based Deep Networks Hang Zhou 1 Dongdong Chen 2 Jing Liao 3 Kejiang - - PowerPoint PPT Presentation
LG-GAN: Label Guided Adversarial Network for Flexible Targeted Attack of Point Cloud- based Deep Networks Hang Zhou 1 Dongdong Chen 2 Jing Liao 3 Kejiang Chen 1 Xiaoyi Dong 1 Kunlin Liu 1 Weiming Zhang 1 Gang Hua 4 Nenghai Yu 1 1 University of
1University of Science and Technology of China 2Microsoft Research 3City University of Hong Kong 4Wormpex AI Research
Current attack methods:
High attack success rate/slow runtime/visible outliers
Fast runtime/low attack success rate
point cloud
based adversarial example gradient based adversarial example
Generation based adversarial examples will avoid creating
rates.
real/fake? π¬
NΓ3 NΓ3
ΰ· π¬ Label encoder
padding
Target label π’ Multi-level Feature integration Reconstruction loss Attacked model Prediction Classification loss Decoder
aggregation interpolation
β¦ β¦ β¦
FC
Point cloud encoder
sampling feature learning
conv conv conv N N/2 N/4 N/8
Prediction Discriminative loss Discriminator
feature learning
residual graph conv pooling conv
residual block
conv conv
β¦
βπ£ = βπππ‘ + π½βπ ππ + πΎβπππ‘ Generator: βπππ‘ = β π’ log β ΰ· π¬ + 1 β π’ log β 1 β ΰ· π¬ where βπ ππ is β2 distance βπππ‘ ΰ· π¬ = 1 β πΈπ ΰ· π¬
2 2
Discriminator: βπΈ π¬, ΰ· π¬ = 1 2 πΈπ ΰ· π¬
2 2 + 1
2 1 β πΈπ π¬
2 2
ΰ· π¬ = π£π π¬, π’
clean plane C&W L2 attack C&W chamfer attack C&W hausdorff attack C&W cluster attack C&W object attack IFGM attack (to toilet) LG attack (to sofa) LG-GAN attack (to lamp) Single-layered LG-GAN attack (to vase)
Table: Attack success rate (%, second to fourth column), distance (fifth-sixth column) between original sample and adversarial sample (meter per object) and generating time (second per object) on attacking PointNet. βTargetβ stands for white-box
percentage of random dropped points is 60%βΌ90%; for DUP-Net defense model, k = 50 and Ξ± = 0.9 from [39]. The default LG-GAN (ours) consists of multi-layered label embedding, β2 loss and GAN loss.