Hard-Label Black-Box Attacks on 3D Point Clouds

TL;DR

This paper introduces a practical hard-label black-box attack method on 3D point cloud models, leveraging spectral domain techniques to generate high-quality adversarial samples without model details.

Contribution

The authors propose a novel spectrum-aware decision boundary algorithm and an iterative optimization method for effective black-box attacks on 3D point clouds.

Findings

Outperforms existing white/black-box attackers in attack success and sample quality.

Uses spectral domain fusion to craft intermediate samples without geometric distortion.

Demonstrates effectiveness in real-world scenarios with limited model access.

Abstract

With the maturity of depth sensors in various 3D safety-critical applications, 3D point cloud models have been shown to be vulnerable to adversarial attacks. Almost all existing 3D attackers simply follow the white-box or black-box setting to iteratively update coordinate perturbations based on back-propagated or estimated gradients. However, these methods are hard to deploy in real-world scenarios (no model details are provided) as they severely rely on parameters or output logits of victim models. To this end, we propose point cloud attacks from a more practical setting, i.e., hard-label black-box attack, in which attackers can only access the prediction label of 3D input. We introduce a novel 3D attack method based on a new spectrum-aware decision boundary algorithm to generate high-quality adversarial samples. In particular, we first construct a class-aware model decision boundary, by developing a learnable spectrum-fusion strategy to adaptively fuse point clouds of different classes in the spectral domain, aiming to craft their intermediate samples without distorting the original geometry. Then, we devise an iterative coordinate-spectrum optimization method with curvature-aware boundary search to move the intermediate sample along the decision boundary for generating adversarial point clouds with trivial perturbations. Experiments demonstrate that our attack competitively outperforms existing white/black-box attackers in terms of attack performance and adversary quality.