PointBA: Towards Backdoor Attacks in 3D Point Cloud

Xinke Li,Zhirui Chen,Yue Zhao,Zekun Tong,Yabang Zhao,Andrew Lim,Joey Tianyi Zhou
DOI: https://doi.org/10.48550/arXiv.2103.16074
2021-08-23
Abstract:3D deep learning has been increasingly more popular for a variety of tasks including many safety-critical applications. However, recently several works raise the security issues of 3D deep models. Although most of them consider adversarial attacks, we identify that backdoor attack is indeed a more serious threat to 3D deep learning systems but remains unexplored. We present the backdoor attacks in 3D point cloud with a unified framework that exploits the unique properties of 3D data and networks. In particular, we design two attack approaches on point cloud: the poison-label backdoor attack (PointPBA) and the clean-label backdoor attack (PointCBA). The first one is straightforward and effective in practice, while the latter is more sophisticated assuming there are certain data inspections. The attack algorithms are mainly motivated and developed by 1) the recent discovery of 3D adversarial samples suggesting the vulnerability of deep models under spatial transformation; 2) the proposed feature disentanglement technique that manipulates the feature of the data through optimization methods and its potential to embed a new task. Extensive experiments show the efficacy of the PointPBA with over 95% success rate across various 3D datasets and models, and the more stealthy PointCBA with around 50% success rate. Our proposed backdoor attack in 3D point cloud is expected to perform as a baseline for improving the robustness of 3D deep models.
Machine Learning,Cryptography and Security,Computer Vision and Pattern Recognition
What problem does this paper attempt to address?
The problem that this paper attempts to solve is the backdoor attack in 3D point - cloud data. Specifically, the author recognizes that most of the existing research mainly focuses on adversarial attacks, but the more serious threat in 3D deep - learning systems - backdoor attacks - has not been fully explored yet. Backdoor attacks implant malicious functions by injecting a small amount of "poisoned" data into the training data, and these malicious functions will be activated by specific triggers in the test data, resulting in abnormal model behavior. ### Main contributions: 1. **First study**: As far as the author knows, this is the first work to explore backdoor attacks in the 3D field. Based on the unique nature of 3D data, a unified framework is proposed to study 3D backdoor triggers, and perturbation analysis is provided to reasonably limit the attack ability. 2. **Experimental verification**: Through standard backdoor attack experiments, the effectiveness of the proposed trigger is demonstrated, further revealing the vulnerability of 3D models under spatial transformation and the possibility of backdoor attacks in the 3D field. 3. **Clean - label attack**: Inspired by the rotation - based 3D adversarial attack, a technique called feature disentanglement is developed to generate perturbed data through an optimization method. This technique makes it difficult for the model to learn semantic labels from feature - disentangled data, but it is easy to learn the association between labels and implanted triggers. Based on this technique, a more concealed clean - label attack is designed, which has a wider range of application scenarios. ### Method overview: - **Unified form of 3D backdoor trigger**: A general trigger - implantation - function (TIF) form for 3D point - cloud data is proposed. This form is implemented through matrix operations and can flexibly design different triggers, such as orientation triggers and interaction triggers. - **Attack methods**: - **PointPBA**: Backdoor attacks are directly achieved by changing the labels and data in the training data, which is applicable to various 3D datasets and models, with a success rate of more than 95%. - **PointCBA**: The trigger implantation is enhanced through the feature - disentanglement technique to achieve a more concealed clean - label attack, with a success rate of about 45%. ### Experimental results: - **Attack success rate (ASR)**: Extensive experiments were carried out on different datasets and models. The results show that the ASR of PointPBA exceeds 93%, and the ASR of PointCBA exceeds 45%. At the same time, the accuracy loss of the backdoor model on the clean test set does not exceed 2%. - **Influence of injection rate**: The ASR of PointCBA is very sensitive to the injection rate. As the injection rate increases, the ASR also gradually increases. In contrast, the ASR of PointPBA still remains at a high level at a higher injection rate. ### Conclusion: This research not only reveals the vulnerability of 3D deep - learning models under backdoor attacks but also provides a benchmark framework, which is helpful for future research to improve the robustness of 3D models.