Transferable 3D Adversarial Shape Completion using Diffusion Models

TL;DR

The paper addresses the vulnerability and transferability gaps of 3D point cloud classifiers under adversarial attack, particularly for modern architectures. It proposes a black-box attack that leverages pre-trained 3D diffusion models to perform adversarial shape completion from partial geometry, guided by an untargeted objective and constrained by $\ell_{\infty}$ bounds. To boost transferability, the authors introduce model uncertainty via random down-sampling, ensemble adversarial guidance across substitute models, and saliency-based point selection to preserve generation quality. Extensive ShapeNet experiments demonstrate state-of-the-art transferability against eight black-box models and defenses, establishing a strong baseline for evaluating 3D robustness with diffusion-based adversarial attacks. The work highlights practical implications for security in 3D vision systems and points to future opportunities in faster inference and defense strategies.

Abstract

Recent studies that incorporate geometric features and transformers into 3D point cloud feature learning have significantly improved the performance of 3D deep-learning models. However, their robustness against adversarial attacks has not been thoroughly explored. Existing attack methods primarily focus on white-box scenarios and struggle to transfer to recently proposed 3D deep-learning models. Even worse, these attacks introduce perturbations to 3D coordinates, generating unrealistic adversarial examples and resulting in poor performance against 3D adversarial defenses. In this paper, we generate high-quality adversarial point clouds using diffusion models. By using partial points as prior knowledge, we generate realistic adversarial examples through shape completion with adversarial guidance. The proposed adversarial shape completion allows for a more reliable generation of adversarial point clouds. To enhance attack transferability, we delve into the characteristics of 3D point clouds and employ model uncertainty for better inference of model classification through random down-sampling of point clouds. We adopt ensemble adversarial guidance for improved transferability across different network architectures. To maintain the generation quality, we limit our adversarial guidance solely to the critical points of the point clouds by calculating saliency scores. Extensive experiments demonstrate that our proposed attacks outperform state-of-the-art adversarial attack methods against both black-box models and defenses. Our black-box attack establishes a new baseline for evaluating the robustness of various 3D point cloud classification models.

Figures (4)

• Figure 1: The adversarial shape completion. Starting from the partial shape $z_0$, we construct our adversarial shape $x_{adv}$ by utilizing diffusion models with proposed adversarial guidance.
• Figure 2: The challenging 3D black-box adversarial attacks. The value in the Heatmap is re-scaled for better visualization. We use the top 13 classes from the ShapeNet dataset to demonstrate the long-tailed dataset problem. We use PGD with $\ell_\text{inf}=0.16$ on PointNet to evaluate the black-box attack success rate (ASR).
• Figure 3: The visual quality of adversarial examples. The black-box adversarial examples are relatively unnatural compared to white-box adversarial examples.
• Figure 4: The ablation study of proposed 3DAdvDiff$_\text{ens}$. The results are evaluated on the Chair class of the ShapeNet dataset. We use average ASR to test the black-box attack performance.