Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

ScAR: Scaling Adversarial Robustness for LiDAR Object Detection

Xiaohu Lu, Hayder Radha

TL;DR

This work identifies a size-sensitivity bias in LiDAR-based 3D object detectors, showing that scaling 3D instances can significantly affect predictions. It introduces three black-box scaling attacks—model-aware, distribution-aware, and blind—and develops ScAR to defend by transforming the training distribution of object sizes into a Uniform distribution via ICDF-mapped scaling. The approach yields robust improvements across multiple detectors and datasets (KITTI, Waymo, nuScenes) with competitive or superior performance on adversarial data while preserving accuracy on clean data. Practically, ScAR enables more reliable LiDAR perception under realistic black-box constraints and can be implemented with moderate computational resources, as demonstrated on OpenPCDet-based architectures and common hardware.

Abstract

The adversarial robustness of a model is its ability to resist adversarial attacks in the form of small perturbations to input data. Universal adversarial attack methods such as Fast Sign Gradient Method (FSGM) and Projected Gradient Descend (PGD) are popular for LiDAR object detection, but they are often deficient compared to task-specific adversarial attacks. Additionally, these universal methods typically require unrestricted access to the model's information, which is difficult to obtain in real-world applications. To address these limitations, we present a black-box Scaling Adversarial Robustness (ScAR) method for LiDAR object detection. By analyzing the statistical characteristics of 3D object detection datasets such as KITTI, Waymo, and nuScenes, we have found that the model's prediction is sensitive to scaling of 3D instances. We propose three black-box scaling adversarial attack methods based on the available information: model-aware attack, distribution-aware attack, and blind attack. We also introduce a strategy for generating scaling adversarial examples to improve the model's robustness against these three scaling adversarial attacks. Comparison with other methods on public datasets under different 3D object detection architectures demonstrates the effectiveness of our proposed method. Our code is available at https://github.com/xiaohulugo/ScAR-IROS2023.

ScAR: Scaling Adversarial Robustness for LiDAR Object Detection

TL;DR

This work identifies a size-sensitivity bias in LiDAR-based 3D object detectors, showing that scaling 3D instances can significantly affect predictions. It introduces three black-box scaling attacks—model-aware, distribution-aware, and blind—and develops ScAR to defend by transforming the training distribution of object sizes into a Uniform distribution via ICDF-mapped scaling. The approach yields robust improvements across multiple detectors and datasets (KITTI, Waymo, nuScenes) with competitive or superior performance on adversarial data while preserving accuracy on clean data. Practically, ScAR enables more reliable LiDAR perception under realistic black-box constraints and can be implemented with moderate computational resources, as demonstrated on OpenPCDet-based architectures and common hardware.

Abstract

The adversarial robustness of a model is its ability to resist adversarial attacks in the form of small perturbations to input data. Universal adversarial attack methods such as Fast Sign Gradient Method (FSGM) and Projected Gradient Descend (PGD) are popular for LiDAR object detection, but they are often deficient compared to task-specific adversarial attacks. Additionally, these universal methods typically require unrestricted access to the model's information, which is difficult to obtain in real-world applications. To address these limitations, we present a black-box Scaling Adversarial Robustness (ScAR) method for LiDAR object detection. By analyzing the statistical characteristics of 3D object detection datasets such as KITTI, Waymo, and nuScenes, we have found that the model's prediction is sensitive to scaling of 3D instances. We propose three black-box scaling adversarial attack methods based on the available information: model-aware attack, distribution-aware attack, and blind attack. We also introduce a strategy for generating scaling adversarial examples to improve the model's robustness against these three scaling adversarial attacks. Comparison with other methods on public datasets under different 3D object detection architectures demonstrates the effectiveness of our proposed method. Our code is available at https://github.com/xiaohulugo/ScAR-IROS2023.
Paper Structure (16 sections, 5 equations, 3 figures, 3 tables)

This paper contains 16 sections, 5 equations, 3 figures, 3 tables.

Table of Contents

  1. INTRODUCTION
  2. Related Work
  3. Adversarial Attack
  4. Adversarial Robustness
  5. Methodology
  6. Statistical Characteristics of 3D Object Detection Dataset
  7. Scaling Adversarial Attack
  8. Model-aware Attack
  9. Distribution-aware Attack
  10. Blind Attack
  11. Scaling Adversarial Robustness
  12. Experiments
  13. Experimental Setup
  14. Comparison
  15. Ablation Study
  16. ...and 1 more sections

Figures (3)

  • Figure 1: Demonstration on the adversarial example (b) generated by our model-aware scaling adversarial attack, and the performance of vanilla Second yan2018second (c) and our ScAR method (d) on the adversarial example. Red bounding boxes represent the ground truth annotations, the blue ones denote the predictions. In (c), four predictions' overlapping with ground truth is less than 0.7, while in (d) the predictions align well with the ground truth.
  • Figure 2: Overview of the proposed scaling adversarial robustness method. We convert the original distribution of the dataset into an Uniform distribution which is further utilized to generate adversarial examples to improve the network's generalization to unseen object sizes.
  • Figure 3: Distributions of annotation's size (the volume of 3D bounding box) for datasets: KITTI geiger2012we, Waymo sun2020scalability, nuScenes caesar2020nuscenes.