Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
Skip to main content

Advertisement

Springer Nature Link
Log in

A Comprehensive Study of the Robustness for LiDAR-Based 3D Object Detectors Against Adversarial Attacks

  • Published:
International Journal of Computer Vision Aims and scope Submit manuscript

Abstract

Recent years have witnessed significant advancements in deep learning-based 3D object detection, leading to its widespread adoption in numerous applications. As 3D object detectors become increasingly crucial for security-critical tasks, it is imperative to understand their robustness against adversarial attacks. This paper presents the first comprehensive evaluation and analysis of the robustness of LiDAR-based 3D detectors under adversarial attacks. Specifically, we extend three distinct adversarial attacks to the 3D object detection task, benchmarking the robustness of state-of-the-art LiDAR-based 3D object detectors against attacks on the KITTI and Waymo datasets. We further analyze the relationship between robustness and detector properties. Additionally, we explore the transferability of cross-model, cross-task, and cross-data attacks. Thorough experiments on defensive strategies for 3D detectors are conducted, demonstrating that simple transformations like flipping provide little help in improving robustness when the applied transformation strategy is exposed to attackers. Finally, we propose balanced adversarial focal training, based on conventional adversarial training, to strike a balance between accuracy and robustness. Our findings will facilitate investigations into understanding and defending against adversarial attacks on LiDAR-based 3D object detectors, thus advancing the field. The source code is publicly available at https://github.com/Eaphan/Robust3DOD.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8
Fig. 9
Fig. 10

Similar content being viewed by others

Explore related subjects

Discover the latest articles, news and stories from top researchers in related subjects.

Data Availability

The Waymo Open Dataset (Sun et al., 2020b) and KITTI (Geiger et al., 2012) used in this manuscript are deposited in publicly available repositories respectively: https://waymo.com/open/data/perception and http://www.cvlibs.net/datasets/kitti.

References

  • Abdelfattah, M., Yuan, K., Wang, Z. J., & Ward, R. (2021). Adversarial attacks on camera-lidar models for 3D car detection. In 2021 IEEE/RSJ international conference on intelligent robots and systems (IROS) (pp. 2189–2194). IEEE.

  • Athalye, A., Carlini, N., & Wagner, D. (2018). Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In International Conference on Machine Learning (Vol. 80, pp. 274–283).

  • Briñón-Arranz, L., Rakotovao, T., Creuzet, T., Karaoguz, C., & El-Hamzaoui, O. (2021). A methodology for analyzing the impact of crosstalk on lidar measurements. In Sensors (pp. 1–4). IEEE.

  • Carlini, N., & Wagner, D. (2017). Towards evaluating the robustness of neural networks. In IEEE Symposium on Security and Privacy (pp. 39–57). IEEE.

  • Carrilho, A., Galo, M., & Dos Santos, R. C. (2018). Statistical outlier detection method for airborne lidar data. International Archives of the Photogrammetry, Remote Sensing and Spatial Information Sciences, 42(1), 87–92.

    Article  Google Scholar 

  • Chen, C., Chen, Z., Zhang, J., & Tao, D. (2022). Sasa: Semantics-augmented set abstraction for point-based 3d object detection. In Proceedings of the AAAI Conference on Artificial Intelligence (Vol. 1, pp. 221–229).

  • Cheng, Z., Liang, J., Choi, H., Tao, G., Cao, Z., Liu, D., & Zhang, X. (2022). Physical attack on monocular depth estimation with optimal adversarial patches. In European conference on computer vision (pp. 514–532). Springer.

  • Choi, J., Song, Y., & Kwak, N. (2021). Part-aware data augmentation for 3d object detection in point cloud. In IEEE/RSJ International Conference on Intelligent Robots and Systems (pp. 3391–3397).

  • Deng, J., Shi, S., Li, P., Zhou, W., Zhang, Y., & Li, H. (2021). Voxel r-cnn: Towards high performance voxel-based 3d object detection. In Proceedings of the AAAI conference on artificial intelligence (pp. 1201–1209).

  • Dong, X., Chen, D., Zhou, H., Hua, G., Zhang, W., & Yu, N. (2020). Self-robust 3d point recognition via gather-vector guidance. In Proceedings of the IEEE/CVF conference on computer vision and pattern recognition (pp. 11513–11521). IEEE.

  • Dong, Y., Liao, F., Pang, T., Su, H., Zhu, J., Hu, X., & Li, J. (2018). Boosting adversarial attacks with momentum. In Proceedings of the IEEE/CVF conference on computer vision and pattern recognition (pp. 9185–9193)

  • Dziugaite, G. K., Ghahramani, Z., & Roy, D. M. (2016). A study of the effect of jpg compression on adversarial images. arXiv preprint arXiv:1608.00853

  • Geiger, A., Lenz, P., & Urtasun, R. (2012). Are we ready for autonomous driving? The kitti vision benchmark suite. In Proceedings of the IEEE/CVF conference on computer vision and pattern recognition (pp. 3354–3361).

  • Goodfellow, I. J., Shlens, J., & Szegedy, C. (2014). Explaining and harnessing adversarial examples. arXiv preprint arXiv:1412.6572

  • Guo, C., Rana, M., Cisse, M., & van der Maaten, L. (2018). Countering adversarial images using input transformations. In International conference on learning representations

  • Hahner, M., Sakaridis, C., Bijelic, M., Heide, F., Yu, F., Dai, D., & Van Gool, L. (2022). Lidar snowfall simulation for robust 3d object detection. In Proceedings of the IEEE/CVF conference on computer vision and pattern recognition (pp. 16364–16374).

  • Hamdi, A., Rojas, S., Thabet, A., & Ghanem, B. (2020). Advpc: Transferable adversarial perturbations on 3d point clouds. In European conference on computer vision (pp. 241–257). Springer.

  • He, C., Zeng, H., Huang, J., Hua, X. S., & Zhang, L. (2020). Structure aware single-stage 3d object detection from point cloud. In Proceedings of the IEEE/CVF conference on computer vision and pattern recognition (pp. 11870–11879).

  • Herrmann, C., Sargent, K., Jiang, L., Zabih, R., Chang, H., Liu, C., Krishnan, D., & Sun, D. (2022). Pyramid adversarial training improves vit performance. In Proceedings of the IEEE/CVF conference on computer vision and pattern recognition (pp. 13419–13429).

  • Hu, J. S., Kuai, T., & Waslander, S. L. (2022a). Point density-aware voxels for lidar 3d object detection. In Proceedings of the IEEE/CVF conference on computer vision and pattern recognition (pp. 8469–8478).

  • Hu, S., Zhang, J., Liu, W., Hou, J., Li, M., Zhang, L. Y., Jin, H., & Sun, L. (2023). Pointca: Evaluating the robustness of 3d point cloud completion models against adversarial examples. In Proceedings of the AAAI conference on artificial intelligence (Vol. 37, pp. 872–880).

  • Hu, Z., Huang, S., Zhu, X., Sun, F., Zhang, B., & Hu, X. (2022b). Adversarial texture for fooling person detectors in the physical world. In Proceedings of the IEEE/CVF conference on computer vision and pattern recognition (pp. 13307–13316).

  • Jia, J., Cao, X., & Gong, N. Z. (2021). Intrinsic certified robustness of bagging against data poisoning attacks. In Proceedings of the AAAI conference on artificial intelligence (Vol. 35, pp. 7961–7969).

  • Kerckhoffs, A. (1883). La cryptographie militaire. Journal des sciences militaires, 9, 5–38.

    Google Scholar 

  • Kong, L., Liu, Y., Li, X., Chen, R., Zhang, W., Ren, J., Pan, L., Chen, K., & Liu, Z. (2023). Robo3d: Towards robust and reliable 3d perception against corruptions. arXiv preprint arXiv:2303.17597

  • Kurakin, A., Goodfellow, I. J., & Bengio, S. (2017). Adversarial machine learning at scale. In International Conference on Learning Representations.

  • Kurakin, A., Goodfellow, I. J., & Bengio, S. (2018). Adversarial examples in the physical world. In Artificial intelligence safety and security (pp. 99–112). Chapman and Hall/CRC.

  • Lang, A., Vora, S., Caesar, H., Zhou, L., Yang, J., & Beijbom, O. (2019a). Pointpillars: Fast encoders for object detection from point clouds. In Proceedings of the IEEE/CVF conference on computer vision and pattern recognition (pp. 12689–12697).

  • Lang, A. H., Vora, S., Caesar, H., Zhou, L., Yang, J., & Beijbom, O. (2019b). Pointpillars: Fast encoders for object detection from point clouds. In Proceedings of the IEEE/CVF conference on computer vision and pattern recognition (pp. 12697–12705).

  • Lehner, A., Gasperini, S., Marcos-Ramiro, A., Schmidt, M., Mahani, M. A. N., Navab, N., Busam, B., & Tombari, F. (2022). 3d-vfield: Adversarial augmentation of point clouds for domain generalization in 3d object detection. In Proceedings of the IEEE/CVF conference on computer vision and pattern recognition (pp. 17295–17304).

  • Li, B., Chen, C., Wang, W., & Carin, L. (2019). Certified adversarial robustness with additive noise. In Advances in neural information processing systems (p. 32).

  • Lin, T. Y., Goyal, P., Girshick, R., He, K., & Dollár, P. (2017). Focal loss for dense object detection. In Proceedings of the IEEE/CVF international conference on computer vision (pp. 2980–2988).

  • Liu, D., & Hu, W. (2022). Imperceptible transfer attack and defense on 3d point cloud classification. IEEE Transactions on Pattern Analysis and Machine Intelligence, 45, 4727–4746.

    Google Scholar 

  • Liu, D., Yu, R., & Su, H. (2019). Extending adversarial attacks and defenses to deep 3d point cloud classifiers. In 2019 IEEE international conference on image processing (ICIP) (pp. 2279–2283). IEEE.

  • Liu, D., Yu, R., & Su, H. (2020). Adversarial shape perturbations on 3d point clouds. In European conference on computer vision (pp. 88–104). Springer.

  • Liu, H., Jia, J., & Gong, N. Z. (2021). Pointguard: Provably robust 3d point cloud classification. In Proceedings of the IEEE/CVF conference on computer vision and pattern recognition (pp. 6186–6195).

  • Madry, A., Makelov, A., Schmidt, L., Tsipras, D., & Vladu, A. (2018). Towards deep learning models resistant to adversarial attacks. In International conference on learning representations (pp. 1–28).

  • Osadchy, M., Hernandez-Castro, J., Gibson, S., Dunkelman, O., & Pérez-Cabo, D. (2017). No bot expects the deepcaptcha! introducing immutable adversarial examples, with applications to captcha generation. IEEE Transactions on Information Forensics and Security, 12(11), 2640–2653.

    Article  Google Scholar 

  • Paszke, A., Gross, S., Massa, F., Lerer, A., Bradbury, J., Chanan, G., Killeen, T., Lin, Z., Gimelshein, N., Antiga, L., Desmaison, A., Köpf, A., Yang, E. Z., DeVito, Z., Raison, M., Tejani, A., Chilamkurthy, S., Steiner, B., Fang, L., Bai, J., & Chintala, S. (2019). Pytorch: An imperative style, high-performance deep learning library. In H. M. Wallach, H. Larochelle, A. Beygelzimer, F. d’Alché-Buc, E. B. Fox, & R. Garnett (Eds.), Advances in neural information processing systems (pp. 8024–8035).

  • Qi, C., Su, H., Mo, K., & Guibas, L. J. (2017). Pointnet: Deep learning on point sets for 3d classification and segmentation. In Proceedings of the IEEE conference on computer vision and pattern recognition (pp. 652–660).

  • Shi, S., Guo, C., Jiang, L., Wang, Z., Shi, J., Wang, X., & Li, H. (2020a). Pv-rcnn: Point-voxel feature set abstraction for 3d object detection. In Proceedings of the IEEE/CVF conference on computer vision and pattern recognition (pp. 10529–10538).

  • Shi, S., Wang, X., & Li, H. (2019). Pointrcnn: 3d object proposal generation and detection from point cloud. In Proceedings of the IEEE/CVF conference on computer vision and pattern recognition (pp. 770–779).

  • Shi, S., Wang, Z., Shi, J., Wang, X., & Li, H. (2020b). From points to parts: 3d object detection from point cloud with part-aware and part-aggregation network. IEEE Transactions on Pattern Analysis and Machine Intelligence, 43(8), 2647–2664.

  • Sun, J., Cao, Y., Chen, Q. A., & Mao, Z. M. (2020a). Towards robust \(\{\)LiDAR-based\(\}\) perception in autonomous driving: General black-box adversarial sensor attack and countermeasures. In 29th USENIX Security Symposium (USENIX Security 20) (pp. 877–894).

  • Sun, J., Cao, Y., Choy, C. B., Yu, Z., Anandkumar, A., Mao, Z. M., & Xiao, C. (2021). Adversarially robust 3d point cloud recognition using self-supervisions. Advances in Neural Information Processing Systems, 34, 15498–15512.

    Google Scholar 

  • Sun, P., Kretzschmar, H., Dotiwalla, X., Chouard, A., Patnaik, V., Tsui, P., Guo, J., Zhou, Y., Chai, Y., Caine, B., Vasudevan, V., Han, W., Ngiam, J., Zhao, H., Timofeev, A., Ettinger, S., Krivokon, M., Gao, A., Joshi, A., Zhange, Y., Shlens, J., Chen, Z., & Anguelov, D. (2020b). Scalability in perception for autonomous driving: Waymo open dataset. In Proceedings of the IEEE/CVF conference on computer vision and pattern recognition (pp. 2443–2451).

  • Szegedy, C., Zaremba, W., Sutskever, I., Bruna, J., Erhan, D., Goodfellow, I., & Fergus, R. (2013). Intriguing properties of neural networks. In International conference on learning representations (pp. 1–10).

  • Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I., Boneh, D., & McDaniel, P. (2018). Ensemble adversarial training: Attacks and defenses. In International conference on learning representations.

  • Tsai, T., Yang, K., Ho, T. Y., & Jin, Y. (2020). Robust adversarial objects against deep learning models. In Proceedings of the AAAI conference on artificial intelligence (Vol. 34, pp. 954–962).

  • Tu, J., Li, H., Yan, X., Ren, M., Chen, Y., Liang, M., Bitar, E., Yumer, E., & Urtasun, R. (2021). Exploring adversarial robustness of multi-sensor perception systems in self driving. In 5th annual conference on robot learning (pp. 1–12).

  • Tu, J., Ren, M., Manivasagam, S., Liang, M., Yang, B., Du, R., Cheng, F., & Urtasun, R. (2020). Physically realizable adversarial examples for lidar object detection. In Proceedings of the IEEE/CVF conference on computer vision and pattern recognition, computer vision foundation (pp. 13713–13722). IEEE.

  • Wen, Y., Lin, J., Chen, K., Chen, C. P., & Jia, K. (2020). Geometry-aware generation of adversarial point clouds. IEEE Transactions on Pattern Analysis and Machine Intelligence, 44, 2984–2999.

    Article  Google Scholar 

  • Wicker, M., & Kwiatkowska, M. (2019). Robustness of 3d deep learning in an adversarial setting. In Proceedings of the IEEE/CVF conference on computer vision and pattern recognition (pp. 11767–11775).

  • Xiang, C., Qi, C. R., & Li, B. (2019). Generating 3d adversarial point clouds. In Proceedings of the IEEE/CVF conference on computer vision and pattern recognition (pp. 9136–9144).

  • Xu, W., Evans, D., & Qi, Y. (2017). Feature squeezing: Detecting adversarial examples in deep neural networks. arXiv preprint arXiv:1704.01155

  • Yan, Y., Mao, Y., & Li, B. (2018). Second: Sparsely embedded convolutional detection. Sensors, 18(10), 3337.

    Article  Google Scholar 

  • Yang, Z., Sun, Y., Liu, S., & Jia, J. (2020). 3dssd: Point-based 3d single stage object detector. In Proceedings of the IEEE/CVF conference on computer vision and pattern recognition (pp. 11040–11048).

  • Zhang, Y., Hu, Q., Xu, G., Ma, Y., Wan, J., & Guo, Y. (2022). Not all points are equal: Learning highly efficient point-based detectors for 3d lidar point clouds. In Proceedings of the IEEE/CVF conference on computer vision and pattern recognition (pp. 18953–18962).

  • Zheng, T., Chen, C., Yuan, J., Li, B., & Ren, K. (2019). Pointcloud saliency maps. In Proceedings of the IEEE/CVF international conference on computer vision (pp. 1598–1606).

  • Zhou, H., Chen, K., Zhang, W., Fang, H., Zhou, W., & Yu, N. (2019). Dup-net: Denoiser and upsampler network for 3d adversarial point clouds defense. In Proceedings of the IEEE/CVF international conference on computer vision (pp. 1961–1970).

  • Zhou, Y., & Tuzel, O. (2018). Voxelnet: End-to-end learning for point cloud based 3d object detection. In Proceedings of the IEEE/CVF conference on computer vision and pattern recognition (pp. 4490–4499).

Download references

Author information

Authors and Affiliations

  1. Department of Computer Science, City University of Hong Kong, Kowloon, Hong Kong

    Yifan Zhang & Junhui Hou

  2. Department of Electronic Engineering, The Chinese University of Hong Kong, Shatin, Hong Kong

    Yixuan Yuan

Authors
  1. Yifan Zhang
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Junhui Hou
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Yixuan Yuan
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding authors

Correspondence to Junhui Hou or Yixuan Yuan.

Ethics declarations

Conflict of interest

The authors declare that they do not have any commercial or associative interest that represents a conflict of interest in connection with the work submitted.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

This work was supported in part by the Hong Kong Research Grants Council under Grant 11202320 and Grant 11219422, and in part by the Hong Kong Innovation and Technology Fund under Grant MHP/117/21.

Appendices

Appendix

Table 18 The absolute mAP of various 3D detectors on the KITTI dataset under FGM-based point perturbation attacks with different \(\epsilon \) values
Full size table
Table 19 The absolute mAP of various 3D detectors on the KITTI dataset under MI-FGM-based point perturbation attacks with different \(\epsilon \) values
Full size table
Table 20 The absolute mAP of various 3D detectors on the KITTI dataset under PGD-based point perturbation attacks with different \(\epsilon \) values
Full size table
Table 21 The absolute mAP of various 3D detectors on the KITTI dataset under point detachment attacks with different ratios of dropped points
Full size table
Table 22 The absolute mAP of various 3D detectors on the KITTI dataset under point attachment attacks with different \(\epsilon \) values
Full size table
Table 23 The absolute mAP of various 3D detectors on the Waymo dataset under FGM-based point perturbation attacks with different \(\epsilon \) values
Full size table
Table 24 The absolute mAP of various 3D detectors on the Waymo dataset under MI-FGM-based point perturbation attacks with different \(\epsilon \) values
Full size table
Table 25 The absolute mAP of various 3D detectors on the Waymo dataset under PGD-based point perturbation attacks with different \(\epsilon \) values
Full size table
Table 26 The absolute mAP of various 3D detectors on the Waymo dataset under point detachment attacks with different ratios of dropped points
Full size table
Table 27 The absolute mAP of various 3D detectors on the Waymo dataset under point attachment attacks with different \(\epsilon \) values
Full size table

The appendix offers additional experimental results not covered in the main content. “Appendix A” presents quantitative results of detectors under adversarial attacks. In “Appendix B”, we provide qualitative illustrations of the adversarial attacks and the defense strategies we studied.

A. Result of Absolute mAP Under Attacks

In addition to the mAP ratio of detectors under adversarial attacks, we also report the absolute mAP values from Tables 18, 19, 20, 21, 22, 23, 24, 25, 26 and 27. As shown in Table 20, the PDV achieves the best detection accuracy on the clean input but sub-optimal performance under the PGD-based point perturbation attack. The result implies that we should also take the robustness of 3D detectors into consideration in addition to detection accuracy.

B. Visual Results

We present a qualitative analysis that helps us better understand the adversarial attacks against 3D object detectors and the effectiveness of defense.

In Fig. 11, we visually illustrate the detection results under PGD-based point perturbation attacks with varying \(\epsilon \) values. As the \(\epsilon \) value increases, indicating more pronounced perturbations, the performance of detectors tends to degrade. This decline is evidenced by more false-positive boxes and missed detections of objects. Besides, among the variety of detectors evaluated, the point-based ones, especially PointRCNN, seem to be more susceptible to this adversarial attack, revealing a crucial vulnerability.

Subsequently, Fig. 12 offers a granular perspective on the adversarial robustness of PointRCNN under varied point perturbation attack modalities. The iterative techniques, particularly the MI-FGM and PGD-based attacks, exhibit pronounced adversarial strength compared to the more single-step FGM method. Among these, the PGD-based attack conspicuously overshadows the rest in its disruptive prowess. This visual deduction is congruent with our quantitative findings presented in Sect. 6.2.

Turning to Fig. 13, we broach the subject of attack transferability It is interesting to see how an attack, originally crafted for PointRCNN, retains its disruptive capabilities when applied to other models. The visual results showcase increased false positives and overlooked objects, underscoring the wide-ranging effectiveness of such transferred attacks.

We also provide qualitative results in Fig. 14, we can clearly observe our proposed BAFT significantly improves the robustness of detectors under point perturbation attack. Besides, applying transformation-based defenses to the perturbed point clouds could slightly improve the robustness of detectors against adversarial attacks.

These visual representations not only offer a more intuitive understanding of the adversarial challenges but also highlight the specific vulnerabilities of prominent detection models.

Fig. 11
figure 11

Visual results of three detectors when PGD-based point perturbation attacks with various \(\epsilon \) values are applied. The predicted bounding boxes of car, pedestrian, and cyclist are visualized in green, cyan, and yellow, respectively. The ground-truth bounding boxes are visualized in red. Best viewed in color and zoom in for more details (Color figure online)

Full size image
Fig. 12
figure 12

Comparison of different types of point perturbation attacks applied on PointRCNN. The predicted bounding boxes of car, pedestrian, and cyclist are visualized in green, cyan, and yellow, respectively. The ground-truth bounding boxes are visualized in red. Best viewed in color and zoom in for more details (Color figure online)

Full size image
Fig. 13
figure 13

Detection results of state-of-the-art detectors on clean input and the transferred adversarial examples generated from PointRCNN under point perturbation attack. The predicted bounding boxes of car, pedestrian, and cyclist are visualized in green, cyan, and yellow, respectively. The ground-truth bounding boxes are visualized in red. Best viewed in color and zoom in for more details (Color figure online)

Full size image
Fig. 14
figure 14

Visual results of detectors on adversarial examples generated by point perturbation attack after applying various defenses. The predicted bounding boxes of car, pedestrian, and cyclist are visualized in green, cyan, and yellow, respectively. The ground-truth bounding boxes are visualized in red. Best viewed in color and zoom in for more details (Color figure online)

Full size image

Rights and permissions

Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Zhang, Y., Hou, J. & Yuan, Y. A Comprehensive Study of the Robustness for LiDAR-Based 3D Object Detectors Against Adversarial Attacks. Int J Comput Vis 132, 1592–1624 (2024). https://doi.org/10.1007/s11263-023-01934-3

Download citation

  • Received:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s11263-023-01934-3

Keywords

Search

Navigation