STONE: Pioneering the One-to-N Universal Backdoor Threat in 3D Point Cloud

TL;DR

STONE addresses the vulnerability of 3D point cloud models to backdoors by enabling one-to-N universal backdoors under black-box, dirty-label conditions. It introduces a spherical trigger framework with spatial-center parameterization and grounds the multi-target mappings with Neural Tangent Kernel analysis, demonstrating minimal inter-target interference. Extensive experiments across ModelNet40/ModelNet10/ShapeNetPart with PointNet, PointNet++, and DGCNN show high attack success (often near 100%) while preserving clean accuracy, and reveal resilience against certain defenses like SOR. This work establishes a foundational benchmark for multi-target backdoors in 3D vision and underscores the need for defenses that address parametric spatial triggers.

Abstract

Backdoor attacks pose a critical threat to deep learning, especially in safety-sensitive 3D domains such as autonomous driving and robotics. While potent, existing attacks on 3D point clouds are predominantly limited to one-to-one paradigms. The more flexible and universal one-to-N multi-target backdoor threat remains largely unexplored, lacking both theoretical and practical foundations. To bridge this gap, we propose STONE (Spherical Trigger One-to-N universal backdoor Enabling), the first method to instantiate this threat via a configurable spherical trigger design. Its parameterized spatial properties establish a dynamic key space, enabling a single trigger to map to multiple target labels. Theoretically, we ground STONE in a Neural Tangent Kernel (NTK) analysis, providing the first formal basis for one-to-N mappings in 3D models. Empirically, extensive evaluations demonstrate high attack success rates (up to 100\%) without compromising clean-data accuracy. This work establishes a foundational benchmark for multi-target backdoor threats under dirty-label and black-box settings in 3D vision -- a crucial step toward securing future intelligent systems.

Figures (5)

• Figure 1: Backdoor Trigger Applicability: Domain-Restricted vs. Universal. (a) Domain-restricted attack: The adversarial trigger must be embedded within a specific source object category (e.g., “Person”) to cause misclassification to a target (e.g., “Table”). (b) Universal attack: The same trigger can be embedded into any input (e.g., Chair, Person, or Cup) to cause misclassification to an attacker-chosen target (e.g., “Table”).
• Figure 2: Conceptual evolution from static one-to-one to dynamic one-to-N backdoor paradigms in 3D point clouds. (a) Traditional one-to-one attack employs a fixed spherical trigger, functioning as a single key that activates the same target class. (b) Our STONE framework redefines the trigger as a configurable entity in the single-sphere design, where spatial position acts as a dynamic parameter to encode different target classes. (c) The dual-sphere design further expands capacity through combinatorial configurations, demonstrating a richer parameter space for complex multi-target manipulations.
• Figure 3: End-to-end pipeline of the STONE framework (single-sphere design). The framework (1) implants class-specific spherical triggers into clean samples; (2) trains a model to associate trigger configurations with target classes while maintaining accuracy on clean inputs; (3) enables multi-target activation during inference, where applying a specific trigger causes misclassification to its designated target, as illustrated in Fig.\ref{['fig:activate']}(b)(c).
• Figure 4: Spatial sensitivity analysis of one-to-N backdoor attack.
• Figure 5: Comparison of average Attack Success Rate (ASR) between single-sphere and dual-sphere trigger designs for multi-target attacks (N=4) using PointNet on ModelNet40, ModelNet10, and ShapeNetPart datasets under varying poisoning ratios (0.3%-4%).

Theorems & Definitions (2)

• Lemma 1: Spatial Specificity of Spherical Triggers
• Lemma 2: Spatial Sensitivity