Abstract:
3D point clouds play a pivotal role in many safety-critical applications such as autonomous driving, where adversarially robust 3D deep learning models are desired. In this study, we conduct the first security analysis of state-of-the-art (SOTA) defenses against 3D adversarial attacks and design adaptive evaluations on them. Our 100% adaptive attack success rates demonstrate that SOTA countermeasures are still fragile. We further present an in-depth study showing how adversarial training (AT) performs in point cloud classification and identify that the required symmetric function (pooling operation) is paramount to 3D models' robustness. Through systematic analysis, we unveil that the fixed pooling used by default (e.g., MAX pooling) generally weakens AT's effectiveness. Interestingly, we also discover that sorting-based parametric pooling significantly improves the models' robustness. Based on the above insights, we propose DeepSym, a deep symmetric pooling operation, to architecturally advance the robustness of PointNet to 47.0% under AT without sacrificing nominal accuracy, outperforming the original design and a strong baseline by +28.5% (~2.6x) and +6.5%, respectively.
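As an added illustration (not code from the paper), the sketch below contrasts a fixed symmetric function (MAX pooling) with one assumed form of sorting-based parametric pooling: sort each feature channel across points, then take a weighted sum over ranks. The feature values, rank weights and function names are constructed for this example, and it does not implement DeepSym.

```python
import random

# Constructed per-point features: 5 points x 3 channels (not data from the paper).
FEATURES = [[1, 4, 2], [3, 0, 5], [2, 2, 1], [0, 3, 4], [5, 1, 0]]
# Constructed stand-in for learned per-rank weights (assumption).
RANK_WEIGHTS = [0.5, 0.25, 0.125, 0.0625, 0.0625]


def max_pool(features):
    """Fixed symmetric function: channel-wise maximum over all points."""
    return [max(channel) for channel in zip(*features)]


def sorted_pool(features, weights=RANK_WEIGHTS):
    """Sorting-based parametric pooling (assumed form): sort each channel in
    descending order, then weight each rank. Sorting removes point order,
    so the result is still a symmetric function of the point set."""
    pooled = []
    for channel in zip(*features):
        ranked = sorted(channel, reverse=True)
        pooled.append(sum(w * v for w, v in zip(weights, ranked)))
    return pooled


def permuted(features, seed):
    """Return the same point set in a different (seeded) order."""
    points = list(features)
    random.Random(seed).shuffle(points)
    return points


def with_point(features, index, new_point):
    """Return a copy of the point set with one point's features replaced."""
    out = [list(p) for p in features]
    out[index] = list(new_point)
    return out


if __name__ == "__main__":
    shuffled = permuted(FEATURES, seed=7)
    print("max    :", max_pool(FEATURES), max_pool(shuffled))
    print("sorted :", sorted_pool(FEATURES), sorted_pool(shuffled))
    # One-hot rank weights reduce sorted pooling to MAX pooling.
    print("one-hot:", sorted_pool(FEATURES, [1, 0, 0, 0, 0]))
    # Changing a point that holds no channel maximum leaves MAX pooling
    # unchanged, while every rank contributes to the parametric variant.
    moved = with_point(FEATURES, 2, [2.5, 2.5, 1.5])
    print("moved  :", max_pool(moved), sorted_pool(moved))
```

Both functions return the same vector for any ordering of the points, which is the symmetry requirement the abstract refers to; they differ in how many points influence the pooled feature.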