based deep networks
play

based Deep Networks Hang Zhou 1 Dongdong Chen 2 Jing Liao 3 Kejiang - PowerPoint PPT Presentation

LG-GAN: Label Guided Adversarial Network for Flexible Targeted Attack of Point Cloud- based Deep Networks Hang Zhou 1 Dongdong Chen 2 Jing Liao 3 Kejiang Chen 1 Xiaoyi Dong 1 Kunlin Liu 1 Weiming Zhang 1 Gang Hua 4 Nenghai Yu 1 1 University of


  1. LG-GAN: Label Guided Adversarial Network for Flexible Targeted Attack of Point Cloud- based Deep Networks Hang Zhou 1 Dongdong Chen 2 Jing Liao 3 Kejiang Chen 1 Xiaoyi Dong 1 Kunlin Liu 1 Weiming Zhang 1 Gang Hua 4 Nenghai Yu 1 1 University of Science and Technology of China 2 Microsoft Research 3 City University of Hong Kong 4 Wormpex AI Research

  2. Problem Point shifting/adding/dropping Neural network Adversarial Threat! example attack house car

  3. Motivation Related work Current attack methods: β€’ Optimization-based: High attack success rate/ slow runtime / visible outliers β€’ Gradient-based: Fast runtime/ low attack success rate Motivation Generation based adversarial examples will avoid creating optimization gradient original outliers and be fast in generation with high attack success based based point rates. adversarial adversarial cloud example example

  4. Framework Reconstruction loss Point cloud encoder Decoder sampling feature learning aggregation interpolation FC 𝒬 conv conv conv N N/2 N Γ— 3 N/4 N/8 ΰ·  𝒬 … … … Label 𝑒 encoder Multi-level Feature Target padding N Γ— 3 label integration Attacked Classification loss Prediction model Discriminator feature learning residual block real/fake? residual pooling graph conv conv conv Prediction Discriminative loss conv …

  5. Objective loss functions Generator: β„’ 𝒣 = β„’ π‘‘π‘šπ‘‘ + 𝛽ℒ 𝑠𝑓𝑑 + 𝛾ℒ 𝑒𝑗𝑑 β„’ π‘‘π‘šπ‘‘ = βˆ’ 𝑒 log β„‹ ΰ·  𝒬 + 1 βˆ’ 𝑒 log β„‹ 1 βˆ’ ΰ·  𝒬 ΰ·  where 𝒬 = 𝒣 πœ„ 𝒬, 𝑒 β„’ 𝑠𝑓𝑑 is β„“ 2 distance 2 β„’ 𝑒𝑗𝑑 ΰ·  1 βˆ’ 𝐸 πœ„ ΰ·  𝒬 = 𝒬 2 Discriminator: 𝒬 = 1 2 + 1 β„’ 𝐸 𝒬, ΰ·  2 𝐸 πœ„ ΰ·  2 𝒬 2 1 βˆ’ 𝐸 πœ„ 𝒬 2 2

  6. Results clean plane C&W L2 attack C&W chamfer attack C&W hausdorff attack C&W cluster attack Single-layered LG-GAN C&W object attack IFGM attack (to toilet) LG attack (to sofa) LG-GAN attack (to lamp) attack (to vase)

  7. Results Table: Attack success rate (%, second to fourth column), distance (fifth-sixth column) between original sample and adversarial sample (meter per object) and generating time (second per object) on attacking PointNet. β€œTarget” stands for white-box attacks. The hyper-parameter setting of two gray-box attacks is: for the simple random sampling (SRS) defense model, percentage of random dropped points is 60% ∼ 90%; for DUP-Net defense model, k = 50 and Ξ± = 0.9 from [39]. The default LG-GAN (ours) consists of multi-layered label embedding, β„“ 2 loss and GAN loss.

  8. Thank You

Recommend


More recommend