IPA-NeRF: Illusory Poisoning Attack Against Neural Radiance Fields
Wenxiang Jiang, Hanwei Zhang, Shuo Zhao, Zhongwen Guo, Hao Wang
TL;DR
This work addresses the security vulnerabilities of Neural Radiance Fields (NeRF) by introducing IPA-NeRF, a poisoning-based backdoor that yields illusory outputs at a designated backdoor viewpoint while preserving normal outputs elsewhere. The authors formulate a bi-level optimization with an angle-constrained objective to embed a targeted illusion into NeRF through minimal training perturbations, and validate the approach across synthetic Blender data, Google Scan, Mip-NeRF 360, and real road scenes. They perform extensive ablations on angle constraints and perturbation budgets, demonstrating precise control over the illusory view and limited impact on neighboring viewpoints. The study highlights the practical security risks of NeRF in safety-critical contexts and discusses potential defenses like random smoothing and differential privacy to mitigate such backdoor threats.
Abstract
Neural Radiance Field (NeRF) represents a significant advancement in computer vision, offering implicit neural network-based scene representation and novel view synthesis capabilities. Its applications span diverse fields including robotics, urban mapping, autonomous navigation, and virtual reality/augmented reality, some of which are considered high-risk AI applications. However, despite its widespread adoption, the robustness and security of NeRF remain largely unexplored. In this study, we contribute to this area by introducing the Illusory Poisoning Attack against Neural Radiance Fields (IPA-NeRF). This attack embeds a hidden backdoor view into NeRF, allowing it to produce predetermined (illusory) outputs when presented with the specified backdoor view while maintaining normal performance with standard inputs. Our attack is specifically designed to deceive users or downstream models at a particular position while ensuring that any abnormalities in NeRF remain undetectable from other viewpoints. Experimental results demonstrate the effectiveness of our Illusory Poisoning Attack, which successfully presents the desired illusion at the specified viewpoint without impacting other views. Notably, we achieve this attack by introducing small perturbations solely to the training set. The code can be found at https://github.com/jiang-wenxiang/IPA-NeRF.
