A Comparative Study of Adversarial Attacks against Point Cloud Semantic Segmentation

Recent research efforts on 3D point cloud semantic segmentation (PCSS) have achieved outstanding performance by adopting deep CNN (convolutional neural networks) and GCN (graph convolutional networks). However, the robustness of these complex models has not been systematically analyzed. Given that PCSS has been applied in many safety-critical applications (e.g., autonomous driving, geological sensing), it is important to fill this knowledge gap, in particular, how these models are affected under adversarial samples. While adversarial attacks against point clouds have been studied, we found many questions remain about the robustness of PCSS. For instance, all the prior attacks perturb the point coordinates of a point cloud, but the features associated with a point are also leveraged by some PCSS models, and whether they are good targets to attack is unknown yet. We present a comparative study of PCSS robustness in this work. In particular, we formally define the attacker's objective under targeted attack and non-targeted attack and develop new attacks considering a variety of options, including feature-based and coordinate-based, norm-bounded and norm-unbounded, etc. We conduct evaluations with different combinations of attack options on two datasets (S3DIS and Semantic3D) and three PCSS models (PointNet++, DeepGCNs, and RandLA-Net). We found all of the PCSS models are vulnerable under both targeted and non-targeted attacks, and attacks against point features like color are more effective. With this study, we call the attention of the research community to develop new approaches to harden PCSS models against adversarial attacks.