Generating 3D Adversarial Point Clouds

Machine learning models especially deep neural networks (DNNs) have been successfully applied to a variety of applications. However, DNNs are known to be vulnerable to adversarial examples which are carefully crafted instances aiming to cause learning models to make incorrect predictions. Recently, adversarial examples have been extensively studied for 2D image, natural language and audio datasets, while the robustness of 3D models has not yet been explored. Given the wide safety-critical applications of 3D models, such as PointNet for Lidar data in autonomous driving, it is important to understand the vulnerability of 3D models under various adversarial attacks. Due to the special format of point cloud data, it is challenging to generate adversarial examples in the point cloud space. In this work, we propose novel algorithms to generate adversarial point clouds against PointNet, which is the most widely used model dealing with point cloud data. We mainly propose two types of attacks on point clouds: unnoticeable adversarial point clouds, and manufacturable adversarial point clusters for physical attacks. For unnoticeable point clouds, we propose to either shift existing or add new points negligibly to craft "unnoticeable" perturbation. For adversarial point clusters, we propose to generate a small number of explicit "manufacturable adversarial point clusters" which are noticeable but of meaningful clusters. The goal of these adversarial point clusters is to realize "physical attacks" by 3D printing the synthesized objects and sticking them to the original object. In addition, we propose 7 perturbation measurement metrics tailored to different attacks and conduct extensive experiments to evaluate the proposed algorithms on the ModelNet40 dataset. Overall, our attack algorithms achieve about 100% attack success rate for all targeted attacks.