G&G Attack: General and Geometry-Aware Adversarial Attack on the Point Cloud

Round 1

Reviewer 1 Report

Comments and Suggestions for Authors

The paper presents a method for adversarial attack on deep learning models developed for point clouds. The method is interesting and combines existing concepts and methods to develop a sound strategy for the adversarial attack.
The overall significance of the work is great, as research on testing the robustness of point cloud models is important, especially when research is concentrated on developing point cloud models for critical infrastructures such as self-driving cars or predictive maintenance.
Overall, the paper narrates a complete story. Here are some points for improvement:

• The related work could be improved by highlighting the significance of this research, for example, the development of robust models for critical infrastructures such as self-driving cars or predictive maintenance.
• Although the method is described in full detail, where each component is explained very well, I missed an overall summary at the end of the description. In other words, it would be nice to summarize the overall working of the model after describing each individual component (Figure 2 could be a starting point for that).
• Results are plainly described, and the presentation could be improved by highlighting the insights one can draw from these results. For example, in Table 3, CurveNet and PointCNN are outperforming the proposed model. A detailed discussion on the implications or the reasons could be useful.
• The conclusion section seemed rushed and focuses more on future ambitions (which is fine) instead of highlighting the insights and conclusions one can draw from this study. This could be easily fixed by combining and summarizing the insights.

Finally, I found the normalization of point clouds to a unit sphere counterintuitive. Since we are talking about outliers and geometry-aware attacks, it seems logical to evaluate the choice of normalization and its impact on results. For the development of the model, normalization comes in handy, but its use while developing attacks should be thoroughly evaluated. 

Comments on the Quality of English Language

•  
•   The paper has at many places grammatical mistakes or style mistakes. To mention a few lines, see e.g. lines 137, 156, 176, 195, 211, 272.

Author Response

Comments: The related work could be improved by highlighting the significance of this
research, for example, the development of robust models for critical infrastructures such as
self-driving cars or predictive maintenance.

RESPONSE: We sincerely appreciate the reviewer’s careful assessment. We have added the following description in the  Related Work  section. Deep neural networks are vulnerable to data leakage and backdoor attacks, raising significant concerns about their deployment in critical applications. In the context of point clouds, for example, attackers can manipulate LiDAR sensors by introducing adversarial objects with specific shapes and textures, causing the target vehicle to "disappear" from the sensor data. This can lead the autonomous driving system to make incorrect decisions, such as emergency braking or erratic lane changes. As a result, adversarial attacks on point clouds can enhance our understanding of how deep neural networks behave under adversarial conditions, facilitating the evaluation and improvement of robustness in black-box attack models. Furthermore, such attacks can contribute to the development of robust models for critical infrastructure applications, such as autonomous vehicles and predictive maintenance.

Comments: Although the method is described in full detail, where each component is explained very well, I missed an overall summary at the end of the description. In other words, it would be nice to summarize the overall working of the model after describing each individual component (Figure 2 could be a starting point for that).

RESPONSE: We sincerely appreciate the reviewer’s careful assessment. We have added the
following description in the Methods section.
Upon entering the attack network, a clean point cloud undergoes two distinct types of attacks.
The first attack is based on geometric perception. Using a novel point cloud sensitivity map, a key
subset of points is identified. Then, the output features of the maximum pooling layer from the
surrogate model are extracted using Integrated Gradients (IG). The Fast Gradient Sign Method
(FGSM) is employed to perturb the key subset in the direction of the IG descent. The second
attack utilizes an autoencoder. A robust autoencoder is designed to generalize the entire original
point cloud, inducing subtle shifts in the positions of most points. The adversarial point cloud is
then constructed by adding the masks generated from both attacks to the original point cloud.
Afterward, the modified point cloud is tested, and the resulting logits, gradients, curvatures, and
other critical parameters are integrated to form a loss function. The Adam optimization algorithm
is used for multiple iterations until the attack successfully deceives the target model.

Comments: Results are plainly described, and the presentation could be improved by highlighting the insights one can draw from these results. For example, in Table 3, CurveNet and PointCNN are outperforming the proposed model. A detailed discussion on the implications or the reasons could be useful.).

RESPONSE: We sincerely appreciate the reviewer’s valuable suggestions. We have added the following description in the "Main Results" .

From the table, we can see that AOF outperforms the G\&G Attack when targeting CurveNet. One of the key reasons for this is that AOF applies the Graph Fourier Transform (GFT) to the point cloud, focusing specifically on the low-frequency components. During the upsampling phase of the DupNet defense, AOF is able to more effectively capture the fundamental shape of the point cloud. By perturbing the low-frequency components, AOF disrupts the internal relational structures that CurveNet relies on. As a result, AOF achieves a higher attack success rate. However, due to the sharp increase in perturbation frequency, AOF is less imperceptible than G\&G Attack.

In contrast, X-conv, which leverages spatial local correlations, operates only on representative points that contain rich information. The PointCNN, built with dual-layer X-conv, is highly sensitive to the number of key points. Meanwhile, the Saliency Map effectively reduces the classification accuracy of PointCNN by removing critical subsets of points.

 

Comments: The conclusion section seemed rushed and focuses more on future ambitions (which is fine) instead of highlighting the insights and conclusions one can draw from this study. This could be easily fixed by combining and summarizing the insights.

RESPONSE: Thank you for your valuable suggestions. We have rewritten the conclusion section, adding relevant insights and conclusions from this study.

This paper introduces a novel and advanced method for performing black-box transfer query attacks on point cloud data. The method employs a powerful autoencoder for point cloud reconstruction, combined with a global attack strategy based on the Adam optimizer, designed to disrupt the neighborhood information of surface points within the point cloud. Specifically, we achieve global attack strategies by constructing a new autoencoder with a multi-head architecture, which disturbs the local geometric structure of surface points, thereby enhancing the effectiveness of the attack. Additionally, we introduce secondary "modifications" on key points using a novel point cloud sensitivity map. Simultaneously, local attacks are carried out based on the SimBA method, utilizing integrated gradients (IG) and tangential synthesis directions. This approach strikes a balance between the invisibility and effectiveness of the attack, ensuring that the adversarial samples remain sufficiently concealed while still significantly impairing the performance of the target model.

Our method demonstrates excellent transferability, maintaining a high attack success rate (ASR) across different models and environments. After testing under specially designed defense mechanisms against adversarial 3D samples, our attack method successfully bypasses these defenses, significantly improving the ASR. These experimental results validate the effectiveness and robustness of our approach.

Looking ahead, we plan to release the generated adversarial point clouds on the Amazon Mechanical Turk platform to collect human user preference data, which will support future qualitative evaluations. This will help us gain deeper insights into human perception differences and reactions to adversarial samples in 3D point clouds. Furthermore, we will organize the collected adversarial samples into the ModelNet40 attack dataset and release it publicly, providing a valuable resource for the academic community and further promoting research on classifier robustness and interpretability. Building on this, our goal is to continue proposing and deploying more high-quality 3D point cloud attack methods. This will not only enhance the diversity and accuracy of attack effectiveness but also drive deeper advancements in adversarial sample research and defense strategies in this field. Through these efforts, we aim to advance 3D point cloud attack techniques and provide stronger theoretical support and practical references for research in related areas.

Comments: Finally, I found the normalization of point clouds to a unit sphere counterintuitive. Since we are talking about outliers and geometry-aware attacks, it seems logical to evaluate the choice of normalization and its impact on results. For the development of the model, normalization comes in handy, but its use while developing attacks should be thoroughly evaluated.

RESPONSE: Thank you for your valuable suggestions. I think my previous explanation may have been somewhat unclear. The normalization method based on the global coordinate system involves mapping the point cloud data to a unit sphere or cube, ensuring that the points have a consistent distribution and scale within the same coordinate system. This aids in improving the accuracy and efficiency of subsequent tasks. However, our attack leverages displacements of the points, and this process must be performed within a relative coordinate system.

 

Comments: The paper has at many places grammatical mistakes or style mistakes. To mention a few lines, see e.g. lines 137, 156, 176, 195, 211, 272.).

RESPONSE: We sincerely appreciate your valuable suggestions. To ensure clarity and consistency, we have diligently provided explanations for all symbols, terms and grammar throughout the entire text.

Author Response File: Author Response.pdf

Reviewer 2 Report

Comments and Suggestions for Authors

In this paper, authors identify that Deep Neural Networks (DNNs) used for 3D point cloud classification are vulnerable to adversarial attacks, especially when imperceptible perturbations are introduced. The proposed method, termed General and Geometry-aware (G&G) Attack, overcomes challenges such as outliers, poor generalization, and limited transferability by combining global reconstruction and local perturbations. Experimental results demonstrate that G&G Attack significantly improves the attack success rate (ASR) in black-box transferability attacks, outperforming existing methods by approximately 38% in ASR with reduced query counts.

In general, the paper's contributions are suitable for publications with good organization and presentation structure.

Some  minor comments:

- The section number should start from 1. Introduction

- Can more experiments with real-world point cloud datasets, such as those used in autonomous driving (e.g., KITTI)?

- Can you test the G&G Attack against state-of-the-art defenses, such as dynamic graph-based denoising or robust geometric feature learning methods?

- What is  the computational cost of the G&G Attack and are there any lightweight variants of the attack?

- Is there any human evaluation or task-specific metrics (e.g., the impact on downstream object detection accuracy)

-  It is unclear whether the performance drop is due solely to the attack or if the models have intrinsic vulnerabilities. Is there any  baseline evaluations on clean data and simple random noise perturbations for a holistic comparison?

Author Response

Comments: The section number should start from 1. Introduction.

RESPONSE: We sincerely appreciate the reviewer’s careful assessment. It seems that the official template of Applied Science does not support starting the numbering from 1; it always starts from 0 with the Introduction. I will also actively raise this issue with the editor.

Comments:. Can more experiments with real-world point cloud datasets, such as those used in autonomous driving (e.g., KITTI)?

RESPONSE: We sincerely appreciate the reviewer’s careful assessment. Our model still has some limitations. Specifically, it struggles to effectively attack point clouds containing millions of points in complex scenarios. This is primarily because, to maintain imperceptibility, we typically select only a few hundred attack points. In point clouds with large amounts of redundant information, such as those in complex environments, the attack success rate is too low. Our next research goal is to investigate how to apply our attack algorithm to real-world scenarios. We are currently conducting experiments, and we encourage you to continue following our research progress. Thank you once again for your valuable feedback!

Comments: Can you test the G\&G Attack against state-of-the-art defenses, such as dynamic graph-based denoising or robust geometric feature learning methods?

RESPONSE: Thank you sincerely for your valuable feedback. We sincerely appreciate the valuable suggestions from the reviewer. To bolster our argument, we have included SI-ADV \cite{ref11}, published in Computer Vision and Pattern Recognition (CVPR) 2022 and L3A-attack \cite{ref66}, published in Computers \& Security 2024, in our comparative analysis as depicted in Tables \ref{tab:No_Defence}, \ref{tab:SOR} and \ref{tab:DUPNet}. Both of these are advanced attack methods, yet our approach maintains certain advantages over them.

\par Since 2021, there appears to be limited groundbreaking work in point cloud defense. We are committed to monitoring developments and expanding our search scope. In future research, we plan to apply our method to incorporate the latest defense strategies.

 

Comments: It is unclear whether the performance drop is due solely to the attack or if the models have intrinsic vulnerabilities. Is there any  baseline evaluations on clean data and simple random noise perturbations for a holistic comparison?

RESPONSE: Thank you for your valuable suggestions. We have added the
following description in the "Ablation Study" .
Our method integrates gradient, normal vectors, and other relevant surface point information from the point cloud to determine the attack direction. Curvature, acting as an adaptive hyperparameter, plays a pivotal role in weighting these components, effectively guiding the attack direction. To investigate the impact of noise on local curvature, we conducted comparative experiments. In these experiments, we introduced various types of noise, including Gaussian and random noise, into the clean point clouds, and observed the effects on attack success rates and imperceptibility metrics. The results are presented in Table \ref{image/table_noise_arrow.png}.

To evaluate the attack success rate (ASR) and imperceptibility of our method under different noise conditions, we added Gaussian noise and random noise to the clean point clouds. The Gaussian noise had a mean of $\mu$ = 0, with standard deviations of $\sigma$ = 0.01 and $\sigma$ = 0.1, while the random noise coefficients were set to $\eta$ = 0.5 and $\eta$ = 0.8. In each iteration, the specified noise was applied to the point clouds for testing.

In the case of PointNet++ \cite{ref23}, the attack success rate (ASR) experienced a significant reduction, while in DGCNN, the decline in ASR was more modest. The persistent weakening effect of different types and intensities of noise on attack performance is noteworthy. PointNet++ \cite{ref23} extracts multi-layer perceptrons (MLPs) from each local point cloud using a grouping technique, whereas DGCNN determines node attributes based on a neighborhood defined in feature space using a graph neural network. This makes PointNet++ more sensitive to small local disturbances, leading to a sharp decrease in ASR. In contrast, our attack method relies more heavily on the global structure of the point cloud, so introducing noise causes shifts in key points and changes in local curvature, thereby reducing the attack’s effectiveness.

Additionally, we observed that as the noise coefficient increases, the attack time decreases. This can be attributed, in part, to the fact that the noise itself disrupts the point cloud, introducing sufficiently strong disturbances that hinder the model’s ability to classify accurately. We plan to conduct further research to explore these phenomena in greater depth, with the goal of gaining a more comprehensive understanding of their impact and underlying mechanisms.

Author Response File: Author Response.pdf