Isometric 3D Adversarial Examples in the Physical World
This work addresses the vulnerability of 3D deep learning models to adversarial attacks in real-world applications, representing an incremental advance in making such attacks more effective and stealthy.
The paper tackles the problem of generating stealthy and physically robust 3D adversarial examples by proposing an ε-isometric attack that uses Gaussian curvature for naturalness and a maxima over transformation method for robustness, achieving significant improvements in attack success rate and naturalness over state-of-the-art methods.
3D deep learning models are shown to be as vulnerable to adversarial examples as 2D models. However, existing attack methods are still far from stealthy and suffer from severe performance degradation in the physical world. Although 3D data is highly structured, it is difficult to bound the perturbations with simple metrics in the Euclidean space. In this paper, we propose a novel $ε$-isometric ($ε$-ISO) attack to generate natural and robust 3D adversarial examples in the physical world by considering the geometric properties of 3D objects and the invariance to physical transformations. For naturalness, we constrain the adversarial example to be $ε$-isometric to the original one by adopting the Gaussian curvature as a surrogate metric guaranteed by a theoretical analysis. For invariance to physical transformations, we propose a maxima over transformation (MaxOT) method that actively searches for the most harmful transformations rather than random ones to make the generated adversarial example more robust in the physical world. Experiments on typical point cloud recognition models validate that our approach can significantly improve the attack success rate and naturalness of the generated 3D adversarial examples than the state-of-the-art attack methods.