1 Introduction

Deep learning has shown impressive results in many perception tasks. Despite its performance, several works show that deep learning algorithms can be susceptible to adversarial attacks. These attacks craft small perturbations to the inputs that push the network to produce incorrect outputs. There is significant progress made in 2D image adversarial attacks, where extensive work shows diverse ways to attack 2D neural networks [2, 4, 6,7,8, 11, 18, 23, 35]. In contrast, there is little focus on their 3D counterparts [25, 31, 37, 38]. 3D point clouds captured by 3D sensors like LiDAR are now widely processed using deep networks for safety-critical applications, including but not limited to self-driving [3, 27]. However, as we show in this paper, 3D deep networks tend to be vulnerable to input perturbations, a fact that increases the risk of using them in such applications. In this paper, we present a novel approach to attack deep learning algorithms applied to 3D point clouds with a primary focus on attack transferability between networks.

The concept of attack transferability has been extensively studied in the 2D image domain [17, 19, 20]. Transferability allows an adversary to fool any network, without access to the network’s architecture. Clearly, transferable attacks pose a serious security concern, especially in the context of deep learning model deployment. In this work, the goal is to generate adversarial attacks with network-transferability, i.e. the attack to a given point cloud is generated using a single and accessible victim network, and the perturbed sample is directly applied to an unseen and inaccessible transfer network. Accessibility here refers to whether the parameters and architecture of the network are known, while optimizing the attack (white-box). Figure 1 illustrates the concept of transferability. The perturbation generated by our method for a 3D point cloud not only flips the class label of a victim network to a wrong class (i.e. it is adversarial), but it also induces a misclassification for the transfer networks that are not involved in generating the perturbation (i.e. it is transferable).

Fig. 1.
figure 1

Transferable Adversarial Perturbations on 3D point clouds: Generating adversarial attacks to fool PointNet [21] (PN) by perturbing a Table point cloud. The perturbed 3D object not only forces PointNet to predict an incorrect class, but also induces misclassification on other unseen 3D networks (PointNet++ [22], DGCNN [29]) that are not involved in generating the perturbation. Fooling unseen networks poses a threat to 3D deep vision models.

Full size image

Very few adversarial attacks have been developed for 3D point clouds. The first method was introduced by Xiang et al. [31] and it proposes point perturbation and adversarial point generation as two attack modes. More recently, Tsai et al. [25] proposed to make point cloud attacks more smooth and natural by incorporating a K-Nearest Neighbor (KNN) loss on the points, thus making the attacks physically realizable. We identify two main shortcomings in current 3D adversarial perturbations methods [25, 31]. First, their attacks are unsuccessful in the presence of simple defenses, such as Statistical Outlier Removal [38]. Second, they are limited to the victim network and do not transfer well to other networks [31]. In contrast, our work not only focuses on adversarial perturbations that are significantly more resilient against currently available point cloud defenses, but also on those that transfer well between different point cloud networks.

To generate more transferable attacks, we use a point cloud Auto-Encoder (AE), which can effectively reconstruct the unperturbed input after it is perturbed, and then add a data adversarial loss. We optimize the perturbation added to the input to fool the classifier before it passes through the AE (regular adversarial loss) and after it passes through the AE (data adversarial loss). In doing so, the attack tends to be less dependent on the victim network, and generalizes better to different networks. Our attack is dubbed “AdvPC”, and our full pipeline is optimized end-to-end from the classifier output to the perturbation. The AE learns the natural distribution of the data to generalize the attack to a broader range of unseen classifiers [26], thus making the attack more dangerous. Our attacks surpass state-of-the-art attacks [25, 31] by a large margin (up to 40%) on point cloud networks operating on the standard ModelNet40 dataset [30] and for the same maximum allowed perturbation norms (norm-budgets).

Contributions. Our contributions are two-fold. (1) We propose a new pipeline and loss function to perform transferable adversarial perturbations on 3D point clouds. By introducing a data adversarial loss targeting the victim network after reconstructing the perturbed input with a point cloud AE, our approach can be successful in both attacking the victim network and transferring to unseen networks. Since the AE is trained to leverage the point cloud data distribution, incorporating it into the attack strategy enables better transferability to unseen networks. To the best of our knowledge, we are the first to introduce network-transferable adversarial perturbations for 3D point clouds. (2) We perform extensive experiments under constrained norm-budgets to validate the transferability of our attacks. We transfer our attacks between four point cloud networks and show superiority against the state-of-the-art. Furthermore, we demonstrate how our attacks outperform others when targeted by currently available point cloud defenses.

2 Related Work

2.1 Deep Learning for 3D Point Clouds

PointNet [21] paved the way as the first deep learning algorithm to operate directly on 3D point clouds. PointNet computes point features independently, and aggregates them using an order invariant function like max-pooling. An update to this work was PointNet++ [22], where points are aggregated at different 3D scales. Subsequent works focused on how to aggregate more local context [5] or on more complex aggregation strategies like RNNs [9, 33]. More recent methods run convolutions across neighbors of points, instead of using point-wise operations [12,13,14,15, 15, 24, 28, 29]. Contrary to PointNet and its variants, these works achieve superior recognition results by focusing on local feature representation. In this paper and to evaluate/validate our adversarial attacks, we use three point-wise networks, PointNet [21] and PointNet++ [22] in single-scale (SSG) and multi-scale (MSG) form, and a Dynamic Graph convolutional Network, DGCNN [29]. We study the sensitivity of each network to adversarial perturbations and show the transferability of AdvPC attacks between the networks.

2.2 Adversarial Attacks

Pixel-Based Adversarial Attacks. The initial image-based adversarial attack was introduced by Szegedy et al. [23], who cast the attack problem as optimization with pixel perturbations being minimized so as to fool a trained classifier into predicting a wrong class label. Since then, the topic of adversarial attacks has attracted much attention [4, 6, 11, 16, 18]. More recent works take a learning-based approach to the attack [19, 20, 36]. They train a neural network (adversary) to perform the attack and then use the trained adversary model to attack unseen samples. These learning approaches [19, 20, 36] tend to have better transferability properties than the optimizations approaches [4, 6, 11, 16, 18], while the latter tend to achieve higher success rates on the victim networks. As such, our proposed AdvPC attack is a hybrid approach, in which we leverage an AE to capture properties of the data distribution but still define the attack as an optimization for each sample. In doing so, AdvPC captures the merits of both learning and optimization methods to achieve high success rates on the victim networks as well as better transferability to unseen networks.

Adversarial Attacks in 3D. Several adversarial attacks have moved beyond pixel perturbations to the 3D domain. One line of work focuses on attacking image-based CNNs by changing the 3D parameters of the object in the image, instead of changing the pixels of the image [2, 7, 8, 32, 35]. Recently, Xiang et al. [31] developed adversarial perturbations on 3D point clouds, which were successful in attacking PointNet [21]; however, this approach has two main shortcomings. First, it can be easily defended against by simple statistical operations [38]. Second, the attacks are non-transferable and only work on the attacked network [31, 38]. In contrast, Zheng et al. [37] proposed dropping points from the point cloud using a saliency map, to fool trained 3D deep networks. As compared to [37], our attacks are modeled as an optimization on the additive perturbation variable with a focus on point perturbations instead of point removal. As compared to [31], our AdvPC attacks are significantly more successful against available defenses and more transferable beyond the victim network, since AdvPC leverages the point cloud data distribution through the AE. Concurrent to our work is the work of Tsai et al. [25], in which the attack is crafted with KNN loss to make smooth and natural shapes. The motivation of their work is to craft natural attacks on 3D point clouds that can be 3D-printed into real objects. In comparison, our novel AdvPC attack utilizes the data distribution of point clouds by utilizing an AE to generalize the attack.

Defending Against 3D Point Cloud Attacks. Zhou et al. [38] proposed a Statistical Outlier Removal (SOR) method as a defense against point cloud attacks. SOR uses KNN to identify and remove point outliers. They also propose DUP-Net, which is a combination of their SOR and a point cloud up-sampling network PU-Net [34]. Zhou et al. also proposed removing unnatural points by Simple Random Sampling (SRS), where each point has the same probability of being randomly removed. Adversarial training on the attacked point cloud is also proposed as a mode of defense by [31]. Our attacks surpass state-of-the-art attacks [25, 31] on point cloud networks by a large margin (up to 38%) on the standard ModelNet40 dataset [30] against the aforementioned defenses [38].

Fig. 2.
figure 2

AdvPC Attack Pipeline: We optimize for the constrained perturbation variable \(\varvec{\varDelta }\) to generate the perturbed sample \(\mathcal {X}^{\prime } = \mathcal {X} + \varvec{\varDelta }\). The perturbed sample fools a trained classifier \(\mathbf {F}\) (i.e. \(\mathbf {F}(\mathcal {X}^{\prime })\) is incorrect), and at the same time, if the perturbed sample is reconstructed by an Auto-Encoder (AE) \(\mathbf {G}\), it too fools the classifier (i.e. \(\mathbf {F}(\mathbf {G}(\mathcal {X}^{\prime }))\) is incorrect). The AdvPC loss for network \(\mathbf {F}\) is defined in Eq. (6) and has two parts: network adversarial loss (purple) and data adversarial loss (green). Dotted lines are gradients flowing to the perturbation variable \(\varvec{\varDelta }\). (Color figure online)

Full size image

3 Methodology

The pipeline of AdvPC is illustrated in Fig. 2. It consists of an Auto-Encoder (AE) \(\mathbf {G}\), which is trained to reconstruct 3D point clouds and a point cloud classifier \(\mathbf {F}\). We seek to find a perturbation variable \(\varvec{\varDelta }\) added to the input \(\mathcal {X}\) to fool \(\mathbf {F}\) before and after it passes through the AE for reconstruction. The setup makes the attack less dependent on the victim network and more dependent on the data. As such, we expect this strategy to generalize to different networks. Next, we describe the main components of our pipeline: 3D point cloud input, AE, and point cloud classifier. Then, we present our attack setup and loss.

3.1 AdvPC Attack Pipeline

3D Point Clouds (\(\mathcal {X}\)). We define a point cloud \(\mathcal {X} \in \mathbb {R}^{N \times 3}\), as a set of N 3D points, where each point \(\mathbf {x}_i \in \mathbb {R}^{3}\) is represented by its 3D coordinates \((x_i, y_i, z_i)\).

Point Cloud Networks (\(\mathbf {F}\)). We focus on 3D point cloud classifiers with a feature max pooling layer as detailed in Eq. (1), where \(h_{\text {mlp}}\) and \(h_{\text {conv}}\) are MLP and Convolutional (\(1\times 1\) or edge) layers, respectively. This produces a K-class classifier \(\mathbf {F}\).

$$\begin{aligned} \mathbf {F}(\mathcal {X})=h_{\text {mlp}} ( \max _{\mathbf {x}_{i} \in \mathcal {X}}\left\{ h_{\text {conv}}\left( \mathbf {x}_{i}\right) \right\} ) \end{aligned}$$
(1)

Here, \(\mathbf {F} : ~ \mathbb {R}^{N \times 3} \rightarrow \mathbb {R}^K \) produces the logits layer of the classifier with size K. For our attacks, we take \(\mathbf {F}\) to be one of the following widely used networks in the literature: PointNet [21], PointNet++ [22] in single-scale form (SSG) and multi-scale form (MSG), and DGCNN [29]. Section 5.2 delves deep into the differences between them in terms of their sensitivities to adversarial perturbations.

Point Cloud Auto-Encoder (\(\mathbf {G}\)). An AE learns a representation of the data and acts as an effective defense against adversarial attacks. It ideally projects a perturbed point cloud onto the natural manifold of inputs. Any AE architecture in point clouds can be used, but we select the one in [1] because of its simple structure and effectiveness in recovering from adversarial perturbation. The AE \(\mathbf {G}\) consists of an encoding part, \(\mathbf {g}_{\text {encode}}:\mathbb {R}^{N \times 3} \xrightarrow {}\mathbb {R}^{q} \) (similar to Eq. (1)), and an MLP decoder, \(\mathbf {g}_{\text {mlp}}:\mathbb {R}^{q} \xrightarrow {}\mathbb {R}^{N \times 3} \), to produce a point cloud. It can be described formally as: \(\mathbf {G}(.) = \mathbf {g}_{\text {mlp}}\big (\mathbf {\mathbf {g}_{\text {encode}}(\mathcal {.})} \big )\). We train the AE with the Chamfer loss as in [1] on the same data used to train \(\mathbf {F}\), such that it can reliably encode and decode 3D point clouds. We freeze the AE weights during the optimization of the adversarial perturbation on the input. Since the AE learns how naturally occurring point clouds look like, the gradients updating the attack, which is also tasked to fool the reconstructed sample after the AE, actually become more dependent on the data and less on the victim network. The enhanced data dependency of our attack results in the success of our attacks on unseen transfer networks besides the success on the victim network. As such, the proposed composition allows the crafted attack to successfully attack the victim classifier, as well as, fool transfer classifiers that operate on a similar input data manifold.

3.2 AdvPC Attack Loss

Soft Constraint Loss. In AdvPC attacks, like the ones in Fig. 3, we focus solely on perturbations of the input. We modify each point \(\mathbf {x}_i\) by a an addictive perturbation variable \(\delta _i\). Formally, we define the perturbed point set \(\mathcal {X}^{\prime } = \mathcal {X} + \varvec{\varDelta }\), where \(\varvec{\varDelta } \in \mathbb {R}^{N \times 3}\) is the perturbation parameter we are optimizing for. Consequently, each pair (\(\mathbf {x}_i, \mathbf {x}^{\prime }_i\)) are in correspondence. Adversarial attacks are commonly formulated as in Eq. (2), where the goal is to find an input perturbation \(\varvec{\varDelta }\) that successfully fools \(\mathbf {F}\) into predicting an incorrect label \(t^{\prime }\), while keeping \(\mathcal {X^{\prime }}\) and \(\mathcal {X}\) close under distance metric \(\mathcal {D}:\mathbb {R}^{N\times 3} \times \mathbb {R}^{N\times 3} \rightarrow \mathbb {R}\).

$$\begin{aligned} \min _{\varvec{\varDelta }} ~~\mathcal {D}\left( \mathcal {X}, \mathcal {X}^{\prime }\right) \quad \text{ s.t. } \left[ \mathop {\text {arg}\,\text {max}}\limits _{i}~\mathbf {F}\left( \mathcal {X}^{\prime }\right) _{i}\right] =t^{\prime } \end{aligned}$$
(2)

The formulation in Eq. (2) can describe targeted attacks (if \(t^\prime \) is specified before the attack) or untargeted attacks (if \(t^\prime \) is any label other than the true label of \(\mathcal {X}\)). We adopt the following choice of \(t^\prime \) for untargeted attacks: \(t^\prime = \left[ \mathop {\text {arg}\,\text {max}}\nolimits _{i\ne \text {true}}~\mathbf {F}\left( \mathcal {X}^{\prime }\right) _{i}\right] \). Unless stated otherwise, we primarily use untargeted attacks in this paper. As pointed out in [4], it is difficult to directly solve Eq. (2). Instead, previous works like [25, 31] have used the well-known C&W formulation, giving rise to the commonly known soft constraint attack: \(\min _{\varvec{\varDelta }} ~~f_{t^{\prime }}\left( \mathbf {F}(\mathcal {X}^{\prime })\right) +\lambda \mathcal {D}\left( \mathcal {X}, \mathcal {X}^{\prime }\right) \) where \(f_{t^{\prime }}\left( \mathbf {F}(\mathcal {X}^{\prime })\right) \) is the adversarial loss function defined on the network \(\mathbf {F}\) to move it to label \(t^{\prime }\) as in Eq. (3).

$$\begin{aligned} f_{t^{\prime }}\left( \mathbf {F}(\mathcal {X}^{\prime })\right) =\max \left( \max _{i \ne t^{\prime }}\left( \mathbf {F}\left( \mathcal {X}^{\prime }\right) _{i}\right) -\mathbf {F}\left( \mathcal {X}^{\prime }\right) _{t^{\prime }} + \kappa ,0\right) , \end{aligned}$$
(3)

where \(\kappa \) is a loss margin. The 3D-Adv attack [31] uses \(\ell _2\) for \(\mathcal {D}\left( \mathcal {X}, \mathcal {X}^{\prime }\right) \), while the KNN Attack [25] uses Chamfer Distance.

Fig. 3.
figure 3

Examples of AdvPC Attacks: Adversarial attacks are generated for victim networks PointNet, PointNet ++ (MSG/SSG) and DGCNN using AdvPC. The unperturbed point clouds are in black (top) while the perturbed examples are in blue (bottom). The network predictions are shown under each point cloud. The wrong prediction of each perturbed point cloud matches the target of the AdvPC attack. (Color figure online)

Full size image

Hard Constraint Loss. An alternative to Eq. (2) is to put \(\mathcal {D}\left( \mathcal {X}, \mathcal {X}^{\prime }\right) \) as a hard constraint, where the objective can be minimized using Projected Gradient Descent (PGD) [11, 16] as follows.

$$\begin{aligned} \min _{\varvec{\varDelta }} ~~ f_{t^{\prime }}\left( \mathbf {F}(\mathcal {X}^{\prime })\right) ~~~~ s.t.~~ \mathcal {D}\left( \mathcal {X}, \mathcal {X}^{\prime }\right) \le \epsilon \end{aligned}$$
(4)

Using a hard constraint sets a limit to the amount of added perturbation in the attack. This limit is defined by \(\epsilon \) in Eq. (4), which we call norm-budget in this work. Having this bound ensures a fair comparison between different attack schemes. We compare these schemes by measuring their attack success rate at different levels of norm-budget. Using PGD, the above optimization in Eq. (4) with \(\ell _p\) distance \(\mathcal {D}_{\ell _p}\left( \mathcal {X}, \mathcal {X}^{\prime }\right) \) can be solved by iteratively projecting the perturbation \(\varvec{\varDelta }\) onto the \(\ell _p\) sphere of size \(\epsilon _p\) after each gradient step such that: \(\varvec{\varDelta }_{t+1} = \varPi _{p}\left( \varvec{\varDelta }_{t} - \eta \nabla _{\varvec{\varDelta }_{t}}f_{t^{\prime }}\left( \mathbf {F}(\mathcal {X}^{\prime })\right) ,\epsilon _p \right) \). Here, \(\varPi _{p}\left( \varvec{\varDelta },\epsilon _p\right) \) projects the perturbation \(\varvec{\varDelta }\) onto the \(\ell _p\) sphere of size \(\epsilon _p\), and \(\eta \) is a step size. The two most commonly used \(\ell _p\) distance metrics in the literature are \(\ell _2\), which measures the energy of the perturbation, and \(\ell _\infty \), which measures the maximum point perturbation of each \(\varvec{\delta }_i \in \varvec{\varDelta }\). In our experiments, we choose to use the \(\ell _\infty \) distance defined as \(\mathcal {D}_{\ell _\infty }\left( \mathcal {X}, \mathcal {X}^{\prime }\right) = \max _{i} \left\| \varvec{\delta }_i\right\| _{\infty }\), The projection of \(\varvec{\varDelta }\) onto the \(\ell _\infty \) sphere of size \(\epsilon _\infty \) is: \(\varPi _{\infty }\left( \varvec{\varDelta },\epsilon _{\infty }\right) = \text {SAT}_{\epsilon _{\infty }}(\varvec{\delta }_{i}),~ \forall \varvec{\delta }_{i} \in \varvec{\varDelta }\), where \(\text {SAT}_{\epsilon _\infty }\left( \varvec{\delta }_{i}\right) \) is the element-wise saturation function that takes every element of vector \(\varvec{\delta }_{i}\) and limits its range to \([-\epsilon _\infty ,\epsilon _\infty ]\). Norm-budget \(\epsilon _\infty \) is used throughout the experiments in this work.

In supplement, we detail our formulation when \(\ell _2\) is used as the distance metric and report similar superiority over the baselines just as the \(\ell _\infty \) results. For completeness, we also show in the supplement the effect of using different distance metrics (\(\ell _2\), Chamfer, and Earth Mover Distance) as soft constraints on transferability and attack effectiveness.

Data Adversarial Loss. The objectives in Eq. (2, 4) focus solely on the network \(\mathbf {F}\). We also want to add more focus on the data in crafting our attacks. We do so by fooling \(\mathbf {F}\) using both the perturbed input \(\mathcal {X}^{\prime }\) and the AE reconstruction \(\mathbf {G}(\mathcal {X}^{\prime })\) (see Fig. 2). Our new objective becomes:

$$\begin{aligned} \begin{aligned} \min _{\varvec{\varDelta }} ~~\mathcal {D}\left( \mathcal {X}, \mathcal {X}^{\prime }\right) \quad \text{ s.t. } [\mathop {\text {arg}\,\text {max}}\limits _{i}~\mathbf {F}\left( \mathcal {X}^{\prime }\right) _{i}]= t^{\prime };~~ [\mathop {\text {arg}\,\text {max}}\limits _{i}~\mathbf {F}\left( \mathbf {G}(\mathcal {X}^{\prime })\right) _{i}] = t^{\prime \prime } \end{aligned} \end{aligned}$$
(5)

Here, \(t^{\prime \prime }\) is any incorrect label \( t^{\prime \prime } \ne \mathop {\text {arg}\,\text {max}}\nolimits _{i}\mathbf {F}\left( \mathcal {X}\right) _{i}\) and \(t^{\prime }\) is just like Eq. (2). The second constraint ensures that the prediction of the perturbed sample after the AE differs from the true label of the unperturbed sample. Similar to Eq. (2), this objective is hard to optimize, so we follow similar steps as in Eq. (4) and optimize the following objective for AdvPC using PGD (with \(\ell _\infty \) as the distance metric):

$$\begin{aligned} \begin{aligned} \min _{\varvec{\varDelta }} ~ (1 - \gamma ) ~f_{t^{\prime }}\left( \mathbf {F}(\mathcal {X}^{\prime })\right) + \gamma ~ f_{t^{\prime \prime }}\left( \mathbf {F}\left( \mathbf {G}(\mathcal {X}^{\prime })\right) \right) ~~~ s.t. ~~ \mathcal {D}_{\ell _\infty }\left( \mathcal {X}, \mathcal {X}^{\prime }\right) \le \epsilon _\infty \end{aligned} \end{aligned}$$
(6)

Here, f is as in Eq. (3), while \(\gamma \) is a hyper-parameter that trades off the attack’s success before and after the AE. When \(\gamma = 0\), the formulation in Eq. (6) becomes Eq. (4). We use PGD to solve Eq. (6) just like Eq. (4). We follow the same procedures as in [31] when solving Eq. (6) by keeping a record of any \(\varvec{\varDelta }\) that satisfies the constraints in Eq. (5) and by trying different initializations for \(\varvec{\varDelta }\).

4 Experiments

4.1 Setup

Dataset and Networks. We use ModelNet40 [30] to train the classifier network (\(\mathbf {F}\)) and the AE network (\(\mathbf {G}\)), as well as test our attacks. ModelNet40 contains 12,311 CAD models from 40 different classes. These models are divided into 9,843 for training and 2,468 for testing. Similar to previous work [31, 37, 38], we sample 1,024 points from each object. We train the \(\mathbf {F}\) victim networks: PointNet [21], PointNet++ in both Single-Scale (SSG) and Multi-scale (MSG) [22] settings, and DGCNN [29]. For a fair comparison, we adopt the subset of ModelNet40 detailed in [31] to perform and evaluate our attacks against their work (we call this the attack set). In the attack set, 250 examples are chosen from 10 ModelNet40 classes. We train the AE using the full ModelNet40 training set with the Chamfer Distance loss and then fix the AE when the attacks are being generated.

Adversarial Attack Methods. We compare AdvPC against the state-of-the-art baselines 3D-Adv [31] and KNN Attack [25]. For all attacks, we use Adam optimizer [10] with learning rate \(\eta = 0.01\), and perform 2 different initializations for the optimization of \(\varvec{\varDelta }\) (as done in [31]). The number of iterations for the attack optimization for all the networks is 200. We set the loss margin \(\kappa =30\) in Eq. (3) for both 3D-Adv [31] and AdvPC and \(\kappa =15\) for KNN Attack [25] (as suggested in their paper). For other hyperparameters of [25, 31], we follow what is reported in their papers. We pick \(\gamma =0.25\) in Eq. (6) for AdvPC because it strikes a balance between the success of the attack and its transferability (refer to Sect. 5.1 for details). In all of the attacks, we follow the same procedure as [31], where the best attack that satisfies the objective during the optimization is reported. We add the hard \(\ell _\infty \) projection \(\varPi _{\infty }\left( \varvec{\varDelta },\epsilon _{\infty }\right) \) described in Sect. 3 to all the methods to ensure fair comparison on the same norm-budget \(\epsilon _\infty \). We report the best performance of the baselines obtained under this setup.

Fig. 4.
figure 4

Transferability Across Different Norm-Budgets: Here, the victim network is DGCNN [29] and the attacks are optimized using different \(\epsilon _\infty \) norm-budgets. We report the attack success on DGCNN and on the transfer networks (PointNet, PointNet ++ MSG, and PointNet++ SSG). We note that our AdvPC transfers better to the other networks across different \(\epsilon _\infty \) as compared to the baselines 3D-Adv [31] and KNN Attack [25]. Similar plots for the other victim networks are provided in the supplement.

Full size image

Transferability. We follow the same setup as [19, 20] by generating attacks using the constrained \(\ell _\infty \) metric and measure their success rate at different norm-budgets \(\epsilon _\infty \) taken to be in the range [0, 0.75]. This range is chosen because it enables the attacks to reach 100% success on the victim network, as well as offer an opportunity for transferability to other networks. We compare AdvPC against the state-of-the-art baselines [25, 31] under these norm-budgets (e.g. see Fig. 4 for attacking DGCNN). To measure the success of the attack, we compute the percentage of samples out of all attacked samples that the victim network misclassified. We also measure transferability from each victim network to the transfer networks. For each pair of networks, we optimize the attack on one network (victim) and measure the success rate of this optimized attack when applied as input to the other network (transfer). We report these success rates for all network pairs. No defenses are used in the transferability experiment. All the attacks performed in this section are untargeted attacks (following the convention for transferability experiments [31]).

Table 1. Transferability of Attacks: We use norm-budgets (max \(\ell _\infty \) norm allowed in the perturbation) of \(\epsilon _\infty = 0.18\) and \(\epsilon _\infty = 0.45\). All the reported results are the untargeted Attack Success Rate (higher numbers are better attacks). Bold numbers indicate the most transferable attacks. Our attack consistently achieves better transferability than the other attacks for all networks, especially on DGCNN [29]. For reference, the classification accuracies on unperturbed samples for networks PN, PN++(MSG), PN++(SSG) and DGCNN are 92.8%, 91.5%, 91.5%, and 93.7%, respectively.
Full size table

Attacking the Defenses. We also analyze the success of our attacks against point cloud defenses. We compare AdvPC attacks and the baselines [25, 31] against several defenses used in the point cloud literature: SOR, SRS, DUP-Net [38], and Adversarial Training [31]. We also add a newly trained AE (different from the one used in the AdvPC attack) to this list of defenses. For SRS, we use a drop rate of 10%, while in SOR, we use the same parameters proposed in [38]. We train DUP-Net on ModelNet40 with an up-sampling rate of 2. For Adversarial Training, all four networks are trained using a mix of the training data of ModelNet40 and adversarial attacks generated by [31]. While these experiments are for untargeted attacks, we perform similar experiments under targeted attacks and report the results in supplement for reference and completeness.

Fig. 5.
figure 5

Transferability Matrix: Visualizing the overall transferability for 3D-Adv [31] (left), KNN Attack [25] (middle), and our AdvPC (right). Elements in the same row correspond to the same victim network used in the attack, while those in the same column correspond to the network that the attack is transferred to. Each matrix element measures the average success rate over the range of \(\epsilon _\infty \) for the transfer network. We expect the diagonal elements of each transferability matrix (average success rate on the victim network) to have high values, since each attack is optimized on the same network it is transferred to. More importantly, brighter off-diagonal matrix elements indicate better transferability. We observe that our proposed AdvPC attack is more transferable than the other attacks and that DGCNN is a more transferable victim network than the other point cloud networks. The transferability score under each matrix is the average of the off-diagonal matrix values, which summarizes overall transferability for an attack.

Full size image

4.2 Results

We present quantitative results that focus on two main aspects. First, we show the transferable power of AdvPC attacks to different point cloud networks. Second, we highlight the strength of AdvPC under different point cloud defenses.

Transferability. Table 1 reports transferability results for \(\epsilon _\infty = 0.18\) and \(\epsilon _\infty = 0.45\) and compares AdvPC with the baselines [25, 31]. The value \(\epsilon _\infty = 0.18\) is chosen, since it allows the DGCNN attack to reach maximum success (see Sect. 5.2), and the value \(\epsilon _\infty = 0.45\) is arbitrarily chosen to be midway in the remaining range of \(\epsilon _\infty \). It is clear that AdvPC attacks consistently beat the baselines when transferring between networks (up to 40%). Our method shows substantial gains in the case of DGCNN. We also report transferability results for a range of \(\epsilon _\infty \) values in Fig. 4 when the victim network is DGCNN, and the attacks transferred to all other networks. In supplement, we show the same plots when the victim network is taken to be PN and PN++. To represent all these transferability curves compactly, we aggregate their results into a Transferability Matrix. Every entry in this matrix measures the transferability from the victim network (row) to the transfer network (column), and it is computed as the average success rate of the attack evaluated on the transfer network across all \(\epsilon _\infty \) values. This value reflects how good the perturbation is at fooling the transfer network overall. As such, we advocate the use of the transferability matrix as a standard mode of evaluation for future work on network-transferable attacks. In Fig. 5, we show the transferability matrices for our attack and the baselines. AdvPC transfers better overall, since it leads to higher (brighter) off-diagonal values in the matrix. Using the average of off-diagonal elements in this matrix as a single scalar measure of transferability, AdvPC achieves 24.9% average transferability, as compared to 11.5% for 3D-Adv [31] and 8.92% for KNN Attack [25]. We note that DGCNN [29] performs best in terms of transferability and is the hardest network to attack (for AdvPC and the baselines).

Attacking Defenses. Since DGCNN performs the best in transferability, we use it to evaluate the resilience of our AdvPC attacks under different defenses. We use the five defenses described in Sect. 4.1 and report their results in Table 2. Our attack is more resilient than the baselines against all defenses. We note that the AE defense is very strong against all attacks compared to other defenses [38], which explains why AdvPC works very well against other defenses and transfers well to unseen networks. We also observe that our attack is strong against simple statistical defenses like SRS (38% improvement over the baselines). We report results for other victim networks (PN and PN++) in the supplement, where AdvPC shows superior performance against the baselines under these defenses.

Table 2. Attacking Point Cloud Defenses: We evaluate untargeted attacks using norm-budgets of \(\epsilon _\infty = 0.18\) and \(\epsilon _\infty = 0.45\) with DGCNN [29] as the victim network under different defenses for 3D point clouds. Similar to before, we report attack success rates (higher indicates better attack). AdvPC consistently outperforms the other attacks [25, 31] for all defenses. Note that both the attacks and evaluations are performed on DGCNN, which has an accuracy of 93.7% without input perturbations (for reference).
Full size table

5 Analysis

We perform several analytical experiments to further explore the results obtained in Sect. 4.2. We first study the effect of different factors that play a role in the transferability of our attacks. We also show some interesting insights related to the sensitivity of point cloud networks and the effect of the AE on the attacks.

5.1 Ablation Study (Hyperparameter \(\gamma \))

Here, we study the effect of \(\gamma \) used in Eq. (6) on the performance of our attacks. While varying \(\gamma \) between 0 and 1, we record the attack success rate on the victim network and report the transferability to all of the other three transfer networks (average success rate on the transfer networks). We present averaged results over all norm-budgets in Fig. 6 for the four victim networks. One observation is that adding the AE loss with \(\gamma >0\) tends to deteriorate the success rate, even though it improves transferability. We pick \(\gamma =0.25\) in our experiments to balance success and transferability.

Fig. 6.
figure 6

Ablation Study: Studying the effect of changing AdvPC hyperparameter (\(\gamma \)) on the success rate of the attack (left) and on its transferability (right). The transferability score reported for each victim network is the average success rate on the transfer networks averaged across all different norm-budgets \(\epsilon _\infty \). We note that as \(\gamma \) increases, the success rate of the attack on the victim network drops, and the transferability varies with \(\gamma \). We pick \(\gamma =0.25\) in all of our experiments.

Full size image
Fig. 7.
figure 7

Sensitivity of Architectures: We evaluate the sensitivity of each of the four networks for increasing norm-budget. For each network, we plot the classification accuracy under 3D-Adv perturbation [31] (left), KNN Attack [25] (middle), and our AdvPC attack (right). Overall, DGCNN [29] is affected the least by adversarial perturbation.

Full size image

5.2 Network Sensitivity to Point Cloud Attacks

Figure 7 plots the sensitivity of the various networks when they are subject to input perturbations of varying norm-budgets \(\epsilon _\infty \). We measure the classification accuracy of each network under our AdvPC attack (\(\gamma =0.25\)), 3D-Adv [31], and KNN Attack [25]. We observe that DGCNN [29] tends to be the most robust to adversarial perturbations in general. This might be explained by the fact that the convolution neighborhoods in DGCNN are dynamically updated across layers and iterations. This dynamic behavior in network structure may hinder the effect of the attack because gradient directions can change significantly from one iteration to another. This leads to failing attacks and higher robustness for DGCNN [29].

5.3 Effect of the Auto-Encoder (AE)

In Fig. 8, we show an example of how AE reconstruction preserves the details of the unperturbed point cloud and does not change the classifier prediction. When a perturbed point cloud passes through the AE, it recovers a natural-looking shape. The AE’s ability to reconstruct natural-looking 3D point clouds from various perturbed inputs might explain why it is a strong defense against attacks in Table 2. Another observation from Fig. 8 is that: when we fix the target \(t^\prime \) and do not enforce a specific incorrect target \(t^{\prime \prime }\) (i.e. untargeted attack setting) for the data adversarial loss on the reconstructed point cloud in the AdvPC attack (Eq. (6)), the optimization mechanism tends to pick \(t^{\prime \prime }\) to be a similar class to the correct one. For example, a Toilet point cloud perturbed by AdvPC can be transformed into a Chair (similar in appearance to a toilet), if reconstructed by the AE. This effect is not observed for the other attacks [25, 31], which do not consider the data distribution and optimize solely for the network. For completeness, we tried replacing the AE with other 3D generative models from [1] in our AdvPC attack, and we tried to use the learning approach in [19, 20] instead of optimization, but the attack success was less than satisfactory in both cases (refer to supplement).

Fig. 8.
figure 8

Effect of the Auto-Encoder (AE): The AE does not affect the unperturbed point cloud (classified correctly by PN before and after AE). The AE cleans the point cloud perturbed by 3D-Adv and KNN [25, 31], which allows PN to predict the correct class label. However, our AdvPC attack can fool PN before and after AE reconstruction. Samples perturbed by AdvPC, if passed through the AE, transform into similar looking objects from different classes (Chair looks similar to Toilet).

Full size image

6 Conclusions

In this paper, we propose a new adversarial attack for 3D point clouds that utilizes a data adversarial loss to formulate network-transferable perturbations. Our attacks achieve better transferability to four popular point cloud networks than other 3D attacks, and they improve robustness against popular defenses. Future work would extend this attack to other 3D deep learning tasks, such as detection and segmentation, and integrate it into a robust training framework for point cloud networks.