RemedyGS: Defend 3D Gaussian Splatting against Computation Cost Attacks

Yanping Li, Zhening Liu, Zijian Li, Zehong Lin, Jun Zhang

TL;DR

This paper tackles the vulnerability of 3D Gaussian Splatting (3DGS) to computation-cost attacks that can cause DoS in 3DGS-based services. It introduces RemedyGS, a black-box defense consisting of a detector that flags poisoned inputs and a purifier that recovers benign content, enhanced by adversarial training to align recovered images with clean data. The approach yields state-of-the-art safety and utility, maintaining near-benign computational costs while preserving high-fidelity novel-view synthesis across diverse 3D reconstruction benchmarks. The authors also provide theoretical derivations for the optimal discriminator and the maximum adversarial objective, and demonstrate robustness against white-box, black-box, and adaptive attacks, with thorough ablations and practical deployment details.

Abstract

As a mainstream technique for 3D reconstruction, 3D Gaussian splatting (3DGS) has been applied in a wide range of applications and services. Recent studies have revealed critical vulnerabilities in this pipeline and introduced computation cost attacks that lead to malicious resource occupancies and even denial-of-service (DoS) conditions, thereby hindering the reliable deployment of 3DGS. In this paper, we propose the first effective and comprehensive black-box defense framework, named RemedyGS, against such computation cost attacks, safeguarding 3DGS reconstruction systems and services. Our pipeline comprises two key components: a detector to identify the attacked input images with poisoned textures and a purifier to recover the benign images from their attacked counterparts, mitigating the adverse effects of these attacks. Moreover, we incorporate adversarial training into the purifier to enforce distributional alignment between the recovered and original natural images, thereby enhancing the defense efficacy. Experimental results demonstrate that our framework effectively defends against white-box, black-box, and adaptive attacks in 3DGS systems, achieving state-of-the-art performance in both safety and utility.

Paper Structure

This paper contains 22 sections, 1 theorem, 19 equations, 6 figures, 14 tables.

Key Result

Theorem 1

Let $x$ and $y$ be random variables. The mutual information between them admits the following variational lower bound: where $q(x|y)$ is an arbitrary variational distribution.

Figures (6)

  • Figure 1: Overview of our proposed defense framework RemedyGS against 3DGS computation cost attacks, where we visualize the input RGB image and 3DGS point cloud positions. The computational cost increases with the density of the 3DGS point cloud. Our method effectively safeguards 3DGS systems.
  • Figure 2: (Left) The architecture of our detector. (Right) The architecture of our purifier.
  • Figure 3: The architecture of our adversarial training framework.
  • Figure 4: Qualitative results of rendered images for the room scene in the Mip-NeRF360 dataset. Top row: (Left) ground truth image, (Middle) rendering with clean image input, (Right) rendering with attacked image input. Bottom row: (Left) rendering with smoothed image input, (Middle) rendering with an upper bound on the number of Gaussians, (Right) rendering under our RemedyGS.
  • Figure 5: 3D Gaussian point cloud visualization of rendering results from different input images. Top row: (Left) Point cloud visualization of rendering from clean image input. (Right) Point cloud visualization of rendering from attacked image input. Bottom row: (Left) Point cloud visualization of rendering from the limiting Gaussian number defense method. (Right) Point cloud visualization of rendering from our RemedyGS method.
  • ...and 1 more figures

Theorems & Definitions (1)

  • Theorem 1: Barber-Agakov Bound [barber2004algorithm]