The art of defense: letting networks fool the attacker
This addresses the need for robust environment perception in autonomous vehicles, offering a defense that maintains accuracy, though it is incremental as it builds on known properties of DNNs.
The paper tackles the problem of adversarial attacks on 3D point cloud classifiers for autonomous cars by proposing IT-Defense, a method that leverages the permutation invariance of DNNs to defend against state-of-the-art attacks without reducing clean accuracy.
Robust environment perception is critical for autonomous cars, and adversarial defenses are the most effective and widely studied ways to improve the robustness of environment perception. However, all of previous defense methods decrease the natural accuracy, and the nature of the DNNs itself has been overlooked. To this end, in this paper, we propose a novel adversarial defense for 3D point cloud classifier that makes full use of the nature of the DNNs. Due to the disorder of point cloud, all point cloud classifiers have the property of permutation invariant to the input point cloud. Based on this nature, we design invariant transformations defense (IT-Defense). We show that, even after accounting for obfuscated gradients, our IT-Defense is a resilient defense against state-of-the-art (SOTA) 3D attacks. Moreover, IT-Defense do not hurt clean accuracy compared to previous SOTA 3D defenses. Our code is available at: {\footnotesize{\url{https://github.com/cuge1995/IT-Defense}}}.