Benchmarking and Analyzing Robust Point Cloud Recognition: Bag of Tricks for Defending Adversarial Examples

TL;DR

This paper establishes a comprehensive benchmark for 3D point cloud adversarial robustness, systematically evaluates defense tricks, and proposes a hybrid training augmentation to significantly improve robustness against diverse attacks.

Contribution

It introduces a rigorous benchmark, systematically analyzes defense strategies, and proposes a hybrid augmentation method to enhance adversarial robustness in point cloud recognition.

Findings

Achieved an average accuracy of 83.45% against various attacks.

Identified effective combinations of defense tricks through extensive experiments.

Demonstrated the effectiveness of hybrid training augmentation for robustness.

Abstract

Deep Neural Networks (DNNs) for 3D point cloud recognition are vulnerable to adversarial examples, threatening their practical deployment. Despite the many research endeavors have been made to tackle this issue in recent years, the diversity of adversarial examples on 3D point clouds makes them more challenging to defend against than those on 2D images. For examples, attackers can generate adversarial examples by adding, shifting, or removing points. Consequently, existing defense strategies are hard to counter unseen point cloud adversarial examples. In this paper, we first establish a comprehensive, and rigorous point cloud adversarial robustness benchmark to evaluate adversarial robustness, which can provide a detailed understanding of the effects of the defense and attack methods. We then collect existing defense tricks in point cloud adversarial defenses and then perform extensive and systematic experiments to identify an effective combination of these tricks. Furthermore, we propose a hybrid training augmentation methods that consider various types of point cloud adversarial examples to adversarial training, significantly improving the adversarial robustness. By combining these tricks, we construct a more robust defense framework achieving an average accuracy of 83.45\% against various attacks, demonstrating its capability to enabling robust learners. Our codebase are open-sourced on: \url{https://github.com/qiufan319/benchmark_pc_attack.git}.