- |
-
Adversarial Attack by Limited Point Cloud Surface Modifications
Oral Presentation
Authors
Department of Computer Engineering, Sharif University of Technology, Tehran, Iran
Abstract
Recent research has revealed that the security of
deep neural networks that directly process 3D point clouds to
classify objects can be threatened by adversarial samples. Although existing adversarial attack methods achieve high success
rates, they do not restrict the point modifications enough to
preserve the point cloud appearance. To overcome this shortcoming, two constraints are proposed. These include applying hard
boundary constraints on the number of modified points and on
the point perturbation norms. Due to the restrictive nature of
the problem, the search space contains many local maxima. The
proposed method addresses this issue by using a high step-size
at the beginning of the algorithm to search the main surface of
the point cloud fast and effectively. Then, in order to converge
to the desired output, the step-size is gradually decreased. To
evaluate the performance of the proposed method, it is run on the
ModelNet40 and ScanObjectNN datasets by employing the state-of-the-art point cloud classification models; including PointNet,
PointNet++, and DGCNN. The obtained results show that it can
perform successful attacks and achieve state-of-the-art results by
only a limited number of point modifications while preserving
the appearance of the point cloud. Moreover, due to the effective
search algorithm, it can perform successful attacks in just a few
steps. Additionally, the proposed step-size scheduling algorithm
shows an improvement of up to 14.5% when adopted by other
methods as well. The proposed method also performs effectively
against popular defense methods.
deep neural networks that directly process 3D point clouds to
classify objects can be threatened by adversarial samples. Although existing adversarial attack methods achieve high success
rates, they do not restrict the point modifications enough to
preserve the point cloud appearance. To overcome this shortcoming, two constraints are proposed. These include applying hard
boundary constraints on the number of modified points and on
the point perturbation norms. Due to the restrictive nature of
the problem, the search space contains many local maxima. The
proposed method addresses this issue by using a high step-size
at the beginning of the algorithm to search the main surface of
the point cloud fast and effectively. Then, in order to converge
to the desired output, the step-size is gradually decreased. To
evaluate the performance of the proposed method, it is run on the
ModelNet40 and ScanObjectNN datasets by employing the state-of-the-art point cloud classification models; including PointNet,
PointNet++, and DGCNN. The obtained results show that it can
perform successful attacks and achieve state-of-the-art results by
only a limited number of point modifications while preserving
the appearance of the point cloud. Moreover, due to the effective
search algorithm, it can perform successful attacks in just a few
steps. Additionally, the proposed step-size scheduling algorithm
shows an improvement of up to 14.5% when adopted by other
methods as well. The proposed method also performs effectively
against popular defense methods.
Keywords
Proceeding Title [Persian]
Adversarial Attack by Limited Point Cloud Surface Modifications
Authors [Persian]
Abstract [Persian]
Recent research has revealed that the security of
deep neural networks that directly process 3D point clouds to
classify objects can be threatened by adversarial samples. Although existing adversarial attack methods achieve high success
rates, they do not restrict the point modifications enough to
preserve the point cloud appearance. To overcome this shortcoming, two constraints are proposed. These include applying hard
boundary constraints on the number of modified points and on
the point perturbation norms. Due to the restrictive nature of
the problem, the search space contains many local maxima. The
proposed method addresses this issue by using a high step-size
at the beginning of the algorithm to search the main surface of
the point cloud fast and effectively. Then, in order to converge
to the desired output, the step-size is gradually decreased. To
evaluate the performance of the proposed method, it is run on the
ModelNet40 and ScanObjectNN datasets by employing the state-of-the-art point cloud classification models; including PointNet,
PointNet++, and DGCNN. The obtained results show that it can
perform successful attacks and achieve state-of-the-art results by
only a limited number of point modifications while preserving
the appearance of the point cloud. Moreover, due to the effective
search algorithm, it can perform successful attacks in just a few
steps. Additionally, the proposed step-size scheduling algorithm
shows an improvement of up to 14.5% when adopted by other
methods as well. The proposed method also performs effectively
against popular defense methods.
deep neural networks that directly process 3D point clouds to
classify objects can be threatened by adversarial samples. Although existing adversarial attack methods achieve high success
rates, they do not restrict the point modifications enough to
preserve the point cloud appearance. To overcome this shortcoming, two constraints are proposed. These include applying hard
boundary constraints on the number of modified points and on
the point perturbation norms. Due to the restrictive nature of
the problem, the search space contains many local maxima. The
proposed method addresses this issue by using a high step-size
at the beginning of the algorithm to search the main surface of
the point cloud fast and effectively. Then, in order to converge
to the desired output, the step-size is gradually decreased. To
evaluate the performance of the proposed method, it is run on the
ModelNet40 and ScanObjectNN datasets by employing the state-of-the-art point cloud classification models; including PointNet,
PointNet++, and DGCNN. The obtained results show that it can
perform successful attacks and achieve state-of-the-art results by
only a limited number of point modifications while preserving
the appearance of the point cloud. Moreover, due to the effective
search algorithm, it can perform successful attacks in just a few
steps. Additionally, the proposed step-size scheduling algorithm
shows an improvement of up to 14.5% when adopted by other
methods as well. The proposed method also performs effectively
against popular defense methods.
Keywords [Persian]
3D data point cloud، adversarial attack، defense