LG-GAN: Label Guided Adversarial Network for Flexible Targeted Attack of Point Cloud-based Deep Networks
Hang Zhou¹, Dongdong Chen², Jing Liao³, Kejiang Chen¹, Xiaoyi Dong¹, Kunlin Liu¹, Weiming Zhang¹, Gang Hua⁴, Nenghai Yu¹
¹ University of Science and Technology of China, ² Microsoft Research, ³ City University of Hong Kong, ⁴ Wormpex AI Research
Problem
[Figure: a point shifting/adding/dropping attack produces an adversarial example that is fed to a neural network. Labels: house, car, Threat!]
Motivation
Related work
Current attack methods:
• Optimization-based: high attack success rate / slow runtime / visible outliers
• Gradient-based: fast runtime / low attack success rate
Motivation
Generation-based adversarial examples will avoid creating outliers and be fast in generation with high attack success rates.
[Figure: original point cloud, optimization-based adversarial example, gradient-based adversarial example]
Framework
[Figure: LG-GAN architecture. Labeled components: point cloud encoder and decoder (sampling, feature learning, aggregation, interpolation, FC, conv) taking an N × 3 point cloud $\mathcal{P}$ through levels N, N/2, N/4, N/8 and producing an N × 3 output $\hat{\mathcal{P}}$; label encoder (target label $t$, padding) with multi-level feature integration; attacked model (prediction, classification loss); discriminator (feature learning, graph conv, residual block, residual pooling, conv, real/fake? prediction, discriminative loss); reconstruction loss.]
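Objective loss functions
Generator:
$$\mathcal{L}_{\mathcal{G}} = \mathcal{L}_{cls} + \alpha \mathcal{L}_{rec} + \beta \mathcal{L}_{dis}$$
$$\mathcal{L}_{cls} = -\left[ t \log \mathcal{H}(\hat{\mathcal{P}}) + (1 - t) \log\left(1 - \mathcal{H}(\hat{\mathcal{P}})\right) \right]$$
where $\hat{\mathcal{P}} = \mathcal{G}(\mathcal{P}, t)$
$\mathcal{L}_{rec}$ is $\ell_2$ distance
$$\mathcal{L}_{dis}(\hat{\mathcal{P}}) = \lVert 1 - D(\hat{\mathcal{P}}) \rVert_2^2$$
Discriminator:
$$\mathcal{L}_{D}(\mathcal{P}, \hat{\mathcal{P}}) = \frac{1}{2} \lVert D(\hat{\mathcal{P}}) \rVert_2^2 + \frac{1}{2} \lVert 1 - D(\mathcal{P}) \rVert_2^2$$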
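The generator and discriminator objectives on this slide, evaluated on small constructed values; this is an added example, not code from the authors or the LG-GAN project. Assumptions: the weights ALPHA and BETA are set to 1.0 (the slide gives no values), the target label t is one-hot, the ℓ2 distance is taken over all coordinates, and norms are summed over the batch.

```python
import math

ALPHA, BETA = 1.0, 1.0  # assumed weights; the slide does not state them

# Constructed sample values (not results from the paper).
CLOUD = [(0.0, 0.0, 0.0), (1.0, 0.0, 0.0), (0.0, 1.0, 0.0)]      # original P
ADV_CLOUD = [(0.0, 0.0, 0.3), (1.0, 0.4, 0.0), (0.0, 1.0, 0.0)]  # generated P_hat
PRED = [0.1, 0.7, 0.2]   # attacked model output H(P_hat), class probabilities
TARGET = [0, 1, 0]       # one-hot target label t (assumed encoding)
D_REAL, D_FAKE = [0.9], [0.4]  # discriminator scores D(P), D(P_hat)


def cls_loss(pred, target, eps=1e-12):
    """Cross-entropy between H(P_hat) and the target label t, summed over classes."""
    return -sum(t * math.log(max(p, eps)) + (1 - t) * math.log(max(1 - p, eps))
                for p, t in zip(pred, target))


def rec_loss(cloud, adv_cloud):
    """l2 distance between P and P_hat (assumed: over all point coordinates)."""
    return math.sqrt(sum((a - b) ** 2
                         for p, q in zip(cloud, adv_cloud)
                         for a, b in zip(p, q)))


def dis_loss(d_fake):
    """Generator's GAN term ||1 - D(P_hat)||_2^2: zero when D scores fakes as 1."""
    return sum((1 - d) ** 2 for d in d_fake)


def generator_loss(pred, target, cloud, adv_cloud, d_fake):
    """L_G = L_cls + alpha * L_rec + beta * L_dis."""
    return (cls_loss(pred, target)
            + ALPHA * rec_loss(cloud, adv_cloud)
            + BETA * dis_loss(d_fake))


def discriminator_loss(d_real, d_fake):
    """L_D = 1/2 ||D(P_hat)||_2^2 + 1/2 ||1 - D(P)||_2^2: zero when real=1, fake=0."""
    return (0.5 * sum(d ** 2 for d in d_fake)
            + 0.5 * sum((1 - d) ** 2 for d in d_real))


if __name__ == "__main__":
    print("L_G =", generator_loss(PRED, TARGET, CLOUD, ADV_CLOUD, D_FAKE))
    print("L_D =", discriminator_loss(D_REAL, D_FAKE))
```

The reconstruction term is the one that bounds how far the generated cloud may move from the original, which is also the distance a defender would measure when comparing a suspect sample against a clean reference.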
Results
[Figure: adversarial examples generated from a clean plane. Attack labels: C&W L2 attack, C&W chamfer attack, C&W hausdorff attack, C&W cluster attack, C&W object attack, IFGM attack, single-layered LG-GAN attack, LG attack, LG-GAN attack. Target labels shown: toilet, sofa, lamp, vase.]
Results
Table: Attack success rate (%, second to fourth column), distance (fifth-sixth column) between original sample and adversarial sample (meter per object) and generating time (second per object) on attacking PointNet. “Target” stands for white-box attacks. The hyper-parameter setting of two gray-box attacks is: for the simple random sampling (SRS) defense model, percentage of random dropped points is 60% ∼ 90%; for DUP-Net defense model, k = 50 and α = 0.9 from [39]. The default LG-GAN (ours) consists of multi-layered label embedding, ℓ2 loss and GAN loss.
Thank You