KNN-Defense: Defense against 3D Adversarial Point Clouds using Nearest-Neighbor Search

TL;DR

KNN-Defense enhances the robustness of 3D point cloud classifiers against adversarial attacks by restoring perturbed inputs through nearest-neighbor search in feature space, showing significant accuracy improvements on ModelNet40.

Contribution

The paper introduces KNN-Defense, a novel, lightweight method that leverages semantic similarity in feature space to defend against adversarial point cloud attacks.

Findings

Achieves up to 20.1% accuracy gain on PointNet under point-dropping attacks.

Significantly improves robustness across various 3D neural network architectures.

Demonstrates effectiveness and efficiency suitable for real-time applications.

Abstract

Deep neural networks (DNNs) have demonstrated remarkable performance in analyzing 3D point cloud data. However, their vulnerability to adversarial attacks-such as point dropping, shifting, and adding-poses a critical challenge to the reliability of 3D vision systems. These attacks can compromise the semantic and structural integrity of point clouds, rendering many existing defense mechanisms ineffective. To address this issue, a defense strategy named KNN-Defense is proposed, grounded in the manifold assumption and nearest-neighbor search in feature space. Instead of reconstructing surface geometry or enforcing uniform point distributions, the method restores perturbed inputs by leveraging the semantic similarity of neighboring samples from the training set. KNN-Defense is lightweight and computationally efficient, enabling fast inference and making it suitable for real-time and practical applications. Empirical results on the ModelNet40 dataset demonstrated that KNN-Defense significantly improves robustness across various attack types. In particular, under point-dropping attacks-where many existing methods underperform due to the targeted removal of critical points-the proposed method achieves accuracy gains of 20.1%, 3.6%, 3.44%, and 7.74% on PointNet, PointNet++, DGCNN, and PCT, respectively. These findings suggest that KNN-Defense offers a scalable and effective solution for enhancing the adversarial resilience of 3D point cloud classifiers. (An open-source implementation of the method, including code and data, is available at https://github.com/nimajam41/3d-knn-defense).