Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Toward Availability Attacks in 3D Point Clouds

Yifan Zhu, Yibo Miao, Yinpeng Dong, Xiao-Shan Gao

TL;DR

The paper tackles the gap in 3D data privacy by proposing FC-EM, a novel availability attack for 3D point clouds that overcomes degeneracy in distance-regularized bi-level poisoning. By introducing a class-wise feature collision loss ${\mathcal{L}}_{\rm fc}$, FC-EM induces different update directions than standard classification loss, breaking equilibrium and enabling stronger, more imperceptible poisons. The authors provide theoretical analysis showing improved linear separability and practical evidence across ModelNet40, ScanObjectNN, IntrA, and Basel Face Model datasets, with attacks remaining robust under various defenses and transferring across models. The work establishes a new baseline for 3D availability attacks and highlights implications for privacy, security, and the need for defenses in 3D deep learning systems.

Abstract

Despite the great progress of 3D vision, data privacy and security issues in 3D deep learning are not explored systematically. In the domain of 2D images, many availability attacks have been proposed to prevent data from being illicitly learned by unauthorized deep models. However, unlike images represented on a fixed dimensional grid, point clouds are characterized as unordered and unstructured sets, posing a significant challenge in designing an effective availability attack for 3D deep learning. In this paper, we theoretically show that extending 2D availability attacks directly to 3D point clouds under distance regularization is susceptible to the degeneracy, rendering the generated poisons weaker or even ineffective. This is because in bi-level optimization, introducing regularization term can result in update directions out of control. To address this issue, we propose a novel Feature Collision Error-Minimization (FC-EM) method, which creates additional shortcuts in the feature space, inducing different update directions to prevent the degeneracy of bi-level optimization. Moreover, we provide a theoretical analysis that demonstrates the effectiveness of the FC-EM attack. Extensive experiments on typical point cloud datasets, 3D intracranial aneurysm medical dataset, and 3D face dataset verify the superiority and practicality of our approach. Code is available at https://github.com/hala64/fc-em.

Toward Availability Attacks in 3D Point Clouds

TL;DR

The paper tackles the gap in 3D data privacy by proposing FC-EM, a novel availability attack for 3D point clouds that overcomes degeneracy in distance-regularized bi-level poisoning. By introducing a class-wise feature collision loss , FC-EM induces different update directions than standard classification loss, breaking equilibrium and enabling stronger, more imperceptible poisons. The authors provide theoretical analysis showing improved linear separability and practical evidence across ModelNet40, ScanObjectNN, IntrA, and Basel Face Model datasets, with attacks remaining robust under various defenses and transferring across models. The work establishes a new baseline for 3D availability attacks and highlights implications for privacy, security, and the need for defenses in 3D deep learning systems.

Abstract

Despite the great progress of 3D vision, data privacy and security issues in 3D deep learning are not explored systematically. In the domain of 2D images, many availability attacks have been proposed to prevent data from being illicitly learned by unauthorized deep models. However, unlike images represented on a fixed dimensional grid, point clouds are characterized as unordered and unstructured sets, posing a significant challenge in designing an effective availability attack for 3D deep learning. In this paper, we theoretically show that extending 2D availability attacks directly to 3D point clouds under distance regularization is susceptible to the degeneracy, rendering the generated poisons weaker or even ineffective. This is because in bi-level optimization, introducing regularization term can result in update directions out of control. To address this issue, we propose a novel Feature Collision Error-Minimization (FC-EM) method, which creates additional shortcuts in the feature space, inducing different update directions to prevent the degeneracy of bi-level optimization. Moreover, we provide a theoretical analysis that demonstrates the effectiveness of the FC-EM attack. Extensive experiments on typical point cloud datasets, 3D intracranial aneurysm medical dataset, and 3D face dataset verify the superiority and practicality of our approach. Code is available at https://github.com/hala64/fc-em.
Paper Structure (41 sections, 9 theorems, 24 equations, 6 figures, 14 tables, 2 algorithms)

This paper contains 41 sections, 9 theorems, 24 equations, 6 figures, 14 tables, 2 algorithms.

Table of Contents

  1. Introduction
  2. Related Work
  3. Preliminaries
  4. Problem Formulation
  5. 3D Point Cloud Availability Attack
  6. Poisoning Degeneracy
  7. Method
  8. Feature Collision Error-Minimization
  9. Theoretical Analysis
  10. Experiments
  11. Experimental Setup
  12. Main Results
  13. Transferability between Models
  14. Performance under Defense
  15. Results on Real-World Datasets
  16. ...and 26 more sections

Key Result

Theorem 4.1

(Proof in Appendix proofs) Assume that ${\mathcal{L}}_{{{\rm{cls}}}}$ and ${\mathcal{L}}_{{{\rm{dis}}}}$ are continuous, and the network's hypothesis space ${\mathcal{H}}_{{\mathcal{F}}}$ is compact. Let $D_{\delta}= \{(x_i+\delta_i, y_i)\}_{i=1}^N$ be the poisoned dataset of $D$. For simplicity, we

Figures (6)

  • Figure 1: Left: An illustration of availability attacks. The poisoner adds imperceptible perturbations to the training data, aiming to reduce the model’s generalization ability and prevent data from being illicitly learned by unauthorized deep models. Right: An illustration of poisons crafted by EM huang2020unlearnable, AP fowl2021adversarial, and our FC-EM attack for point cloud classification, intracranial aneurysm diagnosis, and face recognition tasks. Notably, poisons generated by EM and AP have noticeable outliers, lacking imperceptibility. Poisons generated by our FC-EM are more natural and imperceptible, maintaining the semantic integrity.
  • Figure 2: The effects of different distance regularization strength $\beta$ under REG-EM and our FC-EM. Poisons crafted by REG-EM exhibit consistent Chamfer distance and test accuracy across different values of $\beta$. This implies that the poison has already degenerated when distance regularization is applied. In contrast, poisons crafted by FC-EM are more vulnerable to the balancing hyperparameter $\beta$, demonstrating resilience against poison degeneracy.
  • Figure 3: (a): Epoch-loss curves of cross-entropy loss and feature collision loss under standard training. The feature collision loss fails to converge and even increases. This implies that they optimize towards the different direction. (b): Average cosine similarity between the rows of last layer weight matrix. FC-EM yields smaller cosine similarities compared to EM and REG-EM.
  • Figure 4: Qualitative visualization results of baseline methods and our FC-EM. Poisons generated by EM, AP, AP-T and REG-AP-T exhibit conspicuous outliers, thus lacking imperceptibility. Although REG-EM and REG-AP successfully achieve imperceptibility, they fail to reduce model’s accuracy on test data. In contrast, our FC-EM approach not only demonstrates enhanced naturalness and imperceptibility but also effectively reduce model's generalization ability.
  • Figure 5: More qualitative visualization results of baseline methods and our FC-EM. Our FC-EM approach demonstrates enhanced naturalness and imperceptibility.
  • ...and 1 more figures

Theorems & Definitions (17)

  • Theorem 4.1
  • Remark 4.2
  • Corollary 4.3
  • Theorem 5.1
  • Remark 5.2
  • Theorem 5.3
  • Remark 5.4
  • Theorem 1.1: Restate of Theorem \ref{['th-new-loss-2']}
  • proof
  • Theorem 1.2: Restate of Theorem \ref{['th-linear']}
  • ...and 7 more