IEEE Trans Pattern Anal Mach Intell. 2023 Apr;45(4):4727-4746. doi: 10.1109/TPAMI.2022.3193449. Epub 2023 Mar 7.
Although many efforts have been made into attack and defense on the 2D image domain in recent years, few methods explore the vulnerability of 3D models. Existing 3D attackers generally perform point-wise perturbation over point clouds, resulting in deformed structures or outliers, which is easily perceivable by humans. Moreover, their adversarial examples are generated under the white-box setting, which frequently suffers from low success rates when transferred to attack remote black-box models. In this article, we study 3D point cloud attacks from two new and challenging perspectives by proposing a novel Imperceptible Transfer Attack (ITA): 1) Imperceptibility: we constrain the perturbation direction of each point along its normal vector of the neighborhood surface, leading to generated examples with similar geometric properties and thus enhancing the imperceptibility. 2) Transferability: we develop an adversarial transformation model to generate the most harmful distortions and enforce the adversarial examples to resist it, improving their transferability to unknown black-box models. Further, we propose to train more robust black-box 3D models to defend against such ITA attacks by learning more discriminative point cloud representations. Extensive evaluations demonstrate that our ITA attack is more imperceptible and transferable than state-of-the-arts and validate the superiority of our defense strategy.
尽管近年来在二维图像领域进行了许多攻击和防御的努力,但很少有方法探索三维模型的脆弱性。现有的三维攻击者通常对点云进行逐点的扰动,导致结构变形或出现异常点,这很容易被人类察觉。此外,他们的对抗样本是在白盒设置下生成的,当转移到攻击远程黑盒模型时,成功率通常较低。在本文中,我们从两个新的和具有挑战性的角度研究三维点云攻击,提出了一种新的不可察觉的传输攻击(ITA):1)不可察觉性:我们约束每个点的扰动方向沿着其邻域表面的法向量,从而生成具有相似几何性质的示例,从而提高不可察觉性。2)可转移性:我们开发了一种对抗变换模型来生成最有害的扭曲,并强制对抗样本抵抗这种扭曲,从而提高它们对未知黑盒模型的可转移性。此外,我们建议通过学习更具判别力的点云表示来训练更健壮的黑盒三维模型,以防御这种 ITA 攻击。广泛的评估表明,我们的 ITA 攻击比现有的方法更具不可察觉性和可转移性,并验证了我们防御策略的优越性。
