iBA: Backdoor Attack on 3D Point Cloud via Reconstructing Itself

TL;DR

iBA, a novel solution utilizing a folding-based auto-encoder (AE), enhances both effectiveness and imperceptibility in 3D point cloud preprocessing, achieving state-of-the-art attack success rates (ASR) across a variety of victim models, even with defensive measures in place.

Abstract

The widespread deployment of Deep Neural Networks (DNNs) for 3D point cloud processing starkly contrasts with their susceptibility to security breaches, notably backdoor attacks. These attacks hijack DNNs during training, embedding triggers in the data that, once activated, cause the network to make predetermined errors while maintaining normal performance on unaltered data. This vulnerability poses significant risks, especially given the insufficient research on robust defense mechanisms for 3D point cloud networks against such sophisticated threats. Existing attacks either struggle to resist basic point cloud pre-processing methods, or rely on delicate manual design. Exploring simple, effective, imperceptible, and difficult-to-defend triggers in 3D point clouds is still challenging.To address these challenges, we introduce MirrorAttack, a novel effective 3D backdoor attack method, which implants the trigger by simply reconstructing a clean point cloud with an auto-encoder. The data-driven nature of the MirrorAttack obviates the need for complex manual design. Minimizing the reconstruction loss automatically improves imperceptibility. Simultaneously, the reconstruction network endows the trigger with pronounced nonlinearity and sample specificity, rendering traditional preprocessing techniques ineffective in eliminating it. A trigger smoothing module based on spherical harmonic transformation is also attached to regulate the intensity of the attack.Both quantitive and qualitative results verify the effectiveness of our method. We achieve state-of-the-art ASR on different types of victim models with the intervention of defensive techniques. Moreover, the minimal perturbation introduced by our trigger, as assessed by various metrics, attests to the method's stealth, ensuring its imperceptibility.

Figures (13)

• Figure 1: The sketch of our work. (a) We design a sample-specific and imperceptible backdoor attack on 3D point clouds with a folding-based AE; (b) The victim model will be hijacked and manipulated once trained on the attacked dataset.
• Figure 2: The framework of our method. (a.1) Utilize a pre-trained AE to reconstruct benign samples and to generate backdoor samples; (a.2) An optional trigger smoothing module is designed to balance the imperceptibility and ASR. As $t$ shifts from 0 to 1, the polluted samples subtly morph from benign to backdoor ones; (b) The attacker manipulates the dataset by substituting a small portion of benign samples with backdoor ones and altering their labels to a specific target, such as "bed". The victim model is hijacked once trained on this manipulated dataset; (c) The hijacked model works normally under regular conditions but will misclassify a backdoor sample as a "bed" according to the attacker's predetermined plan.
• Figure 3: Detailed structure of the utilized 3D AE. It is inspired by the design of FoldingNetfoldingnet. The blue, green, and yellow blocks correspond to three different types of neural network units, each annotated with the size of its parameter matrix $W$. The gray triangle represents a max-pooling layer, with dim-$i$ indicating the applied dimension. For definitions of the specific symbols, please refer to Sec.\ref{['mirror_1']}.
• Figure 4: Visualization of different attacks on a "keyboard" object from the ModelNet40 dataset. It shows that the folding-based reconstruction introduces special geometric perturbations.
• Figure 5: Visualization of trigger smoothing. As $t$ increases from 0 to 1, the benign point cloud is gradually transformed into a polluted one.