On The Adversarial Robustness of 3D Point Cloud Classification
Keywords: Adversarial Machine Learning, Point Cloud Classification, Adversarial Training
Abstract: 3D point clouds play pivotal roles in various safety-critical fields, such as autonomous driving, which desires the corresponding deep neural networks to be robust to adversarial perturbations. Though a few defenses against adversarial point cloud classification have been proposed, it remains unknown whether they can provide real robustness. To this end, we perform the first security analysis of state-of-the-art defenses and design adaptive attacks on them. Our 100% adaptive attack success rates demonstrate that current defense designs are still vulnerable. Since adversarial training (AT) is believed to be the most effective defense, we present the first in-depth study showing how AT behaves in point cloud classification and identify that the required symmetric function (pooling operation) is paramount to the model's robustness under AT. Through our systematic analysis, we find that the default used fixed pooling operations (e.g., MAX pooling) generally weaken AT's performance in point cloud classification. Still, sorting-based parametric pooling operations can significantly improve the models' robustness. Based on the above insights, we further propose DeepSym, a deep symmetric pooling operation, to architecturally advance the adversarial robustness under AT to 47.01% without sacrificing nominal accuracy, outperforming the original design and a strong baseline by 28.5% ($\sim 2.6 \times$) and 6.5%, respectively, in PointNet.
Code Of Ethics: I acknowledge that I and all co-authors of this work have read and commit to adhering to the ICLR Code of Ethics
One-sentence Summary: In this work, we first design adaptive attacks to break the state-of-the-art defenses against adversarial point cloud classification and further improve the adversarial training performance of point cloud classification models by a large margin.
Community Implementations: [ 4 code implementations](https://www.catalyzex.com/paper/arxiv:2011.11922/code)
Reviewed Version (pdf): https://openreview.net/references/pdf?id=wJ0XWhFKpg
16 Replies
Loading