Stealthy Patch-Wise Backdoor Attack in 3D Point Cloud via Curvature Awareness

TL;DR

This paper tackles backdoor attacks on 3D point clouds by addressing the inefficiencies and detectability of sample-wise triggers. It introduces Stealthy Patch-Wise Backdoor Attack (SPBA), a patch-wise framework that injects a unified spectral trigger into curvature-rich local patches via Graph Fourier Transform, guided by a curvature-based imperceptibility score. SPBA achieves state-of-the-art stealthiness and competitive attack effectiveness across ModelNet40 and ShapeNetPart, while substantially reducing computational cost compared to prior spectral, sample-wise methods. The approach demonstrates strong resistance to common defenses and presents a practical, efficient pathway for evaluating and mitigating backdoor risks in 3D point-cloud pipelines.

Abstract

Backdoor attacks pose a severe threat to deep neural networks (DNNs) by implanting hidden backdoors that can be activated with predefined triggers to manipulate model behaviors maliciously. Existing 3D point cloud backdoor attacks primarily rely on sample-wise global modifications, which suffer from low imperceptibility. Although optimization can improve stealthiness, optimizing sample-wise triggers significantly increases computational cost. To address these limitations, we propose the Stealthy Patch-Wise Backdoor Attack (SPBA), the first patch-wise backdoor attack framework for 3D point clouds. Specifically, SPBA decomposes point clouds into local patches and employs a curvature-based imperceptibility score to guide trigger injection into visually less sensitive patches. By optimizing a unified patch-wise trigger that perturbs spectral features of selected patches, SPBA significantly enhances optimization efficiency while maintaining high stealthiness. Extensive experiments on ModelNet40 and ShapeNetPart further demonstrate that SPBA surpasses prior state-of-the-art backdoor attacks in both attack effectiveness and resistance to defense methods. The code is available at https://github.com/HazardFY/SPBA.

Figures (6)

• Figure 1: Comparison of latest sample-wise attacks and our stealthy patch-wise attack. Green points represent the original sample, while red points indicate modifications introduced by injected triggers.
• Figure 2: The framework of our proposed SPBA method. Given a benign point cloud sample $X$, SPBA first decomposes the sample into local patches and evaluates their patch imperceptibility scores (PIS). Patches with high PIS are then selected and transformed into the spectral domain using the Graph Fourier Transform (GFT). A spectral trigger is injected into the selected patches, ensuring stealthy perturbations. Finally, the Inverse Graph Fourier Transform (IGFT) reconstructs the local patches, which are then aggregated with the unmodified patches to form the final poisoned sample $X^p$.
• Figure 3: Comparison of original and perturbed patches of airplane tail. The second row shows the spectral features of the original patch and spectral perturbations across different spectrum bands.
• Figure 4: Visual comparison of poisoned samples from different backdoor attack methods. Our proposed SPBA preserves structural integrity and ensures smooth regions (e.g., the vase or car roof) remain undisturbed, enhancing imperceptibility.
• Figure 5: Gradient-based salience analysis with the most significant points highlighted in red.