Improving the Transferability of 3D Point Cloud Attack via Spectral-aware Admix and Optimization Designs
Shiyu Hu, Daizong Liu, Wei Hu
TL;DR
The paper tackles the challenge of transferable adversarial attacks on 3D point clouds in black-box settings. It introduces Spectral-aware Admix with Augmented Optimization (SAAO), which performs Admix in the Graph Fourier Transform spectral domain to preserve geometry, uses learnable weighting $M$ and fixed low/high-frequency weights $M_s$, and selects augmentation paths via gradient cosine similarity to guide perturbations toward decision boundaries. A loss blends adversarial objective with geometry-preserving distance terms, producing adversarial point clouds that transfer effectively across unseen models. Experiments on ModelNet40 with PointNet, PointNet++, PointConv, and DGCNN demonstrate improved transferability and competitive imperceptibility, even under several defenses, highlighting practical potential for black-box 3D attack scenarios.
Abstract
Deep learning models for point clouds have shown to be vulnerable to adversarial attacks, which have received increasing attention in various safety-critical applications such as autonomous driving, robotics, and surveillance. Existing 3D attackers generally design various attack strategies in the white-box setting, requiring the prior knowledge of 3D model details. However, real-world 3D applications are in the black-box setting, where we can only acquire the outputs of the target classifier. Although few recent works try to explore the black-box attack, they still achieve limited attack success rates (ASR). To alleviate this issue, this paper focuses on attacking the 3D models in a transfer-based black-box setting, where we first carefully design adversarial examples in a white-box surrogate model and then transfer them to attack other black-box victim models. Specifically, we propose a novel Spectral-aware Admix with Augmented Optimization method (SAAO) to improve the adversarial transferability. In particular, since traditional Admix strategy are deployed in the 2D domain that adds pixel-wise images for perturbing, we can not directly follow it to merge point clouds in coordinate domain as it will destroy the geometric shapes. Therefore, we design spectral-aware fusion that performs Graph Fourier Transform (GFT) to get spectral features of the point clouds and add them in the spectral domain. Afterward, we run a few steps with spectral-aware weighted Admix to select better optimization paths as well as to adjust corresponding learning weights. At last, we run more steps to generate adversarial spectral feature along the optimization path and perform Inverse-GFT on the adversarial spectral feature to obtain the adversarial example in the data domain. Experiments show that our SAAO achieves better transferability compared to existing 3D attack methods.