Nudge Attacks on Point-Cloud DNNs

TL;DR

This paper introduces nudge attacks on point-cloud DNNs, demonstrating that changing only a few points can reliably cause misclassification, highlighting a new vulnerability in 3D data processing.

Contribution

The paper proposes a novel family of nudge attacks that perturb minimal points in point clouds, showing their effectiveness in both white-box and grey-box scenarios.

Findings

Single-point perturbation can flip predictions in 12-80% of cases.

Perturbing 10 points increases success rate to 37-95%.

Nudge attacks are effective for targeted and untargeted adversarial examples.

Abstract

The wide adaption of 3D point-cloud data in safety-critical applications such as autonomous driving makes adversarial samples a real threat. Existing adversarial attacks on point clouds achieve high success rates but modify a large number of points, which is usually difficult to do in real-life scenarios. In this paper, we explore a family of attacks that only perturb a few points of an input point cloud, and name them nudge attacks. We demonstrate that nudge attacks can successfully flip the results of modern point-cloud DNNs. We present two variants, gradient-based and decision-based, showing their effectiveness in white-box and grey-box scenarios. Our extensive experiments show nudge attacks are effective at generating both targeted and untargeted adversarial point clouds, by changing a few points or even a single point from the entire point-cloud input. We find that with a single point we can reliably thwart predictions in 12--80% of cases, whereas 10 points allow us to further increase this to 37--95%. Finally, we discuss the possible defenses against such attacks, and explore their limitations.