Isometric 3D Adversarial Examples in the Physical World Yibo Miao1 Yinpeng Dong23y Jun Zhu2345 Xiao-Shan Gao1y

2025-05-05 0 0 2.99MB 22 页 10玖币

侵权投诉

Isometric 3D Adversarial Examples in the

Physical World

Yibo Miao1, Yinpeng Dong2,3†, Jun Zhu2,3,4,5, Xiao-Shan Gao1†

1KLMM, UCAS, Academy of Mathematics and Systems Science,

Chinese Academy of Sciences, Beijing 100190, China

2Dept. of Comp. Sci. & Tech., Institute for AI, Tsinghua-Bosch Joint ML Center,

THBI Lab, BNRist Center, Tsinghua University, Beijing 100084, China

3RealAI 4Peng Cheng Laboratory 5Pazhou Laboratory (Huangpu), Guangzhou, China

yibomiao21@163.com, {dongyinpeng, dcszj}@tsinghua.edu.cn, xgao@mmrc.iss.ac.cn

Abstract

3D deep learning models are shown to be as vulnerable to adversarial examples

as 2D models. However, existing attack methods are still far from stealthy and

suffer from severe performance degradation in the physical world. Although 3D

data is highly structured, it is difﬁcult to bound the perturbations with simple

metrics in the Euclidean space. In this paper, we propose a novel



-isometric (



ISO) attack to generate natural and robust 3D adversarial examples in the physical

world by considering the geometric properties of 3D objects and the invariance to

physical transformations. For naturalness, we constrain the adversarial example

to be



-isometric to the original one by adopting the Gaussian curvature as a

surrogate metric guaranteed by a theoretical analysis. For invariance to physical

transformations, we propose a maxima over transformation (MaxOT) method that

actively searches for the most harmful transformations rather than random ones

to make the generated adversarial example more robust in the physical world.

Experiments on typical point cloud recognition models validate that our approach

can signiﬁcantly improve the attack success rate and naturalness of the generated

3D adversarial examples than the state-of-the-art attack methods.

1 Introduction

Deep neural networks (DNNs) have achieved unprecedented performance on numerous tasks, in-

cluding 2D image classiﬁcation [

] and 3D point cloud recognition [

]. However,

DNNs are vulnerable to adversarial examples [

] — inputs crafted by adding imperceptible

perturbations to original examples that can cause misclassiﬁcation of the victim model. Adversarial

examples are prevalent in various domains beyond images, including texts [

], speeches [

] and

3D objects [

]. As deep 3D point cloud recognition has been adopted in safety-critical applications,

such as autonomous driving [

], robotics [

], medical image processing [

], it has garnered

increasing attention to studying the adversarial robustness of 3D point cloud recognition models [

However, the existing adversarial attacks on point cloud recognition models are still far from stealthy

and suffer from drastic performance degeneration in the physical world. There is usually a trade-off

between the stealthiness and the real-world attacking performance, making it challenging to achieve

the best of both worlds. Early methods [

] adopt gradient-based attacks to add, remove, and

modify points, but they are limited to digital-world attacks. The KNN attack [

] and the

GeoA3

attack [

] constrain the smoothness of the adversarial point clouds and reconstruct adversarial

†Corresponding authors.

36th Conference on Neural Information Processing Systems (NeurIPS 2022).

arXiv:2210.15291v1 [cs.CV] 27 Oct 2022

Original KNN Geo3Mesh Attack -ISO

Figure 1: An illustration of adversarial objects crafted by KNN attack [

GeoA3

attack [

], Mesh Attack [

]

and our



-ISO attack against the PointNet model: KNN attack and

GeoA3

attack can produce unnatural

adversarial objects (and often low success rates); Mesh Attack can generate a lot of distortions; while



-ISO

attack improves the naturalness of the 3D adversarial sample and ensures the consistency between the intrinsic

geometric properties of the adversarial and original 3D objects [8].

meshes from the point clouds that can be 3D-printed in the physical world. Although these works

demonstrate successful physical attacks, point cloud reconstruction introduces large noises and errors,

resulting in low attack success rates and unnaturalness of the adversarial objects in the physical

world. Mesh Attack [

] is recently proposed to perturb the mesh representation of 3D objects,

which improves the success rate but often creates large distortions that can be easily detected by

humans as anomalies, as illustrated in Fig. 1. Overall, it is difﬁcult to achieve both the naturalness

and effectiveness of 3D adversarial attacks in the physical world, which we think is largely due to the

lack of an appropriate metric to characterize the naturalness of 3D data.

To address these issues, we propose an



-isometric (

-ISO

) attack method to generate natural and

robust 3D adversarial examples in the physical world against point cloud recognition models. The



-ISO attack improves the naturalness of the 3D adversarial example by constraining it to be



isometric (see Deﬁnition 1) to the original one, which guarantees the consistency between the

intrinsic geometric properties of two 3D objects [

]. We theoretically demonstrate that Gaussian

curvature (see Deﬁnition 2) can be used to provide a sufﬁcient condition to ensure that two surfaces

are



-isometric. Due to the computable and differentiable nature of Gaussian curvature, we adopt it

as a new regularization loss to practically generate natural 3D adversarial examples. To improve the

robustness of 3D adversarial examples under physical transformations, we further propose a maxima

over transformation (

MaxOT

) method that actively searches for the most harmful transformations

rather than random ones [

] for optimization. Armed with Bayesian optimization that provides better

initialization of the transformations, MaxOT is able to ﬁnd a set of diverse worst-case transformations,

leading to improved performance of the 3D adversarial examples in the physical world.

We conduct extensive experiments to evaluate the performance of our method on attacking typical

point cloud recognition models [

]. Results demonstrate that, in comparison with the alter-

native state-of-the-art attack methods [



-ISO attack achieves higher success rates, while

making the generated adversarial examples more natural and robust under physical transformations.

A physical-world experiment is conducted by 3D-printing the adversarial meshes and re-scanning the

objects for evaluation, which also validates the effectiveness of our method.

2 Related work

Deep learning on 3D point clouds.

Deep 3D point cloud recognition [

]

has emerged in recent years with various applications in many ﬁelds, such as 3D object classiﬁca-

tion [

], 3D scene segmentation [

], and 3D object detection in autonomous

driving [

]. One of the pioneering works is PointNet [

], which directly applies a multilayer

perceptron to learn point features and aggregates them in an efﬁcient way using a max-pool module.

PointNet++ [

] and a large number of later works [

] are built on PointNet to further

capture ﬁne-grained local structure information from the neighborhood of each point. Recently, some

works have focused on designing special convolutions on 3D domains [

] or developing

graph neural networks [18,53,54,69] to improve point cloud recognition.

3D adversarial attacks.

Following the previous studies on adversarial machine learning in the 2D

image domain [

], many works [

] apply adversarial attacks to the

3D point cloud domain. Xiang et al. [

] proposed point generation attacks by adding a limited number

of synthetic points to the point cloud. Recently, more studies [

] use gradient-based attack

methods to identify key points from the point cloud for deletion. More point perturbation attacks [

] learn to perturb the xyz coordinates of each point through a C

W framework [

] based

on metrics deﬁned in the Euclidean space. Zhao et al. [

] attack by the isometric transformations

in the Euclidean space such as rotation. It is worth noting that we consider isometric mappings

between surfaces, which is essentially different from [

]. Later works [

] further apply iterative

gradient methods to achieve more advanced adversarial perturbations. Besides, other works consider

generative models [

], 3D data attacks [

], adversarial robustness [

], attacks against

LIDAR [

], autonomous driving [

], backdoor attacks [

], etc., in the 3D domain.

However, the existing attacks on 3D point cloud recognition are still far from stealthy and the only

three methods that consider the physical-world attacks [

] are not very effective. In this

paper, we surpass the performance of previous methods by proposing a novel



-isometric (



-ISO)

attack method to generate natural and robust 3D adversarial examples in the physical world.

3 Methodology

We now formally present

-ISO attack

. We ﬁrst present the general problem formulation, and

then describe how



-ISO attack enhances the imperceptibility and robustness of the generated 3D

adversarial samples, respectively.

3.1 Problem formulation

To generate 3D adversarial objects in the physical world, it is more straightforward to perturb the mesh

representation of 3D objects rather than point clouds [

] since the reconstruction process can incur

large errors [

]. A mesh

M= (V,F)

is an approximate shape representation of its underlying

surface, where

V:= {vi}nv

i=1

is the set of

vertices of

xyz

coordinates, and

F:= {zi}nf

i=1

is the set

triangle faces represented by the indices of vertices. We let

denote a differentiable sampling

process such that

P:= S(M)∈ X

is the point cloud obtained by randomly sampling on the mesh

surface, where

is the set of all point clouds. We let

y∈ Y

denote the corresponding ground-truth

label of Mas well as P.

In this paper, we focus on the challenging targeted attacks against deep 3D point cloud classiﬁcation

models [

]. Given a point cloud classiﬁer

f:X → Y

, the goal of the attack is to generate

an adversarial mesh

Madv = (Vadv,F)

for the original one

with vertex perturbations such that

the sampled point cloud

Padv := S(Madv)

will be misclassiﬁed by

as the target class

y∗(6=y)

In general, the perturbation should be small to make the adversarial mesh

Madv

inconspicuous

under human inspection. Thus, the optimization problem of generating the adversarial mesh can be

generally formulated as

min

Madv Lf(S(Madv), y∗) + β· R(Madv,M),(1)

where

is the loss that facilitates the misclassiﬁcation of

Padv

y∗

is the regularization term

that minimizes a perceptibility distance between

Madv

and

, and

is a balancing hyperparameter

between these two losses. In this paper, we try to develop a stealthy and robust attack method by

proposing a new regularization loss

based on Gaussian curvature with theoretical guarantees to

remain the naturalness as well as a new attacking loss

to enhance the robustness of the generated

3D adversarial objects under physical transformations.

and

will be introduced in the following.

3.2 -ISO attack

Most of the existing 3D adversarial attacks only consider the constraints

deﬁned in the Euclidean

space [

]. The generated adversarial examples have noticeable point outliers that cause

spikes to appear on the object’s surface, thus losing the naturalness. Moreover, the outliers are more

easily removed and defended against. The main reason is that the existing methods do not consider

the geometric properties of the 3D objects. In differential geometry, isometric mapping guarantees the

consistency of the intrinsic geometric features of two objects [

]. Therefore, we propose a constraint

loss

based on



-isometric mapping to restrict the naturalness of 3D adversarial objects. We ﬁrst

give the deﬁnition of -isometric below.

(a) Original (b) KNN & Geo3(c) Mesh Attack (d) -ISO

Figure 2: An illustration of



-isometric attack. (a): Original mesh. (b) and (c): Adversarial meshes generated

by KNN &

GeoA3

attack and Mesh Attack, respectively. They consider only the constraints deﬁned in the

Euclidean space, and the curve lengths (shown as the black curves) of the generated adversarial examples differ

signiﬁcantly from those of the original samples, which do not satisfy



-isometric and lose naturalness. (d):

Adversarial mesh generated by



-ISO. We consider the geometric features of 3D objects and constrain the 3D

adversarial example to be



-isometric to the original one, such that the curve lengths of the generated adversarial

samples vary little and have naturalness.

Deﬁnition 1.

Let

and

denote two surfaces of

. A diffeomorphism

ϕ:S→˜

is called an



-isometric mapping if there exists a constant

such that it takes any local curve

to a curve

C=ϕ(C)

satisfying

(1 −n)s(C)< s(˜

C)<(1 + n)s(C)

where

s(·)

is the length. The

surfaces Sand ˜

Sare then said to be -isometric.

As shown in Fig. 2, Fig. 2(a) is the original mesh, Fig. 2(b) is the adversarial mesh generated by KNN

attack and

GeoA3

attack, and Fig. 2(c) is the adversarial mesh generated by Mesh Attack. These

three methods only consider the constraints deﬁned in the Euclidean space, and the curve lengths of

the generated adversarial samples differ greatly from those of the original samples, which are not



-isometric and lose naturalness. Fig. 2(d) is the adversarial mesh generated by our proposed



-ISO

attack. We consider the geometric features of 3D objects to generate natural adversarial examples by

constraining them to be



-isometric to the original examples (i.e., the curve length of the resulting

adversarial examples varies very little). However, it is intractable to directly optimize the adversarial

mesh to be



-isometric as the original one. Therefore, we give the deﬁnition of the Gaussian curvature

of the surface from [8].

Deﬁnition 2.

Let

be a surface of

parameterized by

r:= r(u, v)=[x(u, v), y(u, v), z(u, v)]

where

(u, v)∈R2

. We let

ru,rv

denote the partial derivatives of

w.r.t.

and

ruu,ruv ,rvv

denote the second partial derivatives of

, and

∧,h·,·i

denote the outer product and inner product,

respectively. The parametrization thus deﬁnes unit normal vectors

n:= ru∧rv

|ru∧rv|

of the surface

. We

denote the eigenvalues of the coefﬁcient matrix of the Weingarten map

L M

M N  E F

F G −1

and

, where

E=hru,rui

F=hru,rvi

and

G=hrv,rvi

are coefﬁcients of the ﬁrst

fundamental form and

L=hruu,ni

M=hruv,ni

and

N=hrvv,ni

are coefﬁcients of the second

fundamental form. The Gaussian curvature is deﬁned as K=k1k2=LN−M2

EG−F2.

Remark 1.

The Gaussian curvature intrinsically measures the bending degree of the surface reﬂected

by the Gaussian mapping. Let the area element of the surface

dA =hru∧rv,nidudv

and the

area element under the Gaussian mapping

g:S∈R3→S2

r(u, v)→n(u, v)

dA0=hnu∧nv,nidudv

From nu∧nv=Kru∧rv(proof in Appendix D), we obtain

lim

D→P

Area (g(D))

Area (D)= lim

D→PRg(D)dA0

RDdA = lim

D→PRDKdA

RDdA =K(P).(2)

Eq.

(2)

illustrates that the geometric meaning of Gaussian curvature is the ratio of the area of the

domain at the point

on the surface

and the area of the domain at the corresponding point under

the Gaussian mapping, i.e., the bending degree of the surface reﬂected by the Gaussian mapping.

Based on Deﬁnitions 1and 2, we have the following theorem.

Theorem 1

(proof in Appendix A)

Let

and

denote two surfaces of

;

ϕ:S→˜

denote a

diffeomorphism that takes a point

to point

v0=ϕ(v)

; and

K(·)

be the Gaussian curvature

of the points. If |K(v)−K(v0)|<  for any point v, then the surfaces Sand ˜

Sare -isometric.

Theorem 1indicates that to make two surfaces



-isometric, one can constrain their Gaussian curvatures.

Since the Gaussian curvature is computable and differentiable w.r.t. vertices, we adopt it to constrain

the naturalness of 3D adversarial meshes as

RGauss (Madv,M) = 1

nvX

v∈V,v0=ϕ(v)∈Vadv

kK(v0)−K(v)k2

2,(3)

where

ϕ(·)

is the corresponding mapping between vertices in

and

Vadv

. We follow the Gauss-

Bonnet formula [7] to calculate the Gaussian curvature of the vertices as

K(v) = 2π−Pi∈N(v)θi(v)

A(v),(4)

where

A(·)

is the area of the vertex neighborhood, i.e., the area of the polygonal region joined by the

consecutive midpoints of triangles incident on the vertex of interest,

N(v)

is the set of faces containing

, and

θi(v)

is the interior angle of the face at vertex

. Note that the value of

Pi∈N(v)θi(v)

for a

plane is

2π

and the Gaussian curvature is

. The more curved the surface, the smaller the value of

Pi∈N(v)θi(v)and the larger the Gaussian curvature.

In addition, we prevent the generated adversarial meshes from self-intersecting by using the Laplace

loss [

], denoted as

RLap (Madv)

, which represents the distance between a vertex and its nearest

neighbor’s center of mass, and the edge length loss [

], denoted as

Redge (Madv)

, which represents

the smoothness of the surface. Thus, the overall regularization term can be expressed as:

R(Madv,M) = λ1· RGauss (Madv,M) + λ2· RLap (Madv) + λ3· Redge (Madv),(5)

where λ1,λ2and λ3are balancing hyperparameters.

3.3 Improving the robustness under physical transformations

Besides concerning the naturalness of 3D adversarial examples, we further enhance their robustness

under physical transformations, such as 3D rotations, afﬁne projections, cutouts, etc. A common

method is the expectation over transformation (EOT) algorithm [

], which optimizes the adversarial

example over the distribution of different transformations. However, it is still challenging to maintain

the attacking performance under various physical transformations. As shown in the experiments, after

using the EOT algorithm, there are still some transformations that the generated adversarial examples

are not robust to, leading to a reduction of the attack success rate.

To address this issue, our key insight is to consider the worst-case transformations rather than their ex-

pectation, since if the adversarial examples are resistant to the most harmful physical transformations,

they can also resist much weaker transformations, inspired by adversarial training [

]. Therefore,

we propose a

maxima over transformation (MaxOT)

algorithm to actively search for physical

transformations that maximize the misclassiﬁcation loss. The loss function

is thus formulated as:

Lf(S(Madv), y∗) = max

T∗⊂T

Et∈T∗Lce (t(S(Madv)), y∗),(6)

where

contains all possible transformations,

T∗

is a subset of transformations in

, and

Lce

is the

cross-entropy loss. Note that in Eq.

(6)

we consider a subset of transformations

T∗

rather than a

single one because the loss landscape w.r.t. transformations is largely non-convex and contains many

local maxima [

]. Thus we aim to ﬁnd a set of diverse worst-case transformations. By integrating

Eq.

(6)

into Eq.

(1)

, it forms a minimax optimization problem, where the inner maximization aims

to ﬁnd physical transformations that maximize the cross-entropy loss, while the outer minimization

aims to optimize the adversarial example with the worst-case transformations.

3.3.1 Bayesian optimization

To solve problem

(6)

, we search for the worst-case transformations one by one. Given an initialized

transformation, we perform gradient-based optimization to update the transformation parameters

(e.g., angles for rotations). However, randomly selecting initialized transformations is ineffective

since the random initialization may drop into regions of weak transformations, which limits the

exploration of the space of all transformations. To address this issue, we propose to adopt the

Bayesian optimization [17,55] to better break the dilemma between exploration and exploitation to

ﬁnd more appropriate initialized transformations.

文档加载中……请稍候！
如果长时间未打开，您也可以点击刷新试试。

下载文档到电脑，查找使用更方便

10 玖币 0人已下载

立即下载

摘要：

Isometric3DAdversarialExamplesinthePhysicalWorldYiboMiao1,YinpengDong2;3y,JunZhu2;3;4;5,Xiao-ShanGao1y1KLMM,UCAS,AcademyofMathematicsandSystemsScience,ChineseAcademyofSciences,Beijing100190,China2Dept.ofComp.Sci.&Tech.,InstituteforAI,Tsinghua-BoschJointMLCenter,THBILab,BNRistCenter,TsinghuaUniversit...

展开>> 收起<<

Isometric 3D Adversarial Examples in the Physical World Yibo Miao1 Yinpeng Dong23y Jun Zhu2345 Xiao-Shan Gao1y.pdf

共22页,预览5页

还剩页未读，继续阅读

声明：本站为文档C2C交易模式，即用户上传的文档直接被用户下载，本站只是中间服务平台，本站所有文档下载所得的收益归上传人(含作者)所有。玖贝云文库仅提供信息存储空间，仅对用户上传内容的表现方式做保护处理，对上载内容本身不做任何修改或编辑。若文档所含内容侵犯了您的版权或隐私，请立即通知玖贝云文库，我们立即给予删除！

Isometric 3D Adversarial Examples in the Physical World Yibo Miao1 Yinpeng Dong23y Jun Zhu2345 Xiao-Shan Gao1y

相关推荐

开通VIP享超值会员特权

作者详情

相关内容

热门标签

举报选择: