3D point cloud classification has many safety-critical applications such as autonomous driving and robotic grasping. However, several studies showed that it is vulnerable to adversarial attacks. In particular, an attacker can make a classifier predict an incorrect label for a 3D point cloud by carefully modifying, adding, and/or deleting a small number of its points. Randomized smoothing is a state-of-the-art technique to build certifiably robust 2D image classifiers. However, when applied to 3D point cloud classification, randomized smoothing can only certify robustness against adversarially modified points. In this work, we propose PointGuard, the first defense that has provable robustness guarantees against adversarially modified, added, and/or deleted points. Specifically, given a 3D point cloud and an arbitrary point cloud classifier, PointGuard first creates multiple subsampled point clouds, each of which contains a random subset of the points in the original point cloud; PointGuard then predicts the label of the original point cloud as the majority vote among the labels that the point cloud classifier predicts for the subsampled point clouds. Our first major theoretical contribution is that we show PointGuard provably predicts the same label for a 3D point cloud when the number of adversarially modified, added, and/or deleted points is bounded. Our second major theoretical contribution is that we prove the tightness of our derived bound when no assumptions on the point cloud classifier are made. Moreover, we design an efficient algorithm to compute our certified robustness guarantees. We also empirically evaluate PointGuard on ModelNet40 and ScanNet benchmark datasets.
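The subsample-and-vote prediction step described above can be sketched as follows. This is an added example, not the authors' code: the toy base classifier, the subsample size `k`, the number of subsamples, the tie-breaking rule and the constructed point clouds are all assumptions, and the certified bound itself is not computed here.

```python
import random
from collections import Counter

def brittle_classifier(cloud):
    """Toy base classifier (constructed): label 1 if any point has z > 1.0, else 0.
    A single outlier point is enough to flip its output on the full cloud."""
    return 1 if max(z for _, _, z in cloud) > 1.0 else 0

def pointguard_predict(cloud, classifier, k, n_samples, rng):
    """Majority vote of `classifier` over n_samples random size-k subsets of `cloud`.
    Returns (predicted_label, vote_counts)."""
    votes = Counter()
    for _ in range(n_samples):
        # Sample k points without replacement: one subsampled point cloud.
        sub = rng.sample(cloud, min(k, len(cloud)))
        votes[classifier(sub)] += 1
    # Assumed tie-break: the smaller label wins, so the result is deterministic.
    label = min(votes, key=lambda lbl: (-votes[lbl], lbl))
    return label, dict(votes)

def demo(seed=0):
    rng = random.Random(seed)
    # Constructed clean cloud: 200 points, all with z in [0, 0.5] (true label 0).
    clean = [(rng.uniform(-1, 1), rng.uniform(-1, 1), rng.uniform(0, 0.5))
             for _ in range(200)]
    # Constructed perturbation: three added outlier points.
    perturbed = clean + [(0.0, 0.0, 5.0)] * 3
    return {
        "base_clean": brittle_classifier(clean),
        "base_perturbed": brittle_classifier(perturbed),
        "pg_clean": pointguard_predict(clean, brittle_classifier, 16, 1000, rng),
        "pg_perturbed": pointguard_predict(perturbed, brittle_classifier, 16, 1000, rng),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

With 16 of 203 points in each subsample, most subsamples contain none of the added points, so the vote keeps label 0 even though the base classifier flips on the full perturbed cloud.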