defense offers a scalable and effective solution for enhancing the adversarial resilience of 3D point cloud classifiers. (An open-source implementation of the method, including code and data, is available at https://github.com/nimajam41/3d-knn-defense).

• The paper introduces a novel nearest-neighbor approach that restores perturbed 3D point clouds to improve classification robustness.
• It achieves up to 20.1% accuracy gains on PointNet and notable improvements on DGCNN and PCT against point-dropping attacks.
• KNN-Defense integrates with pretrained models without architectural changes, offering a scalable and efficient defense mechanism.

Defense Strategy Against 3D Adversarial Point Clouds Using Nearest-Neighbor Techniques

The paper presents KNN-Defense, a novel approach aimed at addressing the susceptibility of deep neural networks (DNNs) to adversarial attacks within the context of 3D point cloud data processing. This vulnerability affects the semantic scaffolding and structural integrity of point cloud-based systems, notably compromising applications in domains such as autonomous vehicles and robotics. Traditional DNN training and adversarial defense strategies have primarily focused on surface reconstruction and maintaining geometric priors, limitations which KNN-Defense aims to overcome through feature space manipulation grounded in the manifold assumption.

The essence of KNN-Defense lies in its utilization of the manifold assumption which posits that adversarial point clouds deviate from a lower-dimensional manifold occupied by clean data. The proposed defense mechanism restores perturbed samples by identifying and relying on semantically similar training instances residing within this manifold. Through efficient nearest-neighbor searches in feature space, KNN-Defense reestablishes the affinity between clean data points and adversarial inputs, thereby countering the effects of various attack modalities—including point dropping, shifting, and adding—without extensive computational overhead.

Notably, experimental evaluation on ModelNet40 highlights substantial improvements in classification accuracy under adversarial stress. With the targeted point-dropping attacks, significant accuracy enhancements were realized—e.g., upsurges of 20.1\% with PointNet, and improvements straddling 3.44\% to 7.74\% for networks like DGCNN and PCT. These robust empirical results underscore the efficacy and scalability of KNN-Defense, marking it as a competitive choice amidst existing defense mechanisms.

The implications of KNN-Defense span several dimensions:

1. Scalability and Efficiency: Its lightweight algorithmic structure supports fast inference times, well-suited for deployment within real-time systems constrained by computational resources.
2. Generality Across Attacks: Uniquely, the method does not confine its efficacy to specific attack types, demonstrating versatility in countering various adversarial strategies without needing attack-specific tailoring.
3. Architectural Independence: KNN-Defense operates on pretrained models without necessitating architectural modifications, preserving the integrity of established systems while enhancing adversarial robustness.
4. Practical Deployment: With accompanying released code and datasets, practical application and further experimentation is facilitated for researchers and engineers.

Future avenues in AI could further explore integrating manifold-based methods with other dimensional reduction techniques to bolster defense mechanisms against increasingly complex adversarial threats. Deriving adaptable architectures leveraging the manifold assumption could catalyze developments in real-time decision systems, further reinforcing the position of KNN-Defense in the broad domain of AI security research.