Towards a 3D Transfer-based Black-box Attack via Critical Feature Guidance

TL;DR

This paper introduces CFG, a transfer-based black-box attack method on 3D point cloud classifiers, which enhances attack transferability by targeting critical features consistent across different neural network architectures.

Contribution

The paper proposes a novel attack method that exploits the invariance of critical features in 3D point cloud models to improve transferability without model information.

Findings

CFG outperforms existing attack methods significantly.

The method maintains imperceptibility of adversarial examples.

Experiments on ModelNet40 and ScanObjectNN validate effectiveness.

Abstract

Deep neural networks for 3D point clouds have been demonstrated to be vulnerable to adversarial examples. Previous 3D adversarial attack methods often exploit certain information about the target models, such as model parameters or outputs, to generate adversarial point clouds. However, in realistic scenarios, it is challenging to obtain any information about the target models under conditions of absolute security. Therefore, we focus on transfer-based attacks, where generating adversarial point clouds does not require any information about the target models. Based on our observation that the critical features used for point cloud classification are consistent across different DNN architectures, we propose CFG, a novel transfer-based black-box attack method that improves the transferability of adversarial point clouds via the proposed Critical Feature Guidance. Specifically, our method regularizes the search of adversarial point clouds by computing the importance of the extracted features, prioritizing the corruption of critical features that are likely to be adopted by diverse architectures. Further, we explicitly constrain the maximum deviation extent of the generated adversarial point clouds in the loss function to ensure their imperceptibility. Extensive experiments conducted on the ModelNet40 and ScanObjectNN benchmark datasets demonstrate that the proposed CFG outperforms the state-of-the-art attack methods by a large margin.