Mehmet Ergezer,Phat Duong,Christian Green,Tommy Nguyen,Abdurrahman Zeybey

2024-04-03

Abstract:This paper presents a novel universal perturbation method for generating robust multi-view adversarial examples in 3D object recognition. Unlike conventional attacks limited to single views, our approach operates on multiple 2D images, offering a practical and scalable solution for enhancing model scalability and robustness. This generalizable method bridges the gap between 2D perturbations and 3D-like attack capabilities, making it suitable for real-world applications.

Computer Vision and Pattern Recognition,Artificial Intelligence

Guanlin Li,Guowen Xu,Han Qiu,Ruan He,Jiwei Li,Tianwei Zhang

DOI: https://doi.org/10.1007/978-3-031-19772-7_39

2022-01-01

Abstract:3D point cloud classification models based on deep neural networks were proven to be vulnerable to adversarial examples, with a quantity of novel attack techniques proposed by researchers recently. It is of paramount importance to preserve the robustness of 3D models under adversarial environments, considering their broad application in safety- and security-critical tasks. Unfortunately, existing defenses are not general enough to satisfactorily mitigate all types of attacks. In this paper, we design two innovative methodologies to improve the adversarial robustness of 3D point cloud classification models. (1) We introduce CCN, a novel point cloud architecture which can smooth and disrupt the adversarial perturbations. (2) We propose AMS, a novel data augmentation strategy to adaptively balance the model usability and robustness. Extensive evaluations indicate the integration of the two techniques provides much more robustness than existing defense solutions for 3D classification models.

Shouwei Ruan,Yinpeng Dong,Hang Su,Jianteng Peng,Ning Chen,Xingxing Wei

2023-07-21

Abstract:Viewpoint invariance remains challenging for visual recognition in the 3D world, as altering the viewing directions can significantly impact predictions for the same object. While substantial efforts have been dedicated to making neural networks invariant to 2D image translations and rotations, viewpoint invariance is rarely investigated. Motivated by the success of adversarial training in enhancing model robustness, we propose Viewpoint-Invariant Adversarial Training (VIAT) to improve the viewpoint robustness of image classifiers. Regarding viewpoint transformation as an attack, we formulate VIAT as a minimax optimization problem, where the inner maximization characterizes diverse adversarial viewpoints by learning a Gaussian mixture distribution based on the proposed attack method GMVFool. The outer minimization obtains a viewpoint-invariant classifier by minimizing the expected loss over the worst-case viewpoint distributions that can share the same one for different objects within the same category. Based on GMVFool, we contribute a large-scale dataset called ImageNet-V+ to benchmark viewpoint robustness. Experimental results show that VIAT significantly improves the viewpoint robustness of various image classifiers based on the diversity of adversarial viewpoints generated by GMVFool. Furthermore, we propose ViewRS, a certified viewpoint robustness method that provides a certified radius and accuracy to demonstrate the effectiveness of VIAT from the theoretical perspective.

Computer Vision and Pattern Recognition

Shouwei Ruan,Yinpeng Dong,Hang Su,Jianteng Peng,Ning Chen,Xingxing Wei

2023-07-16

Abstract:Visual recognition models are not invariant to viewpoint changes in the 3D world, as different viewing directions can dramatically affect the predictions given the same object. Although many efforts have been devoted to making neural networks invariant to 2D image translations and rotations, viewpoint invariance is rarely investigated. As most models process images in the perspective view, it is challenging to impose invariance to 3D viewpoint changes based only on 2D inputs. Motivated by the success of adversarial training in promoting model robustness, we propose Viewpoint-Invariant Adversarial Training (VIAT) to improve viewpoint robustness of common image classifiers. By regarding viewpoint transformation as an attack, VIAT is formulated as a minimax optimization problem, where the inner maximization characterizes diverse adversarial viewpoints by learning a Gaussian mixture distribution based on a new attack GMVFool, while the outer minimization trains a viewpoint-invariant classifier by minimizing the expected loss over the worst-case adversarial viewpoint distributions. To further improve the generalization performance, a distribution sharing strategy is introduced leveraging the transferability of adversarial viewpoints across objects. Experiments validate the effectiveness of VIAT in improving the viewpoint robustness of various image classifiers based on the diversity of adversarial viewpoints generated by GMVFool.

Computer Vision and Pattern Recognition

Yifan Zhang,Junhui Hou,Yixuan Yuan

DOI: https://doi.org/10.48550/arXiv.2212.10230

2022-12-20

Computer Vision and Pattern Recognition

Abstract:Deep learning-based 3D object detectors have made significant progress in recent years and have been deployed in a wide range of applications. It is crucial to understand the robustness of detectors against adversarial attacks when employing detectors in security-critical applications. In this paper, we make the first attempt to conduct a thorough evaluation and analysis of the robustness of 3D detectors under adversarial attacks. Specifically, we first extend three kinds of adversarial attacks to the 3D object detection task to benchmark the robustness of state-of-the-art 3D object detectors against attacks on KITTI and Waymo datasets, subsequently followed by the analysis of the relationship between robustness and properties of detectors. Then, we explore the transferability of cross-model, cross-task, and cross-data attacks. We finally conduct comprehensive experiments of defense for 3D detectors, demonstrating that simple transformations like flipping are of little help in improving robustness when the strategy of transformation imposed on input point cloud data is exposed to attackers. Our findings will facilitate investigations in understanding and defending the adversarial attacks against 3D object detectors to advance this field.

Bilel Tarchoun,Ihsen Alouani,Anouar Ben Khalifa,Mohamed Ali Mahjoub

DOI: https://doi.org/10.48550/arXiv.2110.04887

2021-10-10

Cryptography and Security

Abstract:While machine learning applications are getting mainstream owing to a demonstrated efficiency in solving complex problems, they suffer from inherent vulnerability to adversarial attacks. Adversarial attacks consist of additive noise to an input which can fool a detector. Recently, successful real-world printable adversarial patches were proven efficient against state-of-the-art neural networks. In the transition from digital noise based attacks to real-world physical attacks, the myriad of factors affecting object detection will also affect adversarial patches. Among these factors, view angle is one of the most influential, yet under-explored. In this paper, we study the effect of view angle on the effectiveness of an adversarial patch. To this aim, we propose the first approach that considers a multi-view context by combining existing adversarial patches with a perspective geometric transformation in order to simulate the effect of view angle changes. Our approach has been evaluated on two datasets: the first dataset which contains most real world constraints of a multi-view context, and the second dataset which empirically isolates the effect of view angle. The experiments show that view angle significantly affects the performance of adversarial patches, where in some cases the patch loses most of its effectiveness. We believe that these results motivate taking into account the effect of view angles in future adversarial attacks, and open up new opportunities for adversarial defenses.

Hai Chen,Huanqian Yan,Xiao Yang,Hang Su,Shu Zhao,Fulan Qian

DOI: https://doi.org/10.1109/tits.2024.3410038

IF: 8.5

2024-01-01

IEEE Transactions on Intelligent Transportation Systems

Abstract:The reliability and robustness of 3D object detection play an instrumental role in the practical deployment of autonomous driving systems. Despite previous research indicating that adversarial examples can negatively affect 3D object detection models, leading to misinterpretations of the environment, these models still maintain the capability to detect the majority of objects within adversarially manipulated point clouds. To further probe into the adversarial robustness of these models, we propose an effective adversarial attack method named IoU-S attack in this paper. We meticulously formulate the adversarial loss to adversely affect the decision-making behavior (such as localization, etc.) of 3D object detection, thereby compromising its ability to accurately interpret the environment. Owing to the significant relevance of this adversarial loss to 3D object detection tasks, we have integrated the IoU-S attack into three attack paradigms: point cloud perturbation, detachment, and attachment. Comprehensive experiments on the widely accepted nuScenes dataset illustrate that the IoU-S attack outperforms existing attack methods in both white-box and black-box scenarios (https://github.com/haichen-ber/IoU-S-Attack). It reinforces its potential to serve as a valuable method in understanding and enhancing the robustness of 3D object detection models against adversarial attacks.

Riran Cheng,Nan Sang,Yinyuan Zhou,Xupeng Wang

DOI: https://doi.org/10.1109/hpcc-dss-smartcity-dependsys53884.2021.00032

2021-01-01

Abstract:3D object tracking has great potential applications in computing intensive cyber-physical systems, particularly auto-nomic driving. However, Object tracking based on deep neural networks is vulnerable to adversarial examples. Previous works generate adversarial examples by applying perturbations to samples, which suffer from the generation of an individual adversarial perturbation for each sample. Algorithms have been proposed to generate a universal adversarial perturbation, which is one single perturbation able to make classifiers misclassify most images. In this paper, we propose the universal adversarial attack method against 3D object tracking. This method gen-erates adversarial samples by applying a universal adversarial perturbation to tracking templates, leading to the deviation of the predictions from the ground truth. A novel objective function, which combines confidence loss, direction loss and distance loss, generates an atomic perturbation for each tracking template. By aggregating these atomic perturbations, the universal adversarial perturbation can be derived. Experiments conducted on the KITTI dataset show that the proposed method can effectively reduce the performance of 3D object tracking.

Riran Cheng,Nan Sang,Yinyuan Zhou,Xupeng Wang

DOI: https://doi.org/10.1109/icassp43922.2022.9746692

2022-01-01

Abstract:It is well-recognized that 3D visual tasks based on deep neural networks are vulnerable to adversarial attacks. Existing methods to generate adversarial examples are mainly developed from injecting imperceptible perturbations into the inputs. However, aggressive characteristic of geometric transformations, which are common in 3D objects, are rarely investigated. In this paper, we propose the non-rigid transformation based adversarial attack method against 3D object tracking. The adversarial example is generated by deforming parts of the tracking template, leading to deviation of the tracking predictions from the ground truth. Specifically, a clustering-based region segmentation module is designed to divide the tracking template into local regions. Furthermore, an objective function, which combines IoU loss, confidence loss and distance loss, is leveraged to update the poses of local regions. Experiments conducted on an efficient 3D tracker demonstrate that 3D trackers are extremely vulnerable to non-rigid deformation.

Bilel Tarchoun,Quazi Mishkatul Alam,Nael Abu-Ghazaleh,Ihsen Alouani

2023-12-01

Abstract:Adversarial patches exemplify the tangible manifestation of the threat posed by adversarial attacks on Machine Learning (ML) models in real-world scenarios. Robustness against these attacks is of the utmost importance when designing computer vision applications, especially for safety-critical domains such as CCTV systems. In most practical situations, monitoring open spaces requires multi-view systems to overcome acquisition challenges such as occlusion handling. Multiview object systems are able to combine data from multiple views, and reach reliable detection results even in difficult environments. Despite its importance in real-world vision applications, the vulnerability of multiview systems to adversarial patches is not sufficiently investigated. In this paper, we raise the following question: Does the increased performance and information sharing across views offer as a by-product robustness to adversarial patches? We first conduct a preliminary analysis showing promising robustness against off-the-shelf adversarial patches, even in an extreme setting where we consider patches applied to all views by all persons in Wildtrack benchmark. However, we challenged this observation by proposing two new attacks: (i) In the first attack, targeting a multiview CNN, we maximize the global loss by proposing gradient projection to the different views and aggregating the obtained local gradients. (ii) In the second attack, we focus on a Transformer-based multiview framework. In addition to the focal loss, we also maximize the transformer-specific loss by dissipating its attention blocks. Our results show a large degradation in the detection performance of victim multiview systems with our first patch attack reaching an attack success rate of 73% , while our second proposed attack reduced the performance of its target detector by 62%

Computer Vision and Pattern Recognition,Cryptography and Security

Xiao Yang,Longlong Xu,Tianyu Pang,Yinpeng Dong,Yikai Wang,Hang Su,Jun Zhu

DOI: https://doi.org/10.1007/s11263-024-02177-6

IF: 13.369

2024-01-01

International Journal of Computer Vision

Abstract:Recent research has elucidated the susceptibility of face recognition models to physical adversarial patches, thus provoking security concerns about the deployed face recognition systems. Most existing 2D and 3D physical attacks on face recognition, however, produce adversarial examples using a single-state face image of an attacker. This point-wise attack paradigm tends to yield inferior results when countering numerous complicated states in physical environments, such as diverse pose variations. In this paper, by reassessing the intrinsic relationship between an attacker’s face and its variations, we propose a practical pipeline that simulates complex facial transformations in the physical world through 3D face modeling. This adaptive simulation serves as a digital counterpart of physical faces and empowers us to regulate various facial variations and physical conditions. With this digital simulator, we present the Face3DAdv method to craft 3D adversarial patches, which account for 3D facial transformations and realistic physical variations. Moreover, by optimizing the latent space on 3D modeling and involving importance sampling on various transformations, we demonstrate that Face3DAdv can significantly improve the effectiveness and naturalness of a wide range of physically feasible adversarial patches. Furthermore, the physically 3D-printed adversarial patches by Face3DAdv can achieve an effective evaluation of adversarial robustness on multiple popular commercial services, including four recognition APIs, three anti-spoofing APIs and one automated access control system.

Yifan Zhang,Junhui Hou,Yixuan Yuan

DOI: https://doi.org/10.1007/s11263-023-01934-3

IF: 13.369

2023-12-01

International Journal of Computer Vision

Abstract:Recent years have witnessed significant advancements in deep learning-based 3D object detection, leading to its widespread adoption in numerous applications. As 3D object detectors become increasingly crucial for security-critical tasks, it is imperative to understand their robustness against adversarial attacks. This paper presents the first comprehensive evaluation and analysis of the robustness of LiDAR-based 3D detectors under adversarial attacks. Specifically, we extend three distinct adversarial attacks to the 3D object detection task, benchmarking the robustness of state-of-the-art LiDAR-based 3D object detectors against attacks on the KITTI and Waymo datasets. We further analyze the relationship between robustness and detector properties. Additionally, we explore the transferability of cross-model, cross-task, and cross-data attacks. Thorough experiments on defensive strategies for 3D detectors are conducted, demonstrating that simple transformations like flipping provide little help in improving robustness when the applied transformation strategy is exposed to attackers. Finally, we propose balanced adversarial focal training, based on conventional adversarial training, to strike a balance between accuracy and robustness. Our findings will facilitate investigations into understanding and defending against adversarial attacks on LiDAR-based 3D object detectors, thus advancing the field. The source code is publicly available at https://github.com/Eaphan/Robust3DOD.

computer science, artificial intelligence

Rabnawaz,A. Javed,M. Yousaf,Abeer Toheed

DOI: https://doi.org/10.1109/ICoDT255437.2022.9787422

2022-05-24

Abstract:Adversarial attacks are being frequently used these days to exploit different machine learning models including the deep neural networks (DNN) either during the training or testing stage. DNN under such attacks make the false predictions. Digital adversarial attacks are not applicable in physical world. Adversarial attack on object detection is more difficult as compared to the adversarial attack on image classification. This paper presents a physical adversarial attack on object detection using 3D adversarial objects. The proposed methodology overcome the constraint of 2D adversarial patches as they only work for certain viewpoints only. We have mapped an adversarial texture onto a mesh to create the 3D adversarial object. These objects are of various shapes and sizes. Unlike adversarial patch attacks, these adversarial objects are movable from one place to another. Moreover, application of 2D patch is limited to confined viewpoints. Experimentation results show that our 3D adversarial objects are free from such constraints and perform a successful attack on object detection. We used the ShapeNet dataset for different vehicle models. 3D objects are created using Blender 2.93 [1]. Different HDR images are incorporated to create the virtual physical environment. Moreover, we targeted the FasterRCNN and YOLO pre-trained models on the COCO dataset as our target DNN. Experimental results demonstrate that our proposed model successfully fooled these object detectors.

Engineering,Computer Science

Shaoyuan Xie,Zichao Li,Zeyu Wang,Cihang Xie

DOI: https://doi.org/10.48550/arXiv.2301.10766

2024-01-19

Abstract:In recent years, camera-based 3D object detection has gained widespread attention for its ability to achieve high performance with low computational cost. However, the robustness of these methods to adversarial attacks has not been thoroughly examined, especially when considering their deployment in safety-critical domains like autonomous driving. In this study, we conduct the first comprehensive investigation of the robustness of leading camera-based 3D object detection approaches under various adversarial conditions. We systematically analyze the resilience of these models under two attack settings: white-box and black-box; focusing on two primary objectives: classification and localization. Additionally, we delve into two types of adversarial attack techniques: pixel-based and patch-based. Our experiments yield four interesting findings: (a) bird's-eye-view-based representations exhibit stronger robustness against localization attacks; (b) depth-estimation-free approaches have the potential to show stronger robustness; (c) accurate depth estimation effectively improves robustness for depth-estimation-based methods; (d) incorporating multi-frame benign inputs can effectively mitigate adversarial attacks. We hope our findings can steer the development of future camera-based object detection models with enhanced adversarial robustness.

Computer Vision and Pattern Recognition,Artificial Intelligence

Zhao Yue,Wu Yuwei,Chen Caihua,Lim Andrew

DOI: https://doi.org/10.1109/CVPR42600.2020.00128

2020-01-01

Abstract:While deep learning in 3D domain has achieved revolutionary performance in many tasks, the robustness of these models has not been sufficiently studied or explored. Regarding the 3D adversarial samples, most existing works focus on manipulation of local points, which may fail to invoke the global geometry properties, like robustness under linear projection that preserves the Euclidean distance, i.e., isometry. In this work, we show that existing state-of-the-art deep 3D models are extremely vulnerable to isometry transformations. Armed with the Thompson Sampling, we develop a black-box attack with success rate over 95% on ModelNet40 data set. Incorporating with the Restricted Isometry Property, we propose a novel framework of white-box attack on top of spectral norm based perturbation. In contrast to previous works, our adversarial samples are experimentally shown to be strongly transferable. Evaluated on a sequence of prevailing 3D models, our white-box attack achieves success rates from 98.88% to 100%. It maintains a successful attack rate over 95% even within an imperceptible rotation range [+/- 2.81 degrees].

Riran Cheng,Xupeng Wang,Ferdous Sohel,Hang Lei

DOI: https://doi.org/10.1007/s44267-023-00033-8

2023-01-01

Abstract:3D object tracking based on deep neural networks has a wide range of potential applications, such as autonomous driving and robotics. However, deep neural networks are vulnerable to adversarial examples. Traditionally, adversarial examples are generated by applying perturbations to individual samples, which requires exhaustive calculations for each sample and thereby suffers from low efficiency during malicious attacks. Hence, the universal adversarial perturbation has been introduced, which is sample-agnostic. The universal perturbation is able to make classifiers misclassify most samples. In this paper, a topology-aware universal adversarial attack method against 3D object tracking is proposed, which can lead to predictions of a 3D tracker deviating from the ground truth in most scenarios. Specifically, a novel objective function consisting of a confidence loss, direction loss and distance loss generates an atomic perturbation from a tracking template, and aims to fail a tracking task. Subsequently, a series of atomic perturbations are iteratively aggregated to derive the universal adversarial perturbation. Furthermore, in order to address the characteristic of permutation invariance inherent in the point cloud data, the topology information of the tracking template is employed to guide the generation of the universal perturbation, which imposes correspondences between consecutively generated perturbations. The generated universal perturbation is designed to be aware of the topology of the targeted tracking template during its construction and application, thus leading to superior attack performance. Experiments on the KITTI dataset demonstrate that the performance of 3D object tracking can be significantly degraded by the proposed method.

Yinpeng Dong,Shouwei Ruan,Hang Su,Caixin Kang,Xingxing Wei,Jun Zhu

DOI: https://doi.org/10.48550/arXiv.2210.03895

2022-01-01

Abstract: Recent studies have demonstrated that visual recognition models lack robustness to distribution shift. However, current work mainly considers model robustness to 2D image transformations, leaving viewpoint changes in the 3D world less explored. In general, viewpoint changes are prevalent in various real-world applications (e.g., autonomous driving), making it imperative to evaluate viewpoint robustness. In this paper, we propose a novel method called ViewFool to find adversarial viewpoints that mislead visual recognition models. By encoding real-world objects as neural radiance fields (NeRF), ViewFool characterizes a distribution of diverse adversarial viewpoints under an entropic regularizer, which helps to handle the fluctuations of the real camera pose and mitigate the reality gap between the real objects and their neural representations. Experiments validate that the common image classifiers are extremely vulnerable to the generated adversarial viewpoints, which also exhibit high cross-model transferability. Based on ViewFool, we introduce ImageNet-V, a new out-of-distribution dataset for benchmarking viewpoint robustness of image classifiers. Evaluation results on 40 classifiers with diverse architectures, objective functions, and data augmentations reveal a significant drop in model performance when tested on ImageNet-V, which provides a possibility to leverage ViewFool as an effective data augmentation strategy to improve viewpoint robustness.

Yao Huang,Yinpeng Dong,Shouwei Ruan,Xiao Yang,Hang Su,Xingxing Wei

2024-06-10

Abstract:Compared with transferable untargeted attacks, transferable targeted adversarial attacks could specify the misclassification categories of adversarial samples, posing a greater threat to security-critical tasks. In the meanwhile, 3D adversarial samples, due to their potential of multi-view robustness, can more comprehensively identify weaknesses in existing deep learning systems, possessing great application value. However, the field of transferable targeted 3D adversarial attacks remains vacant. The goal of this work is to develop a more effective technique that could generate transferable targeted 3D adversarial examples, filling the gap in this field. To achieve this goal, we design a novel framework named TT3D that could rapidly reconstruct from few multi-view images into Transferable Targeted 3D textured meshes. While existing mesh-based texture optimization methods compute gradients in the high-dimensional mesh space and easily fall into local optima, leading to unsatisfactory transferability and distinct distortions, TT3D innovatively performs dual optimization towards both feature grid and Multi-layer Perceptron (MLP) parameters in the grid-based NeRF space, which significantly enhances black-box transferability while enjoying naturalness. Experimental results show that TT3D not only exhibits superior cross-model transferability but also maintains considerable adaptability across different renders and vision tasks. More importantly, we produce 3D adversarial examples with 3D printing techniques in the real world and verify their robust performance under various scenarios.

Computer Vision and Pattern Recognition

Yanjie Li,Yiquan Li,Xuelong Dai,Songtao Guo,Bin Xiao

DOI: https://doi.org/10.48550/arXiv.2205.13412

2022-05-26

Computer Vision and Pattern Recognition

Abstract:2D face recognition has been proven insecure for physical adversarial attacks. However, few studies have investigated the possibility of attacking real-world 3D face recognition systems. 3D-printed attacks recently proposed cannot generate adversarial points in the air. In this paper, we attack 3D face recognition systems through elaborate optical noises. We took structured light 3D scanners as our attack target. End-to-end attack algorithms are designed to generate adversarial illumination for 3D faces through the inherent or an additional projector to produce adversarial points at arbitrary positions. Nevertheless, face reflectance is a complex procedure because the skin is translucent. To involve this projection-and-capture procedure in optimization loops, we model it by Lambertian rendering model and use SfSNet to estimate the albedo. Moreover, to improve the resistance to distance and angle changes while maintaining the perturbation unnoticeable, a 3D transform invariant loss and two kinds of sensitivity maps are introduced. Experiments are conducted in both simulated and physical worlds. We successfully attacked point-cloud-based and depth-image-based 3D face recognition algorithms while needing fewer perturbations than previous state-of-the-art physical-world 3D adversarial attacks.

Ce Zhou,Qiben Yan,Sijia Liu

2024-09-26

Abstract:Object detection is a crucial task in autonomous driving. While existing research has proposed various attacks on object detection, such as those using adversarial patches or stickers, the exploration of projection attacks on 3D surfaces remains largely unexplored. Compared to adversarial patches or stickers, which have fixed adversarial patterns, projection attacks allow for transient modifications to these patterns, enabling a more flexible attack. In this paper, we introduce an adversarial 3D projection attack specifically targeting object detection in autonomous driving scenarios. We frame the attack formulation as an optimization problem, utilizing a combination of color mapping and geometric transformation models. Our results demonstrate the effectiveness of the proposed attack in deceiving YOLOv3 and Mask R-CNN in physical settings. Evaluations conducted in an indoor environment show an attack success rate of up to 100% under low ambient light conditions, highlighting the potential damage of our attack in real-world driving scenarios.

Cryptography and Security,Artificial Intelligence,Computer Vision and Pattern Recognition