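Author (Chinese): 蔡宗宇
Author (English): Tsai, Tzung-Yu
Thesis title (Chinese): 針對深度學習模型的對抗例物體
Thesis title (English): Robust Adversarial Objects against Deep Learning Models
Advisor (Chinese): 何宗易
Advisor (English): Ho, Tsung-Yi
Oral defense committee (Chinese): 吳尚鴻; 李育杰; 陳尚澤
Oral defense committee (English): Wu, Shan-Hung; Lee, Yuh-Jye; Chen, Shang-Tse
Degree: Master's
University: National Tsing Hua University
Department: Department of Computer Science
Student ID: 107062519
Year of publication (ROC calendar): 109
Academic year of graduation: 108
Language: English
Number of pages: 36
Keywords (translated from Chinese): Deep Learning; Neural Network; Adversarial Example Attack
Keywords (English): Deep Learning; Neural Network; Adversarial Attack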
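Previous research has shown that current deep neural networks (DNNs) offer insufficient security against specially designed input data: a network's recognition results can be maliciously altered, which undermines its reliability. Such inputs are called adversarial examples. Although this phenomenon has been studied in depth in many domains, such as conventional RGB images, research on 3D data (for example point clouds or point sets) is comparatively scarce, yet it is very important when real-world scenarios are considered, such as the LiDAR sensors carried by self-driving systems. In this thesis, we propose a method for generating adversarial point clouds against PointNet++ (a recognition network for point clouds that requires no additional data preprocessing). Compared with previous work, we not only generate adversarial point clouds but also ensure that each point cloud can be used to produce a corresponding real object, so that the object can be manufactured in the real world to reproduce the attack. In addition, we test several existing defenses for point clouds to ensure that the attack effectiveness of our point clouds is not easily affected by them.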
Previous work has shown that Deep Neural Networks (DNNs), including those currently in use in many fields, are extremely vulnerable to maliciously crafted inputs, known as adversarial examples. Despite extensive and thorough research on adversarial examples in many areas, adversarial 3D data, such as point clouds, remain comparatively unexplored. The study of adversarial 3D data is crucial considering its impact in real-life, high-stakes scenarios including autonomous driving. In this thesis, we propose a novel adversarial attack against PointNet++, a deep neural network that performs classification and segmentation tasks using features learned directly from raw 3D points. In comparison to existing works, our attack generates not only adversarial point clouds, but also robust adversarial objects that in turn generate adversarial point clouds when sampled both in simulation and after construction in the real world. We also demonstrate that our objects can bypass existing defense mechanisms designed especially against adversarial 3D data.
1 Introduction
2 Related Work
2.1 Deep Learning on 3D Points
2.2 Adversarial Attacks and Defenses in Deep Learning
2.3 Adversarial 3D Points
3 Proposed Methodology
3.1 Point-wise Adversarial Perturbation
3.2 Point Cloud Distance Metrics
3.3 Point Cloud Smoothing
3.4 Random Sampling
3.5 Surface Reconstruction
4 Experimental Results
4.1 Experimental Setup
4.2 Evaluation of the Trained Models
4.3 Adversarial Attack Evaluation
4.4 Surface Reconstruction and Re-sampling
4.5 Existing Defense Mechanisms
4.6 Physical Adversarial 3D Objects
5 Conclusion
6 References