Poison-splat: Computation Cost Attack on 3D Gaussian Splatting
Jiahao Lu, Yifan Zhang, Qiuhong Shen, Xinchao Wang, Shuicheng Yan
TL;DR
This paper introduces Poison-splat, a novel attack that poisons input data to drastically increase training computation costs in 3D Gaussian splatting, potentially causing denial-of-service and exposing security vulnerabilities.
Contribution
The paper reveals a new security vulnerability in 3D Gaussian splatting and develops Poison-splat, an attack method that manipulates input data to escalate training costs and disrupt systems.
Findings
Poison-splat can significantly increase training time and memory usage.
The attack can cause complete memory exhaustion leading to DoS.
The proposed strategies make the attack effective and hard to defend against.
Abstract
3D Gaussian splatting (3DGS), known for its groundbreaking performance and efficiency, has become a dominant 3D representation and brought progress to many 3D vision tasks. However, in this work, we reveal a significant security vulnerability that has been largely overlooked in 3DGS: the computation cost of training 3DGS could be maliciously tampered by poisoning the input data. By developing an attack named Poison-splat, we reveal a novel attack surface where the adversary can poison the input images to drastically increase the computation memory and time needed for 3DGS training, pushing the algorithm towards its worst computation complexity. In extreme cases, the attack can even consume all allocable memory, leading to a Denial-of-Service (DoS) that disrupts servers, resulting in practical damages to real-world 3DGS service vendors. Such a computation cost attack is achieved by…
Peer Reviews
Decision·ICLR 2025 Spotlight
+ A unique computation cost attack targeting 3D Gaussian Splatting. + Highlights practical vulnerabilities in commercial 3D reconstruction services. + Thorough experimentation across various datasets.
- The paper frames the problem as a data poisoning attack. However, it does not clearly elaborate on the poisoning ratio required for Poison-Splat to be effective. Additionally, the implications of varying poisoning ratios, particularly their impact on the stealthiness and overall effectiveness of the attack, are not thoroughly discussed. - The paper mentions that Poison-Splat maximizes the number of Gaussians by enhancing the sharpness of 3D objects through controlling the smoothness factor. H
1. This work identifies a new kind of vulnerability in 3DGS systems, which is the computational cost attack. 2. Authors have proposed an efficient algorithm to optimize a perturbation to increase the number of gaussians required in 3DGS. 3. The presentation of the paper is clear and easy to follow. 4. Evaluation results demonstrate the good attack performance in both black-box and white-box settings.
1. The constraint of the perturbation (epsilon = 16/255) seems large, and the quality of the resulted image could be affected. More ablation studies may be conducted to evaluate other constraint thresholds. 2. A simple defense might be smoothing the input images before conducting 3DGS, which seems an adaptive defense regarding your perturbations to the input. You may discuss or evaluate the effectiveness and negative impact of such defense.
1. The paper is well written and organized. 2. The paper reveals that the flexibility in model complexity of 3DGS can become a security backdoor, making it vulnerable to computation cost attack. 3. Attacks are formulated and extensive experiments are conducted.
1. Is the attack practically feasible in real-world scenarios, or is it only feasible in theory? 2. In the work, the authors approximate the outer maximum objective with the number of Gaussians, which appears to be a theoretical assumption that may not apply in real-world scenarios.
Code & Models
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsComputer Graphics and Visualization Techniques
MethodsSoftmax · travel james · Attention Is All You Need