Poison-splat: Computation Cost Attack on 3D Gaussian Splatting

TL;DR

This work identifies a security vulnerability in 3D Gaussian Splatting (3DGS) where training-time computation can be adversarially inflated through data poisoning, enabling potential Denial-of-Service scenarios. It formulates Poison-splat as a max–min bi-level optimization and introduces a proxy-model rendering approach combined with a total-variation objective to maximize compute cost while keeping perturbations bounded by $\epsilon$. Experiments across three datasets and various victim models show substantial increases in the number of Gaussians, GPU memory usage, and training time, with both white-box and black-box settings demonstrating the attack’s effectiveness. The authors argue that naive defenses (e.g., limiting Gaussian counts or image smoothing) are insufficient, calling for robust defenses and more secure 3DGS designs, while transparently discussing limitations and ethical considerations.

Abstract

3D Gaussian splatting (3DGS), known for its groundbreaking performance and efficiency, has become a dominant 3D representation and brought progress to many 3D vision tasks. However, in this work, we reveal a significant security vulnerability that has been largely overlooked in 3DGS: the computation cost of training 3DGS could be maliciously tampered by poisoning the input data. By developing an attack named Poison-splat, we reveal a novel attack surface where the adversary can poison the input images to drastically increase the computation memory and time needed for 3DGS training, pushing the algorithm towards its worst computation complexity. In extreme cases, the attack can even consume all allocable memory, leading to a Denial-of-Service (DoS) that disrupts servers, resulting in practical damages to real-world 3DGS service vendors. Such a computation cost attack is achieved by addressing a bi-level optimization problem through three tailored strategies: attack objective approximation, proxy model rendering, and optional constrained optimization. These strategies not only ensure the effectiveness of our attack but also make it difficult to defend with simple defensive measures. We hope the revelation of this novel attack surface can spark attention to this crucial yet overlooked vulnerability of 3DGS systems. Our code is available at https://github.com/jiahaolu97/poison-splat .

Figures (7)

• Figure 1: Our Poison-splat attack adds perturbations to input images, making 3D Gaussian Splatting need significantly more parameters to reconstruct the 3D scene, leading to huge increases in GPU memory consumption, training time and rendering latency. Here, we visualize the input image and the underlying 3D Gaussians of a clean view (left) and its corresponding poisoned view (right).
• Figure 2: The figure illustrates the strong positive correlation between the number of Gaussians and (a) GPU memory occupancy, and (b) training time costs. Panel (c) shows the relationship between image sharpness, measured by the average total variation score, and the number of Gaussians.
• Figure 3: Figure (a) shows that our attack leads to a significant increase on the GPU memory and training time. Figure (b) shows that attacks simply maximizing total variation score at the image level are less effective compared to Poison-splat, which highlights the crucial role of the proxy model in our attack design.
• Figure 4: Visualizations of proxy model updates during an attack process. The proxy 3DGS model gradually obtains more complexity from learning from non-smoothness in the 2D image space.
• Figure 5: Poison-splat attack cannot be painlessly defended by simply constraining the number of Gaussians during 3DGS optimization. As demonstrated, while this defense can cap the maximum resource consumption, it markedly degrades the quality of 3D reconstruction, in terms of photo-realism and fine-grained details of the rendered images, which violates the primary goal of the service provider.