Recent research has revealed that the security of deep neural networks that directly process 3D point clouds to classify objects can be threatened by adversarial samples. Although existing adversarial attack methods achieve high success rates, they do not restrict the point modifications enough to preserve the point cloud appearance. To overcome this shortcoming, two constraints are proposed. These include applying hard boundary constraints on the number of modified points and on the point perturbation norms. Due to the restrictive nature of the problem, the search space contains many local maxima. The proposed method addresses this issue by using a high step-size at the beginning of the algorithm to search the main surface of the point cloud fast and effectively. Then, in order to converge to the desired output, the step-size is gradually decreased. To evaluate the performance of the proposed method, it is run on the ModelNet40 and ScanObjectNN datasets by employing the state-of-the-art point cloud classification models; including PointNet, PointNet++, and DGCNN. The obtained results show that it can perform successful attacks and achieve state-of-the-art results by only a limited number of point modifications while preserving the appearance of the point cloud. Moreover, due to the effective search algorithm, it can perform successful attacks in just a few steps. Additionally, the proposed step-size scheduling algorithm shows an improvement of up to $14.5\%$ when adopted by other methods as well. The proposed method also performs effectively against popular defense methods.
翻译:最近的研究显示,直接处理3D点云以对天进行分类的深神经网络的安全可能会受到对抗性样本的威胁。虽然现有的对抗性攻击方法取得了高成功率,但它们并没有限制点修改以保持点云表面。为了克服这一缺陷,提出了两个制约因素。其中包括对修改点的数量和点扰动规范实行硬边界限制。由于问题的限制性质,搜索空间包含许多本地的格子。拟议方法通过在算法开始时使用高分尺来解决这一问题,快速和有效地搜索点云的主要表面。随后,为了与预期产出趋同,分级规模将逐渐缩小。为了评估拟议方法的性能,将采用模型Net40和ScanObjectNNN数据集,采用最先进的点云分类模型;包括PointNet、PointNet++和DGCNNN。 获得的结果表明,它能够进行成功的攻击,并且通过有限的分数点修改来达到点结果。然后,为了与预期的产出一致,分大小将逐步缩小;为了评估拟议的方法,还可以通过采用其他方法进行成功的搜索。