3D perception of objects is critical for many real-world applications, such as autonomous cars and robots. Among them, most state-of-the-art (SOTA) 3D perception systems are based on deep learning models. Recently, the research community found that 3D object classifiers on point cloud based on deep learning are easily fooled by adversarial point cloud craft by attackers. To overcome this, adversarial defenses are considered the most effective ways to improve the robustness of deep learning models, and most adversarial defenses on point cloud are focused on input transformation. However, all previous defense methods decrease the natural accuracy, and the nature of the point cloud classifiers itself has been overlooked. To this end, in this paper, we propose a novel adversarial defense for 3D point cloud classifiers that makes full use of the nature of the point cloud classifiers. Due to the disorder of point cloud, all point cloud classifiers have the property of permutation invariant to the input point cloud. Based on this nature, we design invariant transformations defense (IT-Defense). We show that, even after accounting for obfuscated gradients, our IT-Defense is a resilient defense against SOTA 3D attacks. Moreover, IT-Defense does not hurt clean accuracy compared to previous SOTA 3D defenses. Our code will be available at: https://github.com/cuge1995/ IT-Defense.

中文翻译：

---

防御的艺术：让网络愚弄攻击者


物体的 3D 感知对于许多现实世界的应用至关重要，例如自动驾驶汽车和机器人。其中，大多数最先进（SOTA）的3D感知系统都是基于深度学习模型。最近，研究社区发现，基于深度学习的点云 3D 对象分类器很容易被攻击者的对抗性点云技术所愚弄。为了克服这个问题，对抗性防御被认为是提高深度学习模型鲁棒性的最有效方法，而大多数点云上的对抗性防御都集中在输入转换上。然而，以前的所有防御方法都降低了自然准确性，并且点云分类器本身的性质被忽视了。为此，在本文中，我们提出了一种新颖的 3D 点云分类器对抗性防御，充分利用点云分类器的性质。由于点云的无序性，所有点云分类器都具有对输入点云的排列不变性。基于这种性质，我们设计了不变变换防御（IT-Defense）。我们表明，即使在考虑了模糊梯度之后，我们的 IT 防御仍然能够有效防御 SOTA 3D 攻击。此外，与之前的 SOTA 3D 防御相比，IT-Defense 不会损害干净的准确性。我们的代码可在以下网址获取：https://github.com/cuge1995/IT-Defense。