On Adversarial Robustness of 3D Point Cloud Classification under Adaptive Attacks

3D point clouds play pivotal roles in various safety-critical applications, such as autonomous driving, which desires the underlying deep neural networks to be robust to adversarial perturbations. Though a few defenses against adversarial point cloud classification have been proposed, it remains unknown whether they are truly robust to adaptive attacks. To this end, we perform the first security analysis of state-of-the-art defenses and design adaptive evaluations on them. Our 100% adaptive attack success rates show that current countermeasures are still vulnerable. Since adversarial training (AT) is believed as the most robust defense, we present the first in-depth study showing how AT behaves in point cloud classification and identify that the required symmetric function (pooling operation) is paramount to the 3D model's robustness under AT. Through our systematic analysis, we find that the default-used fixed pooling (e.g., MAX pooling) generally weakens AT's effectiveness in point cloud classification. Interestingly, we further discover that sorting-based parametric pooling can significantly improve the models' robustness. Based on above insights, we propose DeepSym, a deep symmetric pooling operation, to architecturally advance the robustness to 47.0% under AT without sacrificing nominal accuracy, outperforming the original design and a strong baseline by 28.5% ($\sim 2.6 \times$) and 6.5%, respectively, in PointNet.