探索基于3D变换的后处理对3D对抗性点云迁移性的影响

doi:10.11871/jfdc.issn.2096-742X.2026.02.010

数据与计算发展前沿 ›› 2026, Vol. 8 ›› Issue (2): 123-140.

CSTR: 32002.14.jfdc.CN10-1649/TP.2026.02.010

doi: 10.11871/jfdc.issn.2096-742X.2026.02.010

探索基于3D变换的后处理对3D对抗性点云迁移性的影响

何邦彦^1,²(),李琦³,孙哲南³,王蕊^1,^2,^*()

¹ 中国科学院信息工程研究所，北京 100085
² 中国科学院大学，网络空间安全学院，北京 100190
³ 中国科学院自动化研究所，模式识别实验室，北京 100190

收稿日期:2025-03-31 出版日期:2026-04-20 发布日期:2026-04-23
通讯作者: *王蕊（E-mail: wangrui@iie.ac.cn）
作者简介:何邦彦，中国科学院信息工程研究所，博士研究生，研究方向为计算机视觉、对抗安全。
本文承担工作为：方法的提出和实现、文献整理及论文撰写。
HE Bangyan is a Ph.D. candidate at the Institute of Information Engineering, Chinese Academy of Sciences. He is a CCF student member. His research interests include computer vision and adversarial security.
In this paper, he is mainly responsible for method proposal and implementation, literature compilation and paper writing.
E-mail: hebangyan@iie.ac.cn|王蕊，中国科学院信息工程研究所，研究员，博士生导师，主要研究方向为人工智能安全、计算机视觉、深度学习、多媒体内容分析等。
本文承担工作为：方法讨论、优化建议，及写作指导。
WANG Rui is a researcher and doctoral supervisor at the Institute of Information Engineering, Chinese Academy of Sciences. Her main research interests include artificial intelligence security, computer vision, deep learning, multimedia content analysis, etc.
In this paper, she is mainly responsible for method discussion, optimization suggestions, and writing guidance.
E-mail: wangrui@iie.ac.cn
基金资助:
国家自然科学基金面上项目“细粒度图像语义理解关键技术研究”(62176253)

Exploring the Impact of 3D Transformation-Based Post-Processing on the Transferability of 3D Adversarial Point Clouds

HE Bangyan^1,²(),LI Qi³,SUN Zhenan³,WANG Rui^1,^2,^*()

¹ Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100085, China
² School of Cyberspace Security, University of Chinese Academy of Sciences, Beijing 100190, China
³ NLPR & MAIS, Institute of Automation, Chinese Academy of Sciences, Beijing 100190, China

Received:2025-03-31 Online:2026-04-20 Published:2026-04-23

摘要/Abstract

摘要：

【目的】 探究将3D变换作为后处理策略对3D对抗性点云迁移性的影响。【文献范围】通过查阅大量相关文献，研究涵盖了3D点云识别、3D对抗性点云以及3D变换等领域的成果。【应用背景】基于深度神经网络的3D点云识别模型，已在多种安全关键场景中广泛应用。然而，这类模型在面对对抗性攻击时的鲁棒性问题不容小觑。在此背景下，深入研究3D对抗性点云的迁移性，能够为构建更稳健、可靠的点云模型提供有力支持。这对于提升模型在实际应用中的安全性和可靠性，具有重要意义。【方法】 选用ModelNet40、ModelNet-C和ShapeNetPart三个基准数据集，选取旋转、缩放等七种3D变换操作，PointNet等五种点云模型架构，以及PointCAT、TRADES和MART三种对抗训练方法进行实验。并基于有效性分析，提出了组合优化策略。【结果】 实验结果表明，旋转操作在增强3D对抗性点云迁移性方面效果显著。尽管对抗训练降低了白盒攻击的成功率，但经过特定3D变换（如旋转）的3D对抗性点云仍能实现有效攻击。此外，不同的3D变换对不同模型的影响差异明显。本文提出的组合优化策略可进一步提升3D对抗性点云的迁移性。【局限】本文仅针对特定的数据集、变换操作、模型架构以及对抗训练方法进行，可能存在一定的局限性。【结论】 旋转操作对提升3D对抗性点云的迁移性最为明显；同时，现有对抗训练方法在面对3D变换后处理时存在局限性；此外，本文提出的组合优化策略可进一步提升3D对抗性点云的迁移性。

关键词: 3D点云识别, 对抗迁移性, 可信人工智能

Abstract:

[Purpose] To investigate the impact of 3D transformation as a post-processing strategy on the transferability of 3D adversarial point clouds. [Literature Review] By reviewing a large number of relevant literature, the research covers the achievements in the fields of 3D point cloud recognition, 3D adversarial point clouds, and 3D transformations. [Application Background] 3D point cloud recognition models based on deep neural networks have been widely applied in various safety-critical scenarios. However, the robustness issue of such models when facing adversarial attacks should not be underestimated. Against this backdrop, in-depth research on the transferability of 3D adversarial point clouds can provide strong support for the construction of more robust and reliable point cloud models. This is of great significance for enhancing the security and reliability of the models in practical applications. [Methods] Three benchmark datasets, namely ModelNet40, ModelNet-C, and ShapeNetPart, were selected. Seven 3D transformation operations such as rotation and scaling, five point cloud model architectures like PointNet, and three adversarial training methods including PointCAT, TRADES, and MART were employed for the experiments. Based on validity analysis, a combined optimization strategy was proposed. [Results] The experimental results demonstrate that the rotation operation has a significant effect on enhancing the transferability of 3D adversarial point clouds. Although adversarial training reduces the success rate of white-box attacks, 3D adversarial point clouds that have undergone specific 3D transformations (such as rotation) can still achieve effective attacks. Additionally, the impacts of different 3D transformations on various models vary significantly. The combined optimization strategy proposed in this paper can further improve the transferability of 3D adversarial point clouds. [Limitations] This paper only focuses on specific datasets, transformation operations, model architectures, and adversarial training methods, which may have certain limitations. [Conclusions] Rotation operations exert the most significant effect on improving the transferability of 3D adversarial point clouds. Meanwhile, existing adversarial training methods demonstrate limitations when coping with post-processing of 3D transformations. Furthermore, the combinatorial optimization strategy proposed in this paper can further enhance the transferability of 3D adversarial point clouds.

Key words: 3D point cloud recognition, adversarial transferability, trustworthy AI

何邦彦, 李琦, 孙哲南, 王蕊. 探索基于3D变换的后处理对3D对抗性点云迁移性的影响[J]. 数据与计算发展前沿, 2026, 8(2): 123-140.

HE Bangyan, LI Qi, SUN Zhenan, WANG Rui. Exploring the Impact of 3D Transformation-Based Post-Processing on the Transferability of 3D Adversarial Point Clouds[J]. Frontiers of Data and Computing, 2026, 8(2): 123-140, https://cstr.cn/32002.14.jfdc.CN10-1649/TP.2026.02.010.

图/表 12

图1

表1

3D变换的转换矩阵及3D变换的影响机制"

3D变换	转换矩阵	影响机制
旋转	$\left[\begin{array}{ccc}1& 0& 0\\ 0& \mathrm{c}\mathrm{o}\mathrm{s}{\alpha }_{1}& -\mathrm{s}\mathrm{i}\mathrm{n}{\alpha }_{1}\\ 0& \mathrm{s}\mathrm{i}\mathrm{n}{\alpha }_{1}& \mathrm{c}\mathrm{o}\mathrm{s}{\alpha }_{1}\end{array}\right]\bullet \left[\begin{array}{ccc}\mathrm{c}\mathrm{o}\mathrm{s}{\alpha }_{2}& 0& \mathrm{s}\mathrm{i}\mathrm{n}{\alpha }_{2}\\ 0& 1& 0\\ -\mathrm{s}\mathrm{i}\mathrm{n}{\alpha }_{2}& 0& \mathrm{c}\mathrm{o}\mathrm{s}{\alpha }_{2}\end{array}\right]\bullet \left[\begin{array}{ccc}\mathrm{c}\mathrm{o}\mathrm{s}{\alpha }_{3}& -\mathrm{s}\mathrm{i}\mathrm{n}{\alpha }_{3}& 0\\ \mathrm{s}\mathrm{i}\mathrm{n}{\alpha }_{3}& \mathrm{c}\mathrm{o}\mathrm{s}{\alpha }_{3}& 0\\ 0& 0& 1\end{array}\right]$(α₁、α₂、α₃均为超参数)	改变点云的全局空间方向。
缩放	$\left[\begin{array}{ccc}\lambda & 0& 0\\ 0& \lambda & 0\\ 0& 0& \lambda \end{array}\right]$ (λ为超参数)	均匀缩放点云尺寸，保持几何结构但改变空间密度。
切变	$\left[\begin{array}{ccc}1& {s}_{2}& {s}_{1}\\ {s}_{3}& 1& {t}_{1}\\ {t}_{3}& {t}_{2}& 1\end{array}\right]$ (s₁、s₂、s₃、t₁、t₂、t₃均为超参数)	对点云施加线性错切，影响局部邻域关系。
扭曲	$\left[\begin{array}{ccc}\mathrm{c}\mathrm{o}\mathrm{s}\theta & -\mathrm{s}\mathrm{i}\mathrm{n}\theta & 0\\ \mathrm{s}\mathrm{i}\mathrm{n}\theta & \mathrm{c}\mathrm{o}\mathrm{s}\theta & 0\\ 0& 0& 1\end{array}\right]$ (θ为超参数)	非线性变形点云，影响全局和局部结构。
锥化	$\left[\begin{array}{ccc}1+\eta & 0& 0\\ 0& 1+\eta & 0\\ 0& 0& 1\end{array}\right]$ (η为超参数)	非均匀缩放点云，导致局部变形。
弯曲	$\left[\begin{array}{ccc}1& -\varphi & 0\\ \varphi & 1& 0\\ 0& 0& 1\end{array}\right]$ ($\varphi $为超参数)	对各点的空间坐标进行调整，改变点云在空间中的分布。
平移	$\left[\begin{array}{ccc}{\beta }_{x}& {\beta }_{x}& {\beta }_{x}\\ {\beta }_{y}& {\beta }_{y}& {\beta }_{y}\\ {\beta }_{z}& {\beta }_{z}& {\beta }_{z}\end{array}\right]$ (β_x、β_y、β_z均为超参数)	整体移动点云位置，不改变结构。

表1

表2

ModelNet40数据集上组织的迁移攻击，源模型为PointNet"

最大扰动幅度 (→)		0.18				0.45
目标模型 (→)		PointNet	PointNet++	PointConv	DGCNN	PointNet	PointNet++	PointConv	DGCNN
攻击 (↓)	3D变换 (↓)	PointNet	PointNet++	PointConv	DGCNN	PointNet	PointNet++	PointConv	DGCNN
3D-Adv^[3]	无	97.50	5.24	1.39	4.70	97.46	4.91	2.41	4.70
	旋转	90.79	86.48	89.22	85.04	90.83	86.34	89.33	84.95
	切变	50.61	26.32	23.81	10.84	50.61	26.58	24.24	10.80
	缩放	57.83	7.80	3.93	5.73	57.83	8.24	3.45	5.78
	扭曲	52.97	19.95	15.20	11.56	52.97	18.77	14.97	11.60
	锥化	62.82	20.86	16.72	11.20	62.82	20.02	16.16	11.34
	弯曲	57.63	9.57	7.27	7.12	58.17	9.36	7.42	6.99
	平移	73.04	5.40	2.32	19.22	72.99	5.61	2.62	19.27
KNN^[25]	无	100.00	11.64	2.60	9.77	100.00	10.13	3.39	9.54
	旋转	91.97	88.35	89.67	87.37	92.15	88.21	89.42	87.90
	切变	85.52	35.46	27.50	18.46	86.02	33.99	26.74	18.64
	缩放	94.83	14.22	5.36	11.25	94.96	13.65	4.92	11.25
	扭曲	89.47	27.44	16.27	18.32	89.56	27.79	17.37	17.92
	锥化	94.14	28.03	18.76	17.74	94.37	27.97	17.86	17.52
	弯曲	96.05	17.00	9.23	12.54	96.10	16.53	9.25	12.23
	平移	80.16	12.72	3.21	28.81	80.30	11.35	3.60	28.18
AdvPC^[6]	无	100.00	31.76	12.21	14.92	100.00	31.79	13.32	14.92
	旋转	92.19	91.03	92.29	90.05	92.28	91.46	91.87	90.10
	切变	80.48	55.00	37.69	23.92	80.62	55.44	38.39	24.15
	缩放	88.61	36.16	16.05	15.37	88.61	35.63	15.76	15.41
	扭曲	83.48	49.09	27.94	23.39	83.48	49.42	27.08	23.34
	锥化	89.01	47.46	32.15	23.16	89.01	47.50	32.23	22.85
	弯曲	92.78	37.99	18.73	17.78	92.87	37.34	18.45	17.69
	平移	79.44	32.77	13.00	36.29	79.57	32.72	12.84	36.38
AOF^[26]	无	100.00	56.95	35.05	28.94	100.00	58.17	35.43	30.33
	旋转	93.46	93.40	94.08	92.34	93.69	93.42	94.09	92.29
	切变	91.42	72.21	56.83	40.41	91.97	71.99	55.85	41.13
	缩放	93.55	59.38	37.46	29.30	93.65	59.80	38.45	30.73
	扭曲	91.33	67.83	49.84	39.65	91.24	68.54	50.20	40.91
	锥化	94.01	67.16	54.11	38.66	94.24	68.50	53.41	39.61
	弯曲	95.91	62.10	41.72	34.12	95.91	62.43	40.51	35.83
	平移	85.79	57.63	35.89	51.48	86.56	58.95	35.10	52.55

表2

表3

ModelNet40数据集上组织的迁移攻击，源模型为DGCNN"

最大扰动幅度 (→)		0.18				0.45
目标模型 (→)		PointNet	PointNet++	PointConv	DGCNN	PointNet	PointNet++	PointConv	DGCNN
攻击 (↓)	3D变换 (↓)	PointNet	PointNet++	PointConv	DGCNN	PointNet	PointNet++	PointConv	DGCNN
3D-Adv^[3]	无	0.95	6.34	5.30	88.98	0.95	6.19	4.91	88.98
	旋转	91.47	87.37	90.67	86.92	92.37	88.55	90.96	89.11
	切变	16.61	32.47	28.44	36.60	15.52	33.12	28.99	37.86
	缩放	6.31	13.34	7.70	71.59	6.22	13.53	8.26	71.68
	扭曲	9.71	23.32	19.20	40.19	10.12	23.28	18.33	40.14
	锥化	19.02	24.66	21.90	39.96	18.97	25.03	22.89	40.77
	弯曲	4.04	11.72	9.51	45.59	4.04	11.72	9.51	45.59
	平移	67.77	7.75	5.29	56.99	68.63	7.57	4.90	57.57
KNN^[25]	无	5.22	30.98	20.14	100.00	5.17	32.05	21.39	100.00
	旋转	91.47	90.21	92.09	91.40	91.92	90.08	92.58	91.58
	切变	22.51	54.46	43.75	98.70	22.61	54.86	44.51	98.34
	缩放	11.26	36.48	23.23	100.00	11.48	37.96	23.63	100.00
	扭曲	12.89	46.96	36.84	97.58	13.39	48.75	38.40	97.80
	锥化	24.19	45.98	35.95	98.07	24.06	47.10	36.58	98.57
	弯曲	8.03	37.34	27.78	99.96	8.35	38.73	28.85	99.96
	平移	72.13	33.08	20.84	99.51	72.13	33.62	20.70	99.64
AdvPC^[6]	无	6.67	60.00	41.84	93.91	7.17	60.18	41.89	93.82
	旋转	92.96	92.70	93.96	92.65	92.83	92.66	93.91	92.34
	切变	24.88	74.62	58.44	82.80	25.37	74.75	58.48	82.71
	缩放	14.39	61.86	44.23	92.43	14.80	62.18	44.45	92.47
	扭曲	18.93	70.55	54.16	83.74	19.84	70.69	53.99	83.78
	锥化	31.32	70.91	58.89	84.32	31.73	71.18	58.89	84.54
	弯曲	11.35	64.93	46.81	88.04	12.39	65.20	46.76	88.13
	平移	71.86	61.67	41.98	87.77	71.95	61.75	41.98	87.77
AOF^[26]	无	12.35	63.35	53.74	98.25	14.98	62.77	52.50	98.25
	旋转	92.65	94.08	94.84	92.88	92.60	94.35	94.62	93.46
	切变	27.78	76.90	68.93	84.54	30.05	76.09	68.26	84.95
	缩放	18.57	65.00	56.76	95.56	21.83	64.82	55.10	94.85
	扭曲	24.56	73.86	64.01	86.69	27.24	73.24	65.12	86.34
	锥化	36.50	74.31	67.55	87.63	38.77	72.56	66.56	85.71
	弯曲	16.80	68.58	58.11	89.25	19.79	67.47	57.79	88.58
	平移	72.63	63.98	54.24	88.49	73.31	63.36	53.40	87.81

表3

表4

表5

表6

表7

表8

ModelNet40数据集上组织的迁移攻击，目标模型已进行对抗训练（TRADES和MART）"

最大扰动幅度 (→)		0.18				0.45
对抗训练方式 (→)		TRADES^[23]		MART^[24]		TRADES^[23]		MART^[24]
目标模型 (→)		PointNet	DGCNN	PointNet	DGCNN	PointNet	DGCNN	PointNet	DGCNN
攻击 (↓)	3D变换 (↓)	PointNet	DGCNN	PointNet	DGCNN	PointNet	DGCNN	PointNet	DGCNN
3D-Adv^[3]	无	6.34	2.04	4.85	1.85	6.34	2.04	4.85	1.80
	旋转	92.21	89.86	92.23	89.96	92.21	89.86	92.23	90.05
	切变	24.61	14.66	19.89	12.31	24.57	14.66	19.94	12.40
	缩放	6.47	2.44	6.83	2.82	6.47	2.44	6.83	2.87
	扭曲	17.18	12.89	13.26	11.34	17.18	12.89	13.31	11.34
	锥化	20.01	10.76	14.25	8.70	19.96	10.76	14.35	8.75
	平移	14.90	5.36	17.62	9.72	14.86	5.36	17.71	9.72
KNN^[25]	无	11.62	5.89	7.87	5.04	11.53	5.76	8.11	4.86
	旋转	93.12	91.01	92.53	90.70	93.16	91.19	92.73	90.61
	切变	29.49	18.78	24.59	15.83	29.95	18.56	24.79	15.55
	缩放	11.67	6.20	9.90	5.69	11.67	6.20	9.95	5.65
	扭曲	21.19	17.76	16.28	15.22	21.29	17.63	16.53	15.22
	锥化	26.21	14.08	18.60	11.89	26.12	14.17	18.56	11.99
	平移	19.01	9.30	22.76	13.74	19.23	9.26	23.06	13.74
AdvPC^[6]	无	8.07	9.03	6.88	7.54	8.25	9.17	6.88	7.59
	旋转	93.57	92.87	92.53	92.18	93.57	92.87	92.53	92.18
	切变	29.35	23.21	24.44	20.68	29.49	23.25	24.49	20.59
	缩放	8.57	9.70	9.10	8.56	8.66	9.79	9.15	8.65
	扭曲	22.29	21.97	17.91	18.37	22.33	22.01	17.91	18.46
	锥化	25.52	18.73	17.76	16.80	25.62	18.73	17.76	16.98
	平移	16.23	13.91	21.08	17.35	16.27	13.99	21.18	17.35
AOF^[26]	无	17.59	21.52	15.88	19.30	20.46	23.21	18.70	20.41
	旋转	94.67	94.11	92.92	93.89	94.94	94.38	93.37	94.12
	切变	37.47	36.85	33.00	33.04	38.83	38.40	35.43	34.71
	缩放	17.87	22.32	17.17	19.90	20.78	24.00	20.53	21.19
	扭曲	31.72	35.96	26.08	31.47	34.18	37.29	29.00	32.48
	锥化	35.41	32.37	27.02	30.17	36.96	33.66	29.39	30.96
	平移	23.25	26.48	29.05	30.59	26.53	28.03	31.17	31.65

表8

表9

图2

参考文献 49

[1]	HU Q, LIU D, HU W. Density-insensitive unsupervised domain adaption on 3d object detection[C]// Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2023: 17556-17566.
[2]	SINKO M, KAMENCAY P, HUDEC R, et al. 3D registration of the point cloud data using ICP algorithm in medical image analysis[C]// 2018 ELEKTRO, IEEE, 2018: 1-6.
[3]	XIANG C, QI C R, LI B. Generating 3d adversarial point clouds[C]// Proceedings of the IEEE/CVF conference on computer vision and pattern recognition, 2019: 9136-9144.
[4]	LOU T, JIA X, GU J, et al. Hide in thicket: Generating imperceptible and rational adversarial perturbations on 3d point clouds[C]// Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2024: 24326-24335.
[5]	TANG K, KE W, PENG W, et al. Imperceptible Adversarial Attacks on Point Clouds Guided by Point-to-Surface Field[C]// ICASSP 2025-2025 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP), IEEE, 2025: 1-5.
[6]	HAMDI A, ROJAS S, THABET A, et al. Advpc: Transferable adversarial perturbations on 3d point clouds[C]// Computer Vision-ECCV 2020: 16th European Conference, Glasgow, UK, August 23-28, 2020, Proceedings, Part XII 16. Springer International Publishing, 2020: 241-257.
[7]	CAI X, TAO Y, LIU D, et al. Frequency-Aware GAN for Imperceptible Transfer Attack on 3D Point Clouds[C]// Proceedings of the 32nd ACM International Conference on Multimedia, 2024: 6162-6171.
[8]	ZHANG J, DONG Y, ZHU J, et al. Improving transferability of 3D adversarial attacks with scale and shear transformations[J]. Information Sciences, 2024, 662: 120245. doi: 10.1016/j.ins.2024.120245
[9]	QIAN F, ZOU Y, XU M, et al. A comprehensive understanding of the impact of data augmentation on the transferability of 3D adversarial examples[J]. ACM Transactions on Knowledge Discovery from Data, 2025, 19(2): 1-41.
[10]	WANG X, LI M, LIU W, et al. Unlearnable 3D point clouds: Class-wise transformation is all you need[J]. Advances in Neural Information Processing Systems, 2024, 37: 99404-99432.
[11]	CHU W, LI L, LI B. Tpc: Transformation-specific smoothing for point cloud models[C]// International conference on machine learning, PMLR, 2022: 4035-4056.
[12]	HU S, LIU W, LI M, et al. Pointcrt: Detecting backdoor in 3d point cloud via corruption robustness[C]// Proceedings of the 31st ACM International Conference on Multimedia, 2023: 666-675.
[13]	WANG X, LI M, XU P, et al. PointAPA: Towards availability poisoning attacks in 3D point clouds[C]// European Symposium on Research in Computer Security. Cham: Springer Nature Switzerland, 2024: 125-145.
[14]	WU Z, SONG S, KHOSLA A, et al. 3d shapenets: A deep representation for volumetric shapes[C]// Proceedings of the IEEE conference on computer vision and pattern recognition, 2015: 1912-1920.
[15]	REN J, PAN L, LIU Z. Benchmarking and analyzing point cloud classification under corruptions[C]// International Conference on Machine Learning, PMLR, 2022: 18559-18575.
[16]	YI L, KIM V G, CEYLAN D, et al. A scalable active framework for region annotation in 3d shape collections[J]. ACM Transactions on Graphics (ToG), 2016, 35(6): 1-12.
[17]	QI C R, SU H, MO K, et al. Pointnet: Deep learning on point sets for 3d classification and segmentation[C]// Proceedings of the IEEE conference on computer vision and pattern recognition, 2017: 652-660.
[18]	QI C R, YI L, SU H, et al. Pointnet++: Deep hierarchical feature learning on point sets in a metric space[J]. Advances in neural information processing systems, 2017, 30: 5099-5108.
[19]	WU W, QI Z, FUXIN L. Pointconv: Deep convolutional networks on 3d point clouds[C]// Proceedings of the IEEE/CVF Conference on computer vision and pattern recognition, 2019: 9621-9630.
[20]	XIANG T, ZHANG C, SONG Y, et al. Walk in the cloud: Learning curves for point clouds shape analysis[C]// Proceedings of the IEEE/CVF international conference on computer vision, 2021: 915-924.
[21]	WANG Y, SUN Y, LIU Z, et al. Dynamic graph cnn for learning on point clouds[J]. ACM Transactions on Graphics (tog), 2019, 38(5): 1-12.
[22]	HUANG Q, DOND X, CHEN D, et al. PointCAT: Contrastive adversarial training for robust point cloud recognition[J]. IEEE Transactions on Image Processing, 2024, 33: 2183-2196. doi: 10.1109/TIP.2024.3372456 pmid: 38451765
[23]	ZHANG H, YU Y, JIAO J, et al. Theoretically principled trade-off between robustness and accuracy[C]// International conference on machine learning, PMLR, 2019: 7472-7482.
[24]	WANG Y, ZOU D, YI J, et al. Improving adversarial robustness requires revisiting misclassified examples[C]// International conference on learning representations, 2020: 8909-8922.
[25]	TSAI T, YANG K, HO T Y, et al. Robust adversarial objects against deep learning models[C]// Proceedings of the AAAI Conference on Artificial Intelligence, 2020, 34(1): 954-962.
[26]	LIU B, ZHANG J, ZHU J. Boosting 3D adversarial attacks with attacking on frequency[J]. IEEE Access, 2022, 10: 50974-50984. doi: 10.1109/ACCESS.2022.3171659
[27]	HE B, LIU J, LI Y, et al. Generating transferable 3d adversarial point cloud via random perturbation factorization[C]// Proceedings of the AAAI Conference on Artificial Intelligence 2023, 37(1): 764-772.
[28]	ZHOU H, CHEN K, ZHANG W, et al. Dup-net: Denoiser and upsampler network for 3d adversarial point clouds defense[C]// Proceedings of the IEEE/CVF international conference on computer vision, 2019: 1961-1970.
[29]	WU Z, DUAN Y, WANG H, et al. IF-Defense:3D Adversarial Point Cloud Defense via Implicit Function based Restoration[J/OL]. 2020, arXiv:2010.05272[2020-10-11]. https://arxiv.org/abs/2010.05272.
[30]	SUN J, NIE W, YU Z, et al. PointDP:Diffusion-driven Purification against Adversarial Attacks on 3D Point Cloud Recognition[J/OL]. 2022, arXiv:2208.09801[2022-8-21]. https://arxiv.org/abs/2208.09801.
[31]	CROITORU F A, HONDRU V, IONESCU R T, et al. Diffusion models in vision: A survey[J]. IEEE Transactions on Pattern Analysis and Machine Intelligence, 2023, 45(9): 10850-10869. doi: 10.1109/TPAMI.2023.3261988
[32]	LIU D, YU R, SU H. Extending adversarial attacks and defenses to deep 3d point cloud classifiers[C]// 2019 IEEE International Conference on Image Processing (ICIP), IEEE, 2019: 2279-2283.
[33]	GOODFELLOW I J, SHLENS J, SZEGEDY C. Explaining and Harnessing Adversarial Examples[J/OL]. 2014, arXiv:1412.6572[2014-12-11]. https://arxiv.org/abs/1412.6572.
[34]	DONG X, CHEN D, ZHOU H, et al. Self-robust 3d point recognition via gather-vector guidance[C]// 2020 IEEE/CVF conference on computer vision and pattern recognition (cvpr), IEEE, 2020: 11513-11521.
[35]	LI K, ZHANG Z, ZHONG C, et al. Robust structured declarative classifiers for 3d point clouds: Defending adversarial attacks with implicit gradients[C]// Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2022: 15294-15304.
[36]	ZHANG J, CHEN L, OUYANG B, et al. Pointcutmix: Regularization strategy for point cloud classification[J]. Neurocomputing, 2022, 505: 58-67. doi: 10.1016/j.neucom.2022.07.049
[37]	JI Q, WANG L, SHI C, et al. Benchmarking and analyzing robust point cloud recognition: Bag of tricks for defending adversarial examples[C]// Proceedings of the IEEE/CVF International Conference on Computer Vision, 2023: 4295-4304.
[38]	SUN N, JIN B, GUO J, et al. 3D point cloud adversarial sample classification algorithm based on self-supervised learning and information gain[J]. IEEE Access, 2023, 11: 119544-119552. doi: 10.1109/ACCESS.2023.3326990
[39]	LIN J, YANG X, LI T, et al. Improving Adversarial Robustness for 3D Point Cloud Recognition at Test-Time through Purified Self-Training[J/OL]. 2024, arXiv:2409. 14940[2024-9-23]. https://arxiv.org/abs/2409.14940.
[40]	HUANG Y, ZHANG M, DING D, et al. Causalpc: Improving the robustness of point cloud classification by causal effect identification[C]// Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2024: 19779-19789.
[41]	WU L, ZHUANG J, CHEN H. Voco: A simple-yet-effective volume contrastive learning framework for 3d medical image analysis[C]// Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2024: 22873-22882.
[42]	CUI J, ZHONG Z, TIAN Z, et al. Generalized parametric contrastive learning[J]. IEEE Transactions on Pattern Analysis and Machine Intelligence, 2024, 46(12): 7463-7474. doi: 10.1109/TPAMI.2023.3278694
[43]	WEN X, ZHAO B, ZHENG A, et al. Self-supervised visual representation learning with semantic grouping[J]. Advances in neural information processing systems, 2022, 35: 16423-16438.
[44]	CARLINI N, WAGNER D. Towards evaluating the robustness of neural networks[C]// 2017 ieee symposium on security and privacy (sp), Ieee, 2017: 39-57.
[45]	GU S, RIGAZIO L. Towards Deep Neural Network Architectures Robust to Adversarial Examples[J/OL]., 2014, arXiv:1412.5068 [2014-12-11]. https://arxiv.org/abs/1412.5068.
[46]	DONG Y, LIAO F, PANG T, et al. Boosting adversarial attacks with momentum[C]// Proceedings of the IEEE conference on computer vision and pattern recognition, 2018: 9185-9193.
[47]	MADRY A, MAKELOV A, SCHMIDT L, et al. Towards deep learning models resistant to adversarial attacks[J]. arXiv preprint arXiv:1706.06083, 2017.
[48]	HAO L, HAO K, WEI B, et al. Boosting the transferability of adversarial examples via stochastic serial attack[J]. Neural Networks, 2022, 150: 58-67. doi: 10.1016/j.neunet.2022.02.025 pmid: 35305532
[49]	ZHANG J, LIU T, TAO D, et al. Going Deeper, Generalizing Better: An Information-Theoretic View for Deep Learning[J]. IEEE Transactions on Neural Networks and Learning Systems, 2024, 35(11): 16683-16695. doi: 10.1109/TNNLS.2023.3297113

算法一：	3D对抗性点云的生成及3D变换的嵌入方式
输入：	良性点云P_ben，源模型${\mathrm{f}}_{\mathrm{s}}\left(\bullet \right)$，最大扰动幅度ε_∞，裁剪函数$C[\bullet,{\varepsilon }_{\mathrm{\infty }}]$，迭代次数N，迭代步长μ，损失函数$\mathcal{L}\left(\bullet \right)$。
输出：	3D变换后的3D对抗性点云${P}_{adv}^{t}$。
1:	${P}_{adv}^{0}\leftarrow {P}_{ben}+\mathit{\xi }$
2:	fori=1 to N do
3:	$\mathbf{g}\leftarrow {\nabla }_{{P}_{adv}}\mathcal{L}\left({f}_{s}\left({P}_{adv}^{i-1}\right)\right)$
4:	${P}_{adv}^{i}\leftarrow {P}_{adv}^{i-1}-\mu \bullet \mathit{g}$
5:	${P}_{adv}^{i}\leftarrow C[{P}_{adv}^{i},{\varepsilon }_{\mathrm{\infty }}]$
6:	end for
7:	${P}_{adv}^{t}\leftarrow \mathit{T}\bullet {P}_{adv}^{N}$

最大扰动幅度 (→)		0.18				0.45
目标模型 (→)		PointNet	PointNet++	PointConv	DGCNN	PointNet	PointNet++	PointConv	DGCNN
攻击 (↓)	3D变换 (↓)	PointNet	PointNet++	PointConv	DGCNN	PointNet	PointNet++	PointConv	DGCNN
3D-Adv^[3]	无	85.39	10.34	6.28	6.26	85.39	10.37	6.28	6.26
	旋转	92.81	87.91	90.38	88.21	92.81	87.91	90.34	88.09
	切变	54.47	34.70	32.08	18.45	54.47	34.72	32.11	18.45
	缩放	56.24	14.07	10.39	10.00	56.27	14.14	10.49	10.01
	扭曲	53.96	26.74	21.72	17.56	53.90	26.74	21.69	17.44
	锥化	60.03	26.71	24.53	17.93	59.98	26.76	24.51	17.92
	弯曲	56.00	16.76	13.42	12.88	56.00	16.72	13.41	12.86
	平移	76.63	10.75	6.85	28.08	76.72	10.81	6.78	27.94
KNN^[25]	无	85.62	18.23	9.09	18.26	85.62	17.75	9.02	18.22
	旋转	93.60	89.33	90.06	89.77	93.59	89.42	90.25	89.93
	切变	79.51	43.87	36.17	27.18	79.47	43.75	35.78	26.63
	缩放	83.25	23.87	13.35	19.62	83.25	23.58	13.05	19.98
	扭曲	81.96	35.39	25.17	26.03	81.95	34.79	25.05	26.07
	锥化	85.05	35.68	26.69	26.17	85.16	35.58	26.29	25.96
	弯曲	84.44	25.52	16.46	21.50	84.39	25.45	16.37	21.11
	平移	82.45	18.38	10.16	38.56	82.51	17.96	9.84	38.33
AOF^[26]	无	85.62	47.63	35.42	31.46	85.62	48.09	35.86	32.04
	旋转	94.30	91.92	93.26	91.73	94.44	92.22	93.28	91.77
	切变	80.32	68.10	58.20	43.72	80.41	68.29	58.29	44.21
	缩放	82.23	52.73	39.41	32.19	82.21	53.00	39.13	33.29
	扭曲	82.77	61.61	50.50	41.75	82.81	62.14	50.59	42.41
	锥化	84.65	62.01	51.53	40.56	84.66	62.72	51.64	40.85
	弯曲	83.84	54.78	42.20	34.35	83.84	55.54	42.28	35.19
	平移	85.21	50.17	36.18	52.39	85.55	50.39	36.14	52.46

最大扰动幅度 (→)		0.18				0.45
目标模型 (→)		PointNet	PointNet++	CurveNet	DGCNN	PointNet	PointNet++	CurveNet	DGCNN
攻击 (↓)	3D变换 (↓)	PointNet	PointNet++	CurveNet	DGCNN	PointNet	PointNet++	CurveNet	DGCNN
3D-Adv^[3]	无	0.64	0.98	0.71	0.84	0.64	1.02	0.71	0.84
	旋转	89.22	87.24	85.55	87.69	89.54	89.19	86.93	88.76
	切变	13.54	13.99	8.83	11.20	12.90	14.51	8.70	10.67
	缩放	1.47	1.73	1.03	1.29	2.03	1.86	1.07	1.07
	扭曲	2.26	9.53	6.29	8.58	2.30	10.04	6.60	9.38
	锥化	4.33	8.70	7.09	10.13	3.45	8.87	6.87	9.69
	平移	22.29	1.20	2.81	4.93	21.74	0.89	2.94	4.89
KNN^[25]	无	2.49	2.04	2.63	2.18	2.44	1.73	2.68	2.27
	旋转	89.64	87.99	85.50	88.09	89.45	89.19	87.47	89.16
	切变	15.29	15.14	10.35	12.27	14.65	15.58	9.95	12.58
	缩放	3.04	2.35	2.81	2.18	3.55	2.61	2.63	2.18
	扭曲	3.59	10.68	7.85	10.18	3.78	10.27	7.58	10.36
	锥化	5.34	9.67	8.30	11.20	4.93	10.24	8.88	10.62
	平移	24.83	2.17	4.46	6.49	24.74	1.68	4.46	6.67
AdvPC^[6]	无	2.26	2.26	2.63	2.09	2.26	2.12	2.63	2.09
	旋转	90.05	88.88	85.95	88.67	90.14	90.34	88.00	89.82
	切变	15.29	15.94	10.88	12.71	15.85	15.36	10.57	12.76
	缩放	3.09	2.62	2.81	2.44	2.95	2.53	2.59	2.31
	扭曲	3.32	10.37	8.16	10.31	3.87	10.71	8.07	10.76
	锥化	5.39	9.89	8.70	11.60	4.88	9.93	9.01	11.29
	平移	23.45	2.48	4.24	6.71	22.85	2.35	4.06	6.44
AOF^[26]	无	4.97	3.24	3.75	3.78	6.77	3.59	4.01	3.64
	旋转	91.85	90.92	88.49	90.58	92.12	91.98	89.65	91.29
	切变	19.53	18.83	13.29	17.07	22.20	18.51	13.69	16.58
	缩放	5.76	4.35	4.24	4.09	7.46	4.34	4.01	4.22
	扭曲	5.62	12.54	8.88	12.09	8.15	13.05	10.08	12.62
	锥化	9.81	13.31	11.46	14.00	11.01	13.39	13.16	14.00
	平移	26.62	3.59	5.22	8.67	27.22	3.59	5.84	8.00

模型 (↓)	3D变换 (↓)	ASR (目标攻击) (%)				ASR (非目标攻击) (%)
模型 (↓)	3D变换 (↓)	IFGM^[45]	MIFGM^[46]	PGD^[47]	C&W^[44]	IFGM^[45]	MIFGM^[46]	PGD^[47]	C&W^[44]
PointNet^[17]	无	22.65	22.69	22.97	36.71	65.80	65.88	67.79	86.18
	旋转	2.31	2.92	2.59	2.71	89.42	91.94	90.28	89.59
	缩放	7.50	13.13	8.87	7.41	42.34	58.59	43.88	28.12
	切变	2.23	6.20	2.84	1.94	34.20	54.50	35.90	26.50
	锥化	6.52	10.82	8.02	7.94	42.22	56.85	44.33	31.20
	平移	0.97	2.07	1.18	1.34	32.29	42.42	32.13	30.43
	扭曲	4.29	9.44	6.16	5.23	32.13	53.24	35.53	21.39
DGCNN^[21]	无	40.56	21.56	47.97	70.83	48.82	48.62	51.74	97.08
	旋转	2.51	2.39	2.35	1.99	88.94	90.07	88.09	89.55
	缩放	21.47	19.12	23.87	32.01	40.32	46.96	42.71	51.74
	切变	3.36	8.06	3.48	5.63	31.77	46.39	33.97	33.39
	锥化	5.79	9.16	5.75	6.93	31.00	45.38	33.71	33.59
	平移	5.19	10.05	8.35	9.00	29.17	42.87	30.67	32.94
	扭曲	6.32	10.45	6.24	7.82	31.73	43.11	33.10	29.70

模型 (↓)	3D变换 (↓)	ASR (目标攻击) (%)				ASR (非目标攻击) (%)
模型 (↓)	3D变换 (↓)	IFGM^[45]	MIFGM^[46]	PGD^[47]	C&W^[44]	IFGM^[45]	MIFGM^[46]	PGD^[47]	C&W^[44]
PointNet^[17]	无	7.90	8.56	10.16	17.43	17.75	18.27	18.41	24.70
	旋转	5.32	6.12	5.85	5.85	80.79	80.06	79.68	79.47
	缩放	4.63	7.13	4.73	6.16	12.67	16.67	12.91	8.39
	切变	1.67	4.70	2.51	1.77	8.00	14.20	8.46	3.24
	锥化	3.86	5.88	4.70	4.59	11.59	15.90	12.73	7.20
	平移	1.57	2.51	1.01	1.32	15.31	17.47	14.68	15.03
	扭曲	3.65	5.22	4.31	4.18	10.26	15.27	11.62	6.09
DGCNN^[21]	无	27.91	14.89	33.89	54.18	27.11	27.56	31.87	66.63
	旋转	5.98	6.30	6.19	5.88	84.10	84.17	82.99	84.79
	缩放	18.20	14.09	21.57	32.08	23.07	27.66	27.17	42.21
	切变	5.53	9.74	7.20	7.45	18.37	26.86	22.37	18.58
	锥化	7.76	9.95	8.80	10.89	20.18	27.04	23.49	25.09
	平移	8.87	10.33	10.75	12.04	21.57	30.62	25.09	29.54
	扭曲	7.97	10.06	8.63	10.72	20.15	27.28	24.04	21.89

探索基于3D变换的后处理对3D对抗性点云迁移性的影响

Exploring the Impact of 3D Transformation-Based Post-Processing on the Transferability of 3D Adversarial Point Clouds

RichHTML

PDF

可视化

摘要/Abstract

引用本文

使用本文

图/表 12

参考文献 49

相关文章 1

编辑推荐

Metrics

本文评价