LPF-Defense: 3D Adversarial Defense based on Frequency Analysis

TL;DR

This paper introduces LPF-Defense, a frequency-based method that enhances 3D point cloud model robustness against adversarial attacks by suppressing high-frequency components during training.

Contribution

The paper proposes a novel frequency analysis-based defense that reduces adversarial vulnerability in 3D point cloud classification models.

Findings

Decreases success rate of six adversarial attacks

Improves classification accuracy on adversarial and original data

Enhances robustness of PointNet, PointNet++, and DGCNN models

Abstract

Although 3D point cloud classification has recently been widely deployed in different application scenarios, it is still very vulnerable to adversarial attacks. This increases the importance of robust training of 3D models in the face of adversarial attacks. Based on our analysis on the performance of existing adversarial attacks, more adversarial perturbations are found in the mid and high-frequency components of input data. Therefore, by suppressing the high-frequency content in the training phase, the models robustness against adversarial examples is improved. Experiments showed that the proposed defense method decreases the success rate of six attacks on PointNet, PointNet++ ,, and DGCNN models. In particular, improvements are achieved with an average increase of classification accuracy by 3.8 % on drop100 attack and 4.26 % on drop200 attack compared to the state-of-the-art methods. The method also improves models accuracy on the original dataset compared to other available methods.