The art of defense: letting networks fool the attacker
Jinlai Zhang, Yinpeng Dong, Binbin Liu, Bo Ouyang, Jihong Zhu, Minchi Kuang, Houqing Wang, Yanmei Meng

TL;DR
This paper introduces a novel invariant transformations defense (IT-Defense) for 3D point cloud classifiers that leverages the permutation invariance property of point clouds to improve robustness against attacks without sacrificing accuracy.
Contribution
It proposes a new defense method that exploits the natural permutation invariance of point clouds, enhancing robustness while maintaining accuracy.
Findings
IT-Defense is resilient against state-of-the-art 3D attacks.
IT-Defense does not reduce clean accuracy compared to previous defenses.
The method effectively leverages the permutation invariance property of point clouds.
Abstract
Robust environment perception is critical for autonomous cars, and adversarial defenses are the most effective and widely studied ways to improve the robustness of environment perception. However, all previous defense methods decrease the natural accuracy, and the nature of the DNNs themselves has been overlooked. To this end, in this paper, we propose a novel adversarial defense for 3D point cloud classifiers that makes full use of the nature of the DNNs. Due to the disorder of point clouds, all point cloud classifiers have the property of permutation invariance to the input point cloud. Based on this nature, we design the invariant transformations defense (IT-Defense). We show that, even after accounting for obfuscated gradients, our IT-Defense is a resilient defense against state-of-the-art (SOTA) 3D attacks. Moreover, IT-Defense does not hurt clean accuracy compared to previous SOTA 3D…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Anomaly Detection Techniques and Applications · Advanced Malware Detection Techniques
