Abstract
Machine learning models are shown to be vulnerable to adversarial examples. While most of the existing methods for adversarial attack and defense work on 2D image domains, a few recent ones attempt to extend the studies to 3D data of point clouds. However, adversarial results obtained by these methods typically contain point outliers, which are both noticeable and easier to be defended by simple techniques of outlier removal. Motivated by the different mechanisms when humans perceive 2D images and 3D shapes, we propose in this paper a new design of geometry-aware objectives, whose solutions favor (discrete versions of) the desired surface properties of smoothness and fairness. To generate adversarial point clouds, we use a misclassification loss of targeted attack that supports continuous pursuing of more malicious signals. Regularizing the targeted attack loss with our proposed geometry-aware objectives gives our proposed method of Geometry-Aware Adversarial Attack ($GeoA^3$). Results of $GeoA^3$ tend to be more adversarial, arguably less defendable, and of the key adversarial characterization of being imperceptible to humans. While the main focus of this paper is to learn to generate adversarial point clouds, we also present a simple but effective algorithm termed Iterative Tangent Jittering (IterTanJit), in order to preserve surface-level adversarial effects when re-sampling point clouds from the surface meshes reconstructed from adversarial point clouds. We quantitatively evaluate our methods on both synthetic and physical object models in terms of attack success rate and geometric regularity. For qualitative evaluation, we conduct subjective studies by collecting human preferences from Amazon Mechanical Turk. Comparative results in comprehensive experiments confirm the advantages of our proposed methods over existing ones. We make our source codes publicly available.
Abstract (translated)
URL
https://arxiv.org/abs/1912.11171
