Transferable universal adversarial attack against 3D object detection with latent feature disruption

IF 3.7 2区计算机科学 Q1 COMPUTER SCIENCE, HARDWARE & ARCHITECTURE

Journal of Systems Architecture Pub Date : 2025-05-22 DOI:10.1016/j.sysarc.2025.103446

Mumuxin Cai , Xupeng Wang , Ferdous Sohel , Dian Xiao , Hang Lei

{"title":"Transferable universal adversarial attack against 3D object detection with latent feature disruption","authors":"Mumuxin Cai , Xupeng Wang , Ferdous Sohel , Dian Xiao , Hang Lei","doi":"10.1016/j.sysarc.2025.103446","DOIUrl":null,"url":null,"abstract":"<div><div>3D object detection models are highly vulnerable to adversarial attacks, which expose their weaknesses and when addressed, help improve the robustness of the models. Existing adversarial attack methods against LiDAR scene are typically optimized for a single sample and perform poorly in terms of transferability. Adversarial attacks with universal and transferable abilities can bring further guidelines for the robustness study of 3D object detection. In this paper, we propose a universal adversarial perturbation attack against 3D object detection models, which suppresses the detection results and disrupts the latent features simultaneously. Specifically, the universal adversarial perturbation is generated to launch sample-agnostic attacks, which is encoded in elaborate perturbation voxel units and is adaptive to varying scales of LiDAR scenes, as well as 3D object detectors with different point cloud representations. The proposed transferable attack focuses on the latent feature space and deviates the detectors at outputs of shallow layers. Moreover, a layer activation loss function is designed, which suppresses the significant features extracted by the backbone network. Extensive experiments on multiple popular 3D object detectors and large-scale datasets demonstrate that the proposed method achieves superior attack success rates, exposing critical robustness issues in current LiDAR-based 3D object detection models.</div></div>","PeriodicalId":50027,"journal":{"name":"Journal of Systems Architecture","volume":"166 ","pages":"Article 103446"},"PeriodicalIF":3.7000,"publicationDate":"2025-05-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Systems Architecture","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S1383762125001183","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, HARDWARE & ARCHITECTURE","Score":null,"Total":0}

引用次数: 0

Abstract

3D object detection models are highly vulnerable to adversarial attacks, which expose their weaknesses and when addressed, help improve the robustness of the models. Existing adversarial attack methods against LiDAR scene are typically optimized for a single sample and perform poorly in terms of transferability. Adversarial attacks with universal and transferable abilities can bring further guidelines for the robustness study of 3D object detection. In this paper, we propose a universal adversarial perturbation attack against 3D object detection models, which suppresses the detection results and disrupts the latent features simultaneously. Specifically, the universal adversarial perturbation is generated to launch sample-agnostic attacks, which is encoded in elaborate perturbation voxel units and is adaptive to varying scales of LiDAR scenes, as well as 3D object detectors with different point cloud representations. The proposed transferable attack focuses on the latent feature space and deviates the detectors at outputs of shallow layers. Moreover, a layer activation loss function is designed, which suppresses the significant features extracted by the backbone network. Extensive experiments on multiple popular 3D object detectors and large-scale datasets demonstrate that the proposed method achieves superior attack success rates, exposing critical robustness issues in current LiDAR-based 3D object detection models.

查看原文本刊更多论文

具有潜在特征干扰的三维目标检测的可转移通用对抗性攻击

3D对象检测模型非常容易受到对抗性攻击，这暴露了它们的弱点，当解决时，有助于提高模型的鲁棒性。现有的针对激光雷达场景的对抗性攻击方法通常针对单个样本进行了优化，并且在可转移性方面表现不佳。具有通用和可转移能力的对抗性攻击可以为三维目标检测的鲁棒性研究提供进一步的指导。在本文中，我们提出了一种针对三维目标检测模型的通用对抗性摄动攻击，该攻击可以抑制检测结果并同时破坏潜在特征。具体来说，生成通用的对抗性摄动来发起样本不可知攻击，该攻击被编码为精细的摄动体素单位，并自适应不同尺度的LiDAR场景，以及具有不同点云表示的3D目标探测器。提出的可转移攻击侧重于潜在特征空间，并在浅层输出处偏离检测器。设计了层激活损失函数，抑制骨干网提取的重要特征。在多个流行的3D目标检测器和大规模数据集上进行的大量实验表明，该方法具有较高的攻击成功率，揭示了当前基于lidar的3D目标检测模型的关键鲁棒性问题。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Journal of Systems Architecture 工程技术-计算机：硬件

CiteScore

8.70

自引率

15.60%

发文量

226

审稿时长

46 days

期刊介绍： The Journal of Systems Architecture: Embedded Software Design (JSA) is a journal covering all design and architectural aspects related to embedded systems and software. It ranges from the microarchitecture level via the system software level up to the application-specific architecture level. Aspects such as real-time systems, operating systems, FPGA programming, programming languages, communications (limited to analysis and the software stack), mobile systems, parallel and distributed architectures as well as additional subjects in the computer and system architecture area will fall within the scope of this journal. Technology will not be a main focus, but its use and relevance to particular designs will be. Case studies are welcome but must contribute more than just a design for a particular piece of software. Design automation of such systems including methodologies, techniques and tools for their design as well as novel designs of software components fall within the scope of this journal. Novel applications that use embedded systems are also central in this journal. While hardware is not a part of this journal hardware/software co-design methods that consider interplay between software and hardware components with and emphasis on software are also relevant here.