ShapeAdv: Generating Shape-Aware
Adversarial 3D Point Clouds

A 3D point cloud $x\in\mathcal{X}\subset\bigcup_{n=1}^{\infty}\mathbb{R}^{n\times 3}$ is a set of $N$ points sampled from the surface of an object, where each point is represented by a tuple of Cartesian coordinates (XYZ) in the point space $\mathcal{X}$. Let $\mathcal{M}:\mathcal{X}\rightarrow\mathcal{Y}$ be a classification model, which takes a 3D point cloud $x$ as an input and predicts its label $y\in\mathcal{Y}\subset\mathbb{Z}$. Since the number of points $N$ and their order vary depending on the sampling, $\mathcal{M}$ is designed to be invariant to the dimension of $N$, usually achieved by a global max pool or average pool operation [35, 53].

Given a point cloud data and its ground truth label $(x,y)$, the goal of an adversarial attack is to lead $\mathcal{M}$ to misclassify the label of an input $x$, by finding an adversary $x^{\prime}$ satisfying:

where $\mathcal{D}$ is a distance metric to measure the similarity between the original data $x$ and the optimized adversary $x^{\prime}$. In targeted attacks, a target label $t\neq y$ is provided such that the adversary is optimized to satisfy $\mathcal{M}(x^{\prime})=t$, while $\mathcal{M}(x^{\prime})\neq y$ is sufficient in untargeted attacks.

In adversarial attacks on 3D point clouds, two types of strategies have been studied [26, 48, 57, 65]: adversarial point perturbation and adversarial point generation. Adversarial point perturbation adds a small perturbation $\delta$ to $x$, i.e., $x^{\prime}=x+\delta$, while adversarial point generation augments $N_{\text{aug}}$ points to $x$, i.e., $x^{\prime}=[x;\delta]\in\mathbb{R}^{(N+N_{\text{aug}})\times 3}$.

Different from prior works, we propose to inject an adversarial perturbation to the latent representation of a point cloud. To achieve this, we take an auto-encoder $\mathcal{G}=\mathcal{G}_{\text{dec}}\circ\mathcal{G}_{\text{enc}}$, which consists of an encoder network $\mathcal{G}_{\text{enc}}$ and a decoder network $\mathcal{G}_{\text{dec}}$. In this setting, given a data and its label $(x,y)$, we optimize the adversary in the latent space $z^{\prime}$ to be similar to the encoded data $z=\mathcal{G}_{\text{enc}}(x)$, such that it leads the model $\mathcal{M}$ to misclassify the decoded output $x^{\prime}=\mathcal{G}_{\text{dec}}(z^{\prime})$. Similar to Eq. (1), we optimize the following:

where $\mathcal{D}$ is a distance metric to measure the similarity between the input and its adversary in the latent space. For this purpose, any auto-encoder is applicable, but a high-quality auto-encoder would produce better quality of the generated adversarial attack, i.e., $\mathcal{D}(x,\mathcal{G}(x))$ should be small enough for any $x\in\mathcal{X}$.

It is straightforward to minimize the difference between the input and the adversary in the latent space. We then solve the following optimization problem:

where $x^{\prime}=\mathcal{G}_{\text{dec}}(z^{\prime})$ is the decoded adversary. We regularize $z$ and $z^{\prime}$ to be close with respect to $\ell_{2}$ distance. To distinguish with other proposed methods, we refer to this method as ShapeAdv-Latent $\ell_{2}$.

In ShapeAdv-Latent $\ell_{2}$, we implicitly assume that local similarity is preserved: i.e., as long as $z^{\prime}$ is similar to $z$, the adversary $x^{\prime}$ is also similar to $x$. Alternatively, we can directly constrain the similarity between the decoded adversary $x^{\prime}$ and the input $x$, as our point decoder $\mathcal{G}_{\text{dec}}$ is differentiable. More specifically, let $x=[x_{1},x_{2},\dots,x_{N}]^{\top}$ and $x^{\prime}=[x_{1}^{\prime},x_{2}^{\prime},\dots,x_{N^{\prime}}^{\prime}]^{\top}$ be the collection of points in the input and adversary, respectively. We apply the squared Chamfer distance $\mathcal{D}_{\text{CH}}^{2}(x,x^{\prime})=\frac{1}{\lVert x^{\prime}\rVert_{0}}\sum_{x_{j}^{\prime}}\min_{x_{i}}\lVert x_{i}-x_{j}^{\prime}\rVert_{2}^{2}+\frac{1}{\lVert x\rVert_{0}}\sum_{x_{i}}\min_{x_{j}^{\prime}}\lVert x_{i}-x_{j}^{\prime}\rVert_{2}^{2}$ as the metric, which is permutation-invariant and effective in approximating the shape manifold of 3D point cloud data [12]:¹¹1Strictly speaking, the Chamfer distance is not a valid metric because it does not satisfy the triangle inequality. However, it is empirically shown to be effective.

where $x^{\prime}=\mathcal{G}_{\text{dec}}(z^{\prime})\in\mathcal{X}$ is the decoded adversary. We refer to this method as ShapeAdv-Chamfer.

In the above two methods, we optimize the adversarial perturbation in any direction in the latent space. However, if the quality of the latent space is not perfect, the perturbation in the latent space would cause an undesirable perturbation in the point space. To avoid such perturbation in the point space, we propose to leverage auxiliary point clouds sampled from the category of the input to guide the direction in the latent space. Specifically, given a pair of data and its label $(x,y)$, we find $K$ nearest training data whose label is $y$.²²2We use the Chamfer distance in the point space to find the $K$ nearest neighbors. Let $x_{0}=x$ be the input data and its nearest neighbor training data be $\{x_{1},x_{2},\cdots,x_{K}\}$. We then solve the following optimization problem:

where $x^{\prime}=\mathcal{G}_{\text{dec}}(z^{\prime})\in\mathcal{X}$ is the decoded adversary. The coefficient $1/(K+1)$ in the second term could be a tunable hyperparameter to give different weights to the input and auxiliary point clouds, but we could not find significant differences in terms of the attack performance quantitatively. We refer to this method as ShapeAdv-Auxiliary.

To analyze the adversary $x^{\prime}$ generated by this attack, suppose we have only one auxiliary point cloud. Then minimizing the second term in Eq. (8) forces $x^{\prime}$ to be similar to both the input data $x$ and the auxiliary point cloud $x_{1}$, and its optimal value is expected to be a linear interpolation between them. We note that this holds in a valid metric only. Since the Chamfer distance is not a valid metric, the triangle inequality does not hold in general, such that the optimal value may not be a linear interpolation of $x$ and $x^{\prime}$. However, we use the Chamfer distance here, because we found that its qualitative results empirically follow our analysis and show a good performance. In general, when we take $K$ auxiliary point clouds, the adversary $x^{\prime}$ would expected to be in a convex polyhedron $\Omega(x_{0},x_{1},x_{2},...,x_{K})$. Therefore, this formulation also serves as a method to analyze the robustness of the classifier under shape deformation in the same class; in other words, if such an adversary exists, then the model is not robust to shape deformation.

On the other hand, we can restrict the search space of adversary in the latent space $z^{\prime}$ to be a convex polyhedron $\Omega(z_{0},z_{1},z_{2},...,z_{K})$. In this case, we no longer need the second term in Eq. (8) and $z^{\prime}$ is formulated as a convex combination of the input and the auxiliary point clouds, i.e., $z^{\prime}=\sum_{k=0}^{K}\alpha_{k}z_{k}$ where $\alpha_{k}$ is optimizable. However, we empirically found that such formulation is not very effective.

We conduct our experiments on the 3D point cloud classification benchmark aligned ModelNet40 [43, 56], and follow the same experimental settings as reported in [57]. This dataset consists of $12,311$ CAD models from $40$ common object categories, where $9,843$ objects are used for training and $2,468$ are for testing.³³3The compared methods and ours do not require validation, as they are optimization-based. We uniformly sample $1,024$ points on the surface of each object in the point space in the Cartesian coordinate (XYZ), and normalize them into a unit ball by centering and scaling. To evaluate the performance of adversarial attacks, we follow the protocol in [57] for targeted attack, which uses $2,250$ victim-target pairs sampled from 10 major categories (airplane, bed, bookshelf, bottle, chair, monitor, sofa, table, toilet, and vase). For untargeted attacks, we use all the $2,468$ testing examples.

The victim model for adversarial attack is the popular PointNet [35], which has shown the state-of-the-art performance in many tasks. For the attack transferability analysis, we also use PointNet++ [37] and DGCNN [53] as additional 3D point cloud classification models. We train the 3D point cloud classification models by minimizing the standard cross-entropy loss on aligned ModelNet40.

To learn the mapping from raw 3D point cloud data to the latent space, we leverage the point cloud auto-encoder (PointAE) with a latent space with 128 dimension approximating the shape manifold. Here, we consider two different architectures of PointAE proposed in different literature: MLP [1] and AtlasNet [18]. We pre-train PointAE on ShapeNetCore [10]; because the distribution of categories in ModelNet40 is highly imbalanced, training only on ModelNet40 leads to a severe performance downgrade. We note that PointAE-MLP was also trained on ShapeNetCore in [1]. In summary, we pre-train the PointAE on ShapeNetCore [10] using more than $51,300$ object instances and fine-tune the auto-encoder on the aligned ModelNet40 dataset for $700$ epochs. We find that such shape pre-training is crucial to learn a good latent space with a low reconstruction error, and effective shape deformation and interpolation in the latent space.

We compare the state-of-the-art adversarial attacks for 3D point clouds with our proposed methods. Point shifting attack (Shift-Point) [57] perturbs the victim point cloud on the point space while minimizing the perturbation magnitude under the $\ell_{2}$ constraint. Point addition attacks [57] introduce new points to the original victim point cloud, where we compare three strategies: (1) adding a number of points independently (Add-Point), (2) adding several clusters of points (Add-Cluster), and (3) adding several point clouds from another object belonging to a different category (Add-Object).

As described in Section 3, we introduce three variants of the shape-aware adversarial attacks by injecting adversarial perturbations in the latent space. We additionally constrain the perturbation by (1) minimizing the $\ell_{2}$ distance in the latent space (ShapeAdv-Latent $\ell_{2}$), (2) minimizing the Chamfer distance in the point space (ShapeAdv-Chamfer), and (3) minimizing the Chamfer distance from the auxiliary point clouds sampled from the category of the input as well as the input (ShapeAdv-Auxiliary).

For the defense experiments, we consider the sparse outlier removal (SOR) [40, 68] and our proposed auto-encoder based method. SOR is a simple defense method that removes outlier points in the point space, which is shown to be effective in [68]; for each point, it first computes the average distance from its $k$-nearest neighbors, and then filters out points if the average distance is larger than $\mu+c\cdot\sigma$, where $\mu$ and $\sigma$ are the mean and standard deviation of the average distances, and $k$ and $c$ are hyperparameters. We set the hyperparameters to be $k=2$ and $c=2.5$, which is more conservative than the original paper [68] and shows a strong defense performance against the adversarial point clouds. In PointAE Defense, as described in Section 3.3, each point cloud in the test dataset is auto-encoded and then considered as an input of the classification model, as in Eq. (9). Specifically, for each point cloud in the test dataset, we use the reconstruction-based method described in Section 3.3: using the direct output from the encoder model for decoding as in Eq. (9), referred as PointAE Defense. To show the classification performance after applying defense mechanisms, we report the test accuracy with the reconstructed point clouds in Table 1.

We use both attack success rate as well as the perturbation magnitude measure (using the Chamfer distance) as our major evaluation metrics. For attack success rate, we compute the number of successfully attacked object instances divided by the total number. For the Chamfer distance measure, we report the quantitative results in the best, average, and worst performance over category-wise performances, as some category pairs are more difficult to attack than others. The best case represents the most easily attacked victim class, average case for attacking all classes, and worst case for the most difficult class.

First, we measure the attack success rate of our ShapeAdv methods under both targeted and untargeted settings, and found that the attack success rate is 100% for all methods. We report the perturbation magnitude in the Chamfer distance in Table 2. Overall, adversarial point clouds generated by the AtlasNet [18] have relatively small perturbations compared to the MLP baseline [1]. Compared to the other variants, our ShapeAdv-Chamfer achieves the lowest distance, as it is directly used in the optimization objective when generating the adversarial attacks. In particular, our ShapeAdv-Auxiliary generates attacks that deviate further from the original shape as we use one more auxiliary point cloud to guide the shape deformation, such that the distance to the original shape is not always minimized. As in Table 2, the trend is consistent in both targeted and untargeted settings, while untargeted attacks are relatively easier to accomplish than targeted ones.

In Figure 2, we visualize our adversarial examples for targeted attacks. Both methods generate perceptually plausible 3D point clouds similar to the shape of the original one with noticeable shape deformations. AtlasNet tends to preserve local geometric details of the original point cloud; the MLP baseline tends to generate a coarse shape of the same semantic category while being slightly different from the original point cloud. Compared to ShapeAdv-Chamfer which uses the Chamfer distance objective, examples generated by ShapeAdv-Latent $\ell_{2}$ have relatively larger deformations, which is consistent with the distance measure in our quantitative evaluation. Taking account of its better visualization, we use AtlasNet for ShapeAdv below, unless otherwise stated.

As seen in Figure 3, the deformed shapes guided by auxiliary point clouds under adversarial attacks are perceptually similar to both input and auxiliary point cloud in one or several aspects. Moreover, this attack works in a more controllable fashion in which the deformation can be guided by the geometry and structure of auxiliary point cloud. For example, in the third column of Figure 3, the method is able to generate an adversarial chair without chair arms from the input chair with two arms. This can be potentially useful when analyzing the robustness of modern 3D point cloud classifiers given a specific shape deformation.

We compare our shape-aware attacks with existing point cloud attack methods proposed by [57] and visualize the results in Figure 4. We evaluate the proposed shape-aware attacks against two defense methods including sparse outlier removal (SOR) [68] and our auto-encoder based defense method, which can also be interpreted as Defense-GAN [41] on 3D point clouds. SOR is designed to remove point outliers from the raw point cloud while our AE-based method performs the defense through the auto-encoder. As in Table 3, our shape-aware adversarial attacks are generally more difficult to defend than the existing point perturbation attacks and attacks based on adding individual points. Compared to them, adversarial point clouds generated by our shape-aware attacks have noticeable geometric deformations as we do not use point-to-point correspondences to constrain the perturbation. Also, our methods exhibit different statistics compared to attacks by adding points from point clusters or objects, as the resulting shapes from those methods are severely deformed from the origin ones (the Chamfer distance is higher). In summary, we believe that our shape-aware adversarial attacks are orthogonal to existing adversarial attacks on point clouds.

Comparisons between the two architectures (MLP and AtlasNet) demonstrate that ShapeAdv generated by the MLP baseline is relatively harder to defend against compared to AtlasNet. First, this implies that AtlasNet tends to inject adversarial perturbations on the local geometry surfaces which can be partially removed by the existing defense methods, while the MLP baseline tends to inject global deformations as adversarial perturbations which makes the defense challenging. When it comes to 3D point cloud reconstruction, AtlasNet is more expressive and detail-preserving with a patch-based decoder that constructs the piecewise planar surfaces, where each planar surface is independent from each other (each patch is generated by a separate deformation-based decoder with different model weights). However, the detail-preserving adversaries can be possibly considered as outliers by the point defense methods. Second, existing defense methods consistently fail at defending against adversaries with global geometric deformation or structure difference while being effective against adversary with only local geometric deformation.

Regarding the safety-critical concerns related to the PointNet model [35], we further extend our study on black-box attack transferability. Basically, we study how well the attacks generated by our shape-aware attack methods can be transferred to other classifiers such as PointNet++ [37] and DGCNN [53]. As in Table 4, our latent-space $\ell_{2}$ attacks exhibit stronger transferability compared to all existing methods. Here, we exclude the comparisons with methods that generate additional clusters or objects as they lead to severe shape deformation to the original object shapes.