On Adversarial Robustness of 3D Point Cloud Classification under Adaptive Attacks

3D point clouds are playing pivotal roles in many safety-critical applications like autonomous driving, where adversarially robust 3D deep learning models are desired. In this study, we conduct the first security analysis of state-of-the-art (SOTA) defenses against 3D adversarial attacks and design adaptive evaluations on them. Our 100% adaptive attack success rates demonstrate that SOTA countermeasures are still fragile. We further present an in-depth study showing how adversarial training (AT) performs in point cloud classification and identify that the required symmetric function (pooling operation) is paramount to 3D models’ robustness. Through systematic analysis, we unveil that the default-used fixed pooling (e.g., MAX pooling) generally weakens AT’s effectiveness. Interestingly, we also discover that sorting-based parametric pooling significantly improves the models’ robustness. Based on the above insights, we propose DeepSym, a deep symmetric pooling operation, to architecturally advance the robustness of PointNet to 47.0% under AT without sacrificing nominal accuracy, outperforming the original design and a strong baseline by +28.5% (∼2.6×) and +6.5%, respectively.
