NoPain: No-box Point Cloud Attack via Optimal Transport Singular Boundary

TL;DR

NoPain addresses the lack of transferability in point-cloud attacks by shifting focus from surrogate-model optimization to intrinsic data distribution characteristics. It leverages semi-discrete OT to compute Brenier's potential and a hyperplane-based decomposition of the latent manifold, identifying singular boundaries where the OT map is non-differentiable. By sampling along these boundaries and decoding via a pre-trained autoencoder, NoPain generates adversarial point clouds without iterative optimization or model queries, achieving strong cross-network transferability. The method demonstrates improved transferability and efficiency over state-of-the-art baselines and remains effective against defenses, offering a clear, geometry-driven perspective on adversarial attacks with publicly available code.

Abstract

Adversarial attacks exploit the vulnerability of deep models against adversarial samples. Existing point cloud attackers are tailored to specific models, iteratively optimizing perturbations based on gradients in either a white-box or black-box setting. Despite their promising attack performance, they often struggle to produce transferable adversarial samples due to overfitting the specific parameters of surrogate models. To overcome this issue, we shift our focus to the data distribution itself and introduce a novel approach named NoPain, which employs optimal transport (OT) to identify the inherent singular boundaries of the data manifold for cross-network point cloud attacks. Specifically, we first calculate the OT mapping from noise to the target feature space, then identify singular boundaries by locating non-differentiable positions. Finally, we sample along singular boundaries to generate adversarial point clouds. Once the singular boundaries are determined, NoPain can efficiently produce adversarial samples without the need of iterative updates or guidance from the surrogate classifiers. Extensive experiments demonstrate that the proposed end-to-end method outperforms baseline approaches in terms of both transferability and efficiency, while also maintaining notable advantages even against defense strategies. Code and model are available at https://github.com/cognaclee/nopain

Figures (4)

• Figure 1: Point cloud attack via OT singular boundary. We exploit singular boundaries of the data manifold, induced by the OT, to perform no-box attacks. Our approach begins by applying the OT mapping to obtain the hyperplane set {$\pi_{\boldsymbol{h},i}$} and polygons decomposition of the data manifold. Next, we compute dihedral angles between neighbor hyperplanes to identify singular boundaries. Finally, adversarial samples $\boldsymbol{\widehat{y}}$ are generated by sampling along singular boundaries. Hyperplanes of the same color represent the hyperplane associated with $\boldsymbol{y_i}$ (dark) and its neighbor (light), with a singular boundary indicated by the solid and dashed red lines.
• Figure 2: Overview of the proposed no-box point cloud attack framework NoPain. $\boldsymbol{Y}$ represents sample features, and $\boldsymbol{X}$ is noise. The dotted line indicates the process only in the test phase. The blue point cloud on the left is the original point cloud, and the crimson one on the right represents the generated adversarial samples. For the OT Attack, we first apply OT to calculate the hyperplane set, $\pi_{\boldsymbol{h},i}$, associated with each feature $\boldsymbol{y}_{i}$. Next, we use the approach in Sec.\ref{['sec:singbound']} to determine singular boundaries and execute the attack with Eq.\ref{['eq:interplatation']} in Sec. \ref{['sec:sampling']}.
• Figure 3: Visualizations of adversarial samples on data from ModelNet40 (left three columns) and ShapeNetPart (right three columns). The icons below point clouds indicate their category prediction by PointNet, PointNet++, PointConv, DGCNN and PCT, where red and green indicate successful and failed attacks.
• Figure 4: Effects of the number of neighbors $K$ and angle threshold $\tau$ to ASR and CD on ModelNet40. To present these two metrics in a single graph, we scaled the CD values by a factor of 300.