高斯劈裂攻击：基于高斯劈裂的多视角3D对抗性攻击

IF 7.6 1区计算机科学 Q1 COMPUTER SCIENCE, ARTIFICIAL INTELLIGENCE

Pattern Recognition Pub Date : 2025-09-28 DOI:10.1016/j.patcog.2025.112466

Lingzhuang Meng , Mingwen Shao , Yuanjian Qiao , Wenjie Liu , Xiang Lv

{"title":"高斯劈裂攻击：基于高斯劈裂的多视角3D对抗性攻击","authors":"Lingzhuang Meng , Mingwen Shao , Yuanjian Qiao , Wenjie Liu , Xiang Lv","doi":"10.1016/j.patcog.2025.112466","DOIUrl":null,"url":null,"abstract":"<div><div>Existing multi-view adversarial attack methods utilize Neural Radiance Fields (NeRF) to generate adversarial samples from different viewpoints of an object effectively deceiving deep neural networks. However, these methods <em>simply add noise to the rendered images and fail to construct explicit 3D adversarial samples</em> limited by the implicit representation of NeRF. To address the above limitation, we propose a novel <strong>G</strong>aussian <strong>S</strong>plitting <strong>Attack</strong> (<strong>GSAttack</strong>) scheme based on Gaussian Splatting to <strong>generate explicit 3D adversarial samples that deceive the classifier in various viewpoints</strong>. Specifically, we first quantify the contribution of each Gaussian based on its gradient in adversarial attack. Subsequently, we split tiny Gaussians from the high contribution Gaussians as initial 3D perturbations, which are then optimized by adversarial loss to ensure deception in diverse viewpoints. Furthermore, to ensure the invisibility of 3D perturbation, we devise position and color losses to make the perturbations tightly bound to the object surface and minimize the color differences. Owing to these ingenious designs, our 3D perturbations are more natural in space and effective attack neural network. Experimental results show that the 3D adversarial samples generated by our GSAttack can effectively deceive the classifier over a wider range of viewpoints and achieve superior visualization compared to existing schemes.</div></div>","PeriodicalId":49713,"journal":{"name":"Pattern Recognition","volume":"172 ","pages":"Article 112466"},"PeriodicalIF":7.6000,"publicationDate":"2025-09-28","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"Gaussian splitting attack: Gaussian splatting-based multi-view 3D adversarial attack\",\"authors\":\"Lingzhuang Meng , Mingwen Shao , Yuanjian Qiao , Wenjie Liu , Xiang Lv\",\"doi\":\"10.1016/j.patcog.2025.112466\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"<div><div>Existing multi-view adversarial attack methods utilize Neural Radiance Fields (NeRF) to generate adversarial samples from different viewpoints of an object effectively deceiving deep neural networks. However, these methods <em>simply add noise to the rendered images and fail to construct explicit 3D adversarial samples</em> limited by the implicit representation of NeRF. To address the above limitation, we propose a novel <strong>G</strong>aussian <strong>S</strong>plitting <strong>Attack</strong> (<strong>GSAttack</strong>) scheme based on Gaussian Splatting to <strong>generate explicit 3D adversarial samples that deceive the classifier in various viewpoints</strong>. Specifically, we first quantify the contribution of each Gaussian based on its gradient in adversarial attack. Subsequently, we split tiny Gaussians from the high contribution Gaussians as initial 3D perturbations, which are then optimized by adversarial loss to ensure deception in diverse viewpoints. Furthermore, to ensure the invisibility of 3D perturbation, we devise position and color losses to make the perturbations tightly bound to the object surface and minimize the color differences. Owing to these ingenious designs, our 3D perturbations are more natural in space and effective attack neural network. Experimental results show that the 3D adversarial samples generated by our GSAttack can effectively deceive the classifier over a wider range of viewpoints and achieve superior visualization compared to existing schemes.</div></div>\",\"PeriodicalId\":49713,\"journal\":{\"name\":\"Pattern Recognition\",\"volume\":\"172 \",\"pages\":\"Article 112466\"},\"PeriodicalIF\":7.6000,\"publicationDate\":\"2025-09-28\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Pattern Recognition\",\"FirstCategoryId\":\"94\",\"ListUrlMain\":\"https://www.sciencedirect.com/science/article/pii/S003132032501129X\",\"RegionNum\":1,\"RegionCategory\":\"计算机科学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q1\",\"JCRName\":\"COMPUTER SCIENCE, ARTIFICIAL INTELLIGENCE\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Pattern Recognition","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S003132032501129X","RegionNum":1,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, ARTIFICIAL INTELLIGENCE","Score":null,"Total":0}

引用次数: 0

摘要

现有的多视点对抗攻击方法利用神经辐射场（Neural Radiance Fields, NeRF）从目标的不同视点生成对抗样本，有效地欺骗深度神经网络。然而，这些方法只是在渲染图像中添加噪声，并且由于NeRF的隐式表示的限制，无法构建明确的3D对抗样本。为了解决上述限制，我们提出了一种基于高斯飞溅的新型高斯分裂攻击（GSAttack）方案，以生成显式的3D对抗样本，从不同的角度欺骗分类器。具体来说，我们首先根据每个高斯函数在对抗性攻击中的梯度来量化其贡献。随后，我们从高贡献高斯中分离出微小高斯作为初始三维扰动，然后通过对抗性损失进行优化，以确保在不同视点中欺骗。此外，为了保证三维摄动的不可见性，我们设计了位置和颜色损失，使摄动与物体表面紧密结合，使色差最小化。由于这些巧妙的设计，我们的三维扰动在空间上更加自然，有效的攻击神经网络。实验结果表明，与现有方案相比，我们的GSAttack生成的3D对抗样本可以在更大的视点范围内有效地欺骗分类器，并获得更好的可视化效果。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

Gaussian splitting attack: Gaussian splatting-based multi-view 3D adversarial attack

Existing multi-view adversarial attack methods utilize Neural Radiance Fields (NeRF) to generate adversarial samples from different viewpoints of an object effectively deceiving deep neural networks. However, these methods simply add noise to the rendered images and fail to construct explicit 3D adversarial samples limited by the implicit representation of NeRF. To address the above limitation, we propose a novel Gaussian Splitting Attack (GSAttack) scheme based on Gaussian Splatting to generate explicit 3D adversarial samples that deceive the classifier in various viewpoints. Specifically, we first quantify the contribution of each Gaussian based on its gradient in adversarial attack. Subsequently, we split tiny Gaussians from the high contribution Gaussians as initial 3D perturbations, which are then optimized by adversarial loss to ensure deception in diverse viewpoints. Furthermore, to ensure the invisibility of 3D perturbation, we devise position and color losses to make the perturbations tightly bound to the object surface and minimize the color differences. Owing to these ingenious designs, our 3D perturbations are more natural in space and effective attack neural network. Experimental results show that the 3D adversarial samples generated by our GSAttack can effectively deceive the classifier over a wider range of viewpoints and achieve superior visualization compared to existing schemes.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

Pattern Recognition 工程技术-工程：电子与电气

CiteScore

14.40

自引率

16.20%

发文量

683

审稿时长

5.6 months

期刊介绍： The field of Pattern Recognition is both mature and rapidly evolving, playing a crucial role in various related fields such as computer vision, image processing, text analysis, and neural networks. It closely intersects with machine learning and is being applied in emerging areas like biometrics, bioinformatics, multimedia data analysis, and data science. The journal Pattern Recognition, established half a century ago during the early days of computer science, has since grown significantly in scope and influence.