Physically Realizable Adversarial Examples for LiDAR Object Detection

by   James Tu, et al.
Princeton University

Modern autonomous driving systems rely heavily on deep learning models to process point cloud sensory data; meanwhile, deep models have been shown to be susceptible to adversarial attacks with visually imperceptible perturbations. Despite the fact that this poses a security concern for the self-driving industry, there has been very little exploration in terms of 3D perception, as most adversarial attacks have only been applied to 2D flat images. In this paper, we address this issue and present a method to generate universal 3D adversarial objects to fool LiDAR detectors. In particular, we demonstrate that placing an adversarial object on the rooftop of any target vehicle to hide the vehicle entirely from LiDAR detectors with a success rate of 80 attack results on a suite of detectors using various input representation of point clouds. We also conduct a pilot study on adversarial defense using data augmentation. This is one step closer towards safer self-driving under unseen conditions from limited training data.


page 3

page 7


Fooling LiDAR Perception via Adversarial Trajectory Perturbation

LiDAR point clouds collected from a moving vehicle are functions of its ...

Generating 3D Adversarial Point Clouds

Machine learning models especially deep neural networks (DNNs) have been...

Generating Unrestricted 3D Adversarial Point Clouds

Utilizing 3D point cloud data has become an urgent need for the deployme...

Exploring Adversarial Robustness of Multi-Sensor Perception Systems in Self Driving

Modern self-driving perception systems have been shown to improve upon p...

Towards Universal Physical Attacks On Cascaded Camera-Lidar 3D Object Detection Models

We propose a universal and physically realizable adversarial attack on a...

Adversarial Attacks on Camera-LiDAR Models for 3D Car Detection

Most autonomous vehicles (AVs) rely on LiDAR and RGB camera sensors for ...

Pattern-Aware Data Augmentation for LiDAR 3D Object Detection

Autonomous driving datasets are often skewed and in particular, lack tra...

1 Introduction

Modern autonomous driving systems use deep neural networks (DNNs) to process LiDAR point clouds in order to perceive the world

[20, 34, 45]. Despite introducing significant performance improvements, DNNs have been previously found to be vulnerable to adversarial attacks when using image inputs [35, 15, 18, 2], where a small perturbation in the input pixels can cause drastic changes in the output predictions. The potential vulnerabilities, in conjunction with the safety-critical nature of self-driving, motivate us to investigate the possibility of disrupting autonomous driving systems with adversarial attacks.

Image perturbations alone however, are not enough for modern autonomous driving systems, which are typically equipped with LiDAR sensors producing point clouds as the primary main sensory input. Several previous works have shown successful attacks [36, 39, 43] with point cloud perturbations, generating salient modifications by adding, removing, and modifying points. Although these attacks work in theory, arbitrary to point clouds are not always physically realizable. For instance, a given point cloud may be impossible to generate from a LiDAR sensor due to the lasers’ fixed angular frequencies and light projection geometry.

Towards generating physically realizable attacks, Cao et al. [7] propose to learn an adversarial mesh capable of generating adversarial point clouds with a LiDAR renderer. However, their work only considers learning an adversarial mesh for a few specific frames. As a result, the learned 3D object is not universal and may not be reused in other 3D scenes. Moreover, they have only evaluated their attack on a very small in-house dataset that contains around a few hundred frames.

Figure 1: In this work we produce a physically realizable adversarial object that can make vehicles “invisible”. After placing the object on the rooftop of a target vehicle, the vehicle will no longer be detected by a LiDAR detector.

In contrast to [7], we aim to learn a universal and physically realizable adversary. Furthermore, we craft 3D objects in a novel setting where they are placed on top of vehicles as rooftop cargo. Such objects can be used in any scene and on any types of small vehicles, and can hide the entire host vehicle from a strong LiDAR detector [41] with a success rate of 80% at IoU 0.7. By comparison, placing a random object on the rooftop only produces a small drop in detection accuracy. We evaluated our learned adversarial object on a suite of common LiDAR detector architectures that take in various kinds of input representations, and we also report transferability of attacks across these models. Lastly, we conduct a pilot study on adversarial defense using data augmentation and adversarial training. Applying defense mechanisms significantly decreases the likelihood of missing detections of vehicles with strange roof-top cargo, which is a rare-seen but practical scenario for self-driving cars.

The contributions of this paper can be summarized as follows:

  1. [noitemsep]

  2. We propose a universal adversarial attack on LiDAR detectors with physically realizable 3D meshes.

  3. We present a novel setting where the adversarial object makes the target vehicle invisible when placed on the vehicle rooftop.

  4. We report a thorough evaluation across different detector, each using different input representations.

  5. We present a successful defense mechanism via training with data augmentation.

In the following, we first review prior literature on adversarial attacks and in particular point cloud and 3D physical attacks. Next we present details of our proposed method to generate a physically realizable adversarial object, followed by empirical evaluations of our attack and defense on several LiDAR object detectors.

2 Related Work

Despite the impressive performance of deep learning models, they are surprisingly vulnerable to minuscule perturbations. Adversarial attacks add visually imperceptible noise to the input to drastically alters a neural network’s output and produce false predictions.

Image attacks:

Adversarial examples were first discovered in the context of image classification networks [35]. These vulnerabilities were later discovered in networks performing image detection and semantic segmentation as well [40]. Attacks can either be white box [15, 28, 26], where the target model’s weights are available, or black box [4, 29, 10], where the adversary can only query the outputs of the target model. Various defense mechanisms, including adversarial training [15, 26], denoiser [21]

, Bayes classifier 

[33], certified defense [37, 32] have been proposed, and shown effective on a certain range of attack types.

Point cloud attacks:

With the rise of LiDAR sensors in robotics applications such as self-driving, point cloud data has become a popular input representation. Some recent research demonstrated the possibility of adversarial attacks on networks that take point cloud data as input. [42] proposed to add, remove, or perturb points; whereas [39] added clusters of adversarial points. [44, 36] proposed saliency-based approaches for removing points. Several structured methods have been also introduced to perturb point clouds with the goal of preserving physical fidelity [23].

Physical world attacks:

Perturbing image pixels or point locations alone may not guarantee that the attack can happen in the physical world. To address this issue, several works have produced physical adversaries and expose real world threats. [18] studies whether the image pixel perturbations can be realized by a physical printer. [5] produces a universal and robust adversarial sticker. When placed on any image with any pose, the sticker induces a targeted false classification. [13] proposes to train the attack with different view angles and distances to make it robust. [2] synthesizes robust adversarial 3D objects capable of fooling image classifiers when rendered into an image from any angle. [43, 24] consider perturbing other photo-realistic properties such as shape normal and lighting, using a differentiable renderer. Nevertheless, in these approaches, the final outputs are still projected to 2D image space.

In the context of self-driving and LiDAR perception, [7] propose LidarAdv, a method to learn adversarial meshes to fool LiDAR detectors. Our work is different from theirs in several important ways. First, LidarAdv only considers one frame during learning and hence is input specific; whereas we train our adversary on all frames and all vehicles, creating a universal adversary. Second, our adversary can be placed on a vehicle roof to hide it, whereas their adversarial object does not interact with other real world objects. Lastly, we are the first to conduct a thorough evaluation of a physically realizable adversarial attack on a suite of detectors and on a public large scale LiDAR benchmark. Besides learning a physical mesh, [6] proposes to use laser devices to spoof LiDAR points. These laser devices, however, are more difficult to set up and it is not trivial to create consistent point clouds as the sensor moves.

3 Physically Realizable Adversarial Examples

Figure 2: Overall adversarial example generation pipeline. We start from a mesh representation, and use a LiDAR renderer to obtain the point clouds. By using roof approximation techniques, we attach the adversarial point cloud on top of the target vehicle, and we modify the mesh vertices so that the detection confidence score of the target vehicle is minimized.

In this section, we present our method for learning an adversarial object to attack LiDAR detectors. There are many possible ways to place an object in a scene for an adversarial effect, as explored in [7]. For example, one can hide the inserted adversarial object or change the object label (e.g., making the detector believe that the adversarial object is a pedestrian). In this paper, we instead focus on a novel setting, where we place the object on the rooftop of a vehicle and hide the vehicle from the detector, hence creating an “invisible” car, illustrated in Figure 2. Such a procedure can be easily reproduced in the real world and is also plausible even without the presence of a malicious attacker, since cars occasionally carry pieces of furniture or sports equipment on their rooftops.

For the rest of this section, we first describe the 3D representation of the adversarial example and how to render it into a point clouds. We then present our adversarial example generation algorithms. Lastly, a simple defense algorithm based on data augmentation is presented.

3.1 Surface Parameterization

Many parameterizations exist for 3D objects, including voxels, meshes, and implicit surfaces [16]. Voxels are easy to compute but require significantly more memory than the alternatives to produce a high level of detail. Implicit surfaces, on the other hand, provide compact representations but are harder to render since they require solving for the numerical roots of the implicit functions. In this paper, we choose to represent our adversary with a mesh since it benefits from compact representations and allows for efficient and precise rendering. Given a mesh, we can compute the exact intersections of rays analytically and in a differentiable manner. The latter is important since it allows us to take gradients efficiently for white box attacks. Furthermore, meshes have previously demonstrated high-fidelity shape generation results on faces and human bodies [3, 22].

During the learning of the adversarial mesh, following prior literature [25, 17]

, we deform a template mesh by adding local learnable displacement vectors

for each vertex and a global transformation for the entire mesh,


where is the initial vertex position, and is a global rotation matrix, and is a global translation vector. To ensure physical feasibility, box constraints are applied to the mesh vertices as well as the global translation.

In the experiments where we initialize the mesh from an isotropic sphere,

is fixed to be the identity matrix, since the sphere is rotation invariant. In the experiments where we deform common objects, we constrain

to be rotations on the - plane:


where is the learnable rotation angle.

Figure 3: Approximating rooftop from vehicle point clouds. We build a low dimensional representation of our vehicle object bank using PCA, and embed the target vehicle point clouds by optimizing the latent code. The top 0.2m is then cropped to be the rooftop region.

3.2 LiDAR Simulation

We aim to add an adversarial mesh into the scene in a realistic manner and choose the roof of vehicles as the location for placement, as placing objects on top is easier due to gravity and does not interfere with adjacent traffic. Furthermore, objects on top of vehicles are less prone to occlusion, whereas areas like the front hood or trunk top may be blocked by another vehicle. Finally, this is a realistic scenario as it common to strap furniture, canoes, bicycles, and other large items on top of vehicles. In this section we first describe how to render a mesh into LiDAR points. Next we introduce a technique to locate the rooftop region from a vehicle point cloud, where we can place the adversary.

LiDAR point rendering:

We then use location of the mesh in the scene to sample nearby rays with the same angular frequencies as the LiDAR sensor used to generate the original LiDAR scene. Given rays and mesh , the adversarial points are rendered with a differentiable raycaster . We compute the intersection of rays and mesh faces with the Moller-Trumbore intersection algorithm [27]. We refer readers to the supplementary materials for more details on this. Then, we take the union of the rendered adversarial points and the original points to create the modified scene.

Rooftop fitting:

To approximate the center of a vehicle’s roof from its point cloud, as illustrated in Figure 3, we first fit a CAD model to the point cloud. Inspired by [12], we represent our internal collection of vehicle models as signed distance functions (SDFs), denoting as , and project this library of vehicles into a latent space using PCA. Since SDFs implicitly represent 3D surfaces as its zero level-set, we optimize the latent code such that all ground truth vehicle points evaluate as close to 0 as possible. Concretely, given a vehicle bounding box , and a set of points within the box, we find the optimal latent code such that


We then apply marching cubes [16] on to obtain a fitted CAD model. Lastly, we use vertices within the top 0.2m vertical range of the CAD model to approximate the roof region.

During the attack, we place the adversarial mesh with a fixed pose relative to the roof center of a target vehicle. Given a vehicle bounding box , we compute the roof center and apply transformation matrix


on the adversarial object.

3.3 Adversarial Example Generation

In this section, we first introduce the objective function being optimized to learn adversarial examples. Both white box and black box attack algorithms are presented next.

3.3.1 Objective

The overall loss function is a combination of the adversarial loss and the Laplacian loss for mesh smoothness:


To generate an adversarial example, we search for vertex perturbation and global transformation parameters that minimize the loss function.

For the adversarial loss, following prior work [40], we also find it necessary to suppress all relevant bounding box proposals. A proposal is relevant if 1) its confidence score is greater than 0.1 and 2) if its IoU with the ground truth bounding box is also greater than 0.1.

Our adversarial objective minimizes the confidence of the relevant candidates:


where is the set of relevant bounding box proposals and each proposal has a confidence score . We use binary cross entropy to minimize the confidence score of the relevant proposals, weighed by the IoU with the ground truth bounding box . Here, we choose to target negative classification labels instead of other bounding box parameters because missing detections are the most problematic.

In addition, a Laplacian loss [25] is applied to regularize mesh geometry and maintain surface smoothness:


where is the distance from to the centroid of its immediate neighbors :


3.3.2 Attack Algorithms

In this section we provide details for both white box and black box attacks for learning mesh vertices.

White box attack:

In a white box setting, we simulate the addition of the adversary in a differentiable manner, and hence can take the gradient from the objective to the mesh vertices. In addition, we re-parameterize local and global displacement vectors to apply box constraints, as [8] have demonstrated issues with other alternatives. Specifically, since clipping parameters during projected gradient descent creates a disparity between parameter updates and momentum updates, we instead re-parameterize mesh vertices to inherently obey box constraints:

where denotes element-wise multiplication,

denotes the sigmoid function,

define limits on size, and define limits on translation. is the normalized initial position of vertex and is the normalized global translation. The function constrains each vertex to stay in its initial quadrant.

Black box attack:

A gradient-based attack is not always feasible in point cloud perception due to non-differentiable preprocessing stages that are common in modern point cloud detection models [41, 19]. For example, models like PIXOR [41]

represent the input as occupancy voxels, preventing gradients from reaching the point cloud. To address this problem, we employ a genetic algorithm

[1] to update the mesh parameters. Here, a population of candidates meshes are evolved to maximize the fitness score

. At every iteration, the candidate with the highest fitness is preserved while the rest are replaced. New candidates are generated by sampling mesh parameters from a pair of old candidates, with sampling probability proportional to fitness score. We then add gaussian noise to some new candidates sampled with a mutation probability. To jointly optimize over all samples, we perform inference on multiple examples and take the average fitness score at each iteration. In this black box setting, we find re-parameterization unnecessary for gradient-free optimization.

3.4 Defense Mechanisms

Given that rooftop objects are rarely observed in the training distribution and that our attack produces examples that are heavily out-of-distribution, we first propose random data augmentation as a simple defense mechanism. Next, we consider adversarial training [8] for a stronger defense against adversarial attacks.

Data augmentation:

When training with data augmentation, in every frame we generate a random watertight mesh and place it on a random vehicle using the methods presented previously. This method is not specific to the type of optimization employed by the attacker (e.g. white box or black box) and hence may generalize better when compared to regular adversarial training [15].

To generate a random watertight mesh, we first sample a set of vertices from a Gaussian and apply incremental triangulation to obtain a set of connected tetrahedrons . We then stochastically remove boundary tetrahedrons that do not disconnect into separate components. Finally, we take the remaining boundary faces of to obtain a watertight surface.

Adversarial training:

While adversarial training has empirically been found to be robust, it is expensive and infeasible when the cost of training an adversary is high. Thus, we employ a method similar to [38] and take one mesh update step per model update instead of a full optimization cycle. During training, the adversary is randomly re-initialized every steps using the same mesh generation method.

4 Experiments

In this section, we first discuss the datasets and models used in our experiments in Section 4.1 and 4.2, and the experimental setup in Section 4.3. We then present experimental results on 1) white box and black box attacks, 2) attacks and transferability on various detection backbones, 3) common object attacks, and 4) adversarial defense using data augmentation training.

Figure 4: Visualization of our universal adversarial object hiding different car instances at various orientations and locations.
SourceTarget PIXOR-1 PIXOR-2 PIXOR-1 77.3% 53.9% PIXOR-2 73.5% 72.1%
Table 1: Attack transferability between two PIXOR models with different seeds.
SourceTarget PIXOR PIXOR (d) PointRCNN PointPillar PIXOR [41] 77.3% 66.0% 20.1% 8.2% PIXOR (density) [41] 66.4% 80.9% 20.0% 7.7% PointRCNN [34] 33.3% 33.7% 32.3% 20.5% PointPillar [19] 54.9% 38.4% 28.4% 57.5%
Table 2: Attack transferability among different detector models.

4.1 Datasets

We use the KITTI dataset [14] for training and evaluation of our attacks. KITTI contains LiDAR point clouds and 3D bounding box labels for objects seen by the front camera of the autonomous vehicle. For our experiments, we focus on the “Car” class only and consider each object in a scene as a separate sample. Since our method relies on fitting meshes to point clouds, we discard all samples with less than 10 points. This results in 6864 vehicles in the training set and 6544 vehicles in the validation set. We do not use the test set as labels are not publicly available. For evaluation we only consider bounding boxes from a bird’s eye view.

4.2 Target LIDAR Detector Models

In this work, we attack detector models that process point clouds exclusively without any auxiliary inputs, since we only learn the shape of the adversarial mesh. We cover a variety of detector architectures with different input representations of the point cloud. Specifically we consider the following models:

  • [noitemsep]

  • PIXOR [41] is a detection network that processes input point clouds into occupancy voxels and generates bounding boxes in a bird’s eye view.

  • PIXOR (density)

    is a variant of PIXOR using density voxels as inputs. The value of each voxel is calculated from bilinear interpolation of nearby points’ distance to the voxel center:

    . The density variant allows us to compute gradients to point clouds easier.

  • PointRCNN [34] does not voxelize and instead processes the raw point cloud directly using a PointNet++ [31] backbone.

  • PointPillar [19] groups input points into discrete bins from BEV and uses PointNet [30] to extract features for each pillar.

Since we limit to the scope of learning the mesh shape only, we use the version of the above detectors that do not take LiDAR intensity as input.

4.3 Experimental Setup

Implementation details:

In our experiments, we initialize the adversarial mesh to be a unit isotropic sphere with 162 vertices and 320 faces and scale it by (0.7m, 0.7m, 0.5m). Maximum global offset is 0.1m on the direction and no offset is allowed on the direction to prevent the mesh from moving into the vehicle or hovering in mid air. For the Laplacian loss, we set . During simulation, rays are sampled according to specs of the Velodyne HDL-64E sensor used to generate the datasets.

For the gradient-based optimization in white box attacks, we use Adam with learning rate 0.005. For the genetic algorithm in black box attacks, we initialize mutation std at 0.05, mutation probability at 0.01, use a population size of 16, and average 100 queries to compute fitness. We decay the mutation std and probability by a factor of 0.5 if the running fitness has not improved in 100 generations.

4.4 Evaluation Metrics

We consider the following two metrics for attack quality:

  • [leftmargin=*, noitemsep]

  • Attack success rate: Attack success rate measures the percentage at which the target vehicle is successfully detected originally and but not detected after the attack. We consider a vehicle successfully detected if the output IoU is greater than 0.7.

  • Recall-IoU curve: Since attack success rate depends on the IoU threshold, we also plot the recall percentage at a range of IoU threshold to get a more thorough measure of attack quality.

Figure 5: Visualization of detection recall across range of IoUs for PIXOR with density voxels. Difference between white box and black box attacks is very small. Initial mesh does not affect detection as much as adversarial mesh.

4.5 Results and Discussion

Comparison of White Box and Black Box

We conduct a white box and black box attack on a variant of PIXOR with density voxels. We visualize the IoU-recall curve for both experiments in Figure 5. and show that the attacks significantly drop the recall. When we use the initial icosphere mesh as a baseline, it has little impact on detection even though it is of the same size as the adversary. We further compare our black box attack against the white box alternative and show that they achieve similar performance.

Figure 6: IoU-Recall curve for black box attacks on different detector architectures.
Figure 7: Bird’s eye view visualization of attack success rate at various locations in the scene using different detector models.
Transferability Across Identical Architectures

We investigate the transferability of adversarial examples across similar models. To this end, we train two variations of the original PIXOR model using different seeds and learn adversarial meshes for each model separately. We then evaluate transferability between the pair of models using attack success rate as the metric. Results are summarized in Table 2 and there is a high degree of transferability between models with identical architecture. This allows strong transfer attacks with only knowledge of model architecture. [29].

Object Initial Success Classification Adversarial Success Classification Dimensions
Couch 23.3% 93.1 % 68.6% 93.8 % 1.69m x 0.85m x 0.94m
Canoe 26.9% 99.6 % 59.5% 99.9 % 3.51m x 0.81m x 0.68m
Table 18.9% 99.8 % 48.0% 99.7 % 1.57m x 0.83m x 0.86m
Cabinet 20.7% 93.4 % 54.1% 94.2 % 1.29m x 0.91m x 0.76m
Chair 14.1% 99.9 % 23.3% 99.9 % 1.42m x 0.64m x 0.71m
Bike 19.6% 94.4 % 32.4% 92.3 % 1.70m x 0.76m x 1.08m
Table 3: Adversaries resembling common objects that could appear on the rooftop. Attack success rates on the initial and adversarial configurations are shown. A ShapeNet classifier stably recognizes our adversaries as the correct object class.
Arbitrary Couch Canoe Table Cabinet Chair Bike AP
Original 77.3% 68.6% 59.5% 48.0% 54.1% 23.3% 32.4% 74.37
Augmentation 14.4% 12.4% 19.6% 11.5% 7.3% 6.6% 14.0% 74.92
Adv Train 10.8% 5.6% 18.7% 4.9% 5.3% 6.3% 11.4% 73.97
Table 4: Attack success rates before and after applying defense training on PIXOR. In the final column, we evaluate the models on the standard KITTI validation set and show the average precision (AP) at 0.7 IoU.
Transferability Across Input Representations

In this section we attack four models described in Section 4.2, and use only black box attacks due to non-differentiable layers in some models. We provide IoU-Recall curves in Figure 6. Again, transferability between the models is considered and results are shown in Table 2.

First, our attack is able to hide objects with high probability on the PIXOR models and PointPillar but is significantly weaker on PointRCNN. We hypothesize that this is because PointRCNN treats every point as a bounding box anchor. Therefore, vehicles close to the sensor register significantly more LiDAR points and proposals, making it extremely difficult to suppress all proposals. We verify this hypothesis by visualizing the attack success rate at various locations across the scene in Figure 7. The success rate on attacking PointRCNN is close to 0 near the LiDAR sensor but grows substantially higher as the distance to the sensor increases and the number of points decreases.

In terms of transferability, the occupancy and density variants of PIXOR can share a significant portion of adversarial examples. The attacks generated from PointPillar and PointRCNN can also be used to attack PIXOR, but not vice versa. This suggests that additional layers of point-level reasoning before aggregating on the -dimension probably make the model more robust to rooftop objects.

In addition, two variations of PIXOR have different vulnerable regions even though they share the same backbone. Specifically, we note that vehicles close to the LiDAR sensor are the easiest targets when using a density voxel input representation. In contrast, vehicles closeby are the most robust to attacks when using occupancy voxels. We speculate that this is an effect of the input precision. For density voxels, the number of points is significantly higher near the LiDAR sensor, contributing to higher input precision, whereas occupancy voxels can only show a binary indicator whether a voxel contains a point or not.

Figure 8: We perform our attack on two similar models. PIXOR converts the input point cloud to occupancy voxels and PIXOR* separates points into columns and extracts features with a pointnet backbone. Although the models have the same backbone architecture, PIXOR* is significantly more robust due to the input representation.

Based on the above observations, we conclude that the choice of input representation and detection scheme may have significant implications on robustness to adversarial examples. For a more concrete comparison, we consider a variant of PIXOR using PointPillar’s pillar representation instead of voxelization and keep the backbone architecture identical. We compare this variant, PIXOR* against PIXOR and show the results in Figure 8. Here, we can see that with even with identical backbones and training routines, PIXOR* is significantly more robust to our attack purely due to a different input representation.

Common Objects

In this section, to make attacks more realistic, we learn adversaries that resemble common objects that may appear on top of a vehicle in the real world. Instead of deforming an icosphere, we initialize from a common object mesh and deform the vertices while constraining the maximum perturbation distances. We choose couch, chair, table, bike, and canoe as six common object classes, and we take the object meshes from ShapeNet [9]. We apply uniform mesh re-sampling in meshlab [11] to reduce the number of faces and produce regular geometry prior to deformation. In these experiments we limit the maximum vertex perturbation to 0.03m so that the adversary will resemble the common object, and limit translation to 0.1m, and allow free rotation. In Table 3, we present the visualizations, results, and dimensions of the common objects. Moreover, the identity of the adversarial objects are unambiguous to a human, and we also verify that a PointNet [31] classifier trained on ShapeNet [9] is also able to correctly classify our perturbed objects. This confirms the possibility that the placement of common objects can also hurt LiDAR detectors.

Adversarial Defense

We employ our proposed defense methods by retraining a PIXOR model with random data augmentation and adversarial training. To generate random meshes for data augmentation, we uniformly sample from , from , and we sample vertices from Gaussian . If all tetrahedrons are removed by decimation, the sampling process restarts. During training, for every scene we sample one vehicle at random for data augmentation. We only augment vehicles with at least 10 points in the scene, otherwise it is too difficult to fit a mesh for roof approximation. During adversarial training, we set and alternate between updating the mesh and the model.

For evaluation, we re-train an adversarial mesh on the defended model and observe that the attack success rate is reduced significantly, as shown in Table 4. In addition, we also launch attacks with common objects on the defended model and observe similar findings. Furthermore, for the standard detection task, our defended models achieve similar or better performance when evaluated on the KITTI validation set. Nevertheless, the defense is not yet perfect since there is still 5-20% attack success rate remaining. With more computational resources, full adversarial training could possibly close this gap.

5 Conclusion

We propose a robust, universal, and physical realizable adversarial example capable of hiding vehicles from LiDAR detectors. An attacker can 3D print the mesh and place it on any vehicle to make it “invisible” without prior knowledge of the scene. The attack will consistently cause target vehicles to disappear, severely impeding downstream tasks in autonomous driving systems. Even without any malicious intent, we show that problematic shapes can coincidentally appear with common objects such as a sofa. We further show that training with data augmentation using random meshes can significantly improve the robustness, but unfortunately still not 100% secure against our attack. By demonstrating the vulnerability of LiDAR perception against universal 3D adversarial objects, we emphasize the need for more robust models in safety-critical robotics applications like self-driving.


  • [1] M. Alzantot, Y. Sharma, S. Chakraborty, H. Zhang, C. Hsieh, and M. B. Srivastava (2019) Genattack: practical black-box attacks with gradient-free optimization. In

    Proceedings of the Genetic and Evolutionary Computation Conference

    pp. 1111–1119. Cited by: §3.3.2.
  • [2] A. Athalye, L. Engstrom, A. Ilyas, and K. Kwok (2018) Synthesizing robust adversarial examples. Cited by: §1, §2.
  • [3] T. Bagautdinov, C. Wu, J. Saragih, P. Fua, and Y. Sheikh (2018) Modeling facial geometry using compositional vaes. In CVPR, Cited by: §3.1.
  • [4] W. Brendel, J. Rauber, and M. Bethge (2018)

    Decision-based adversarial attacks: reliable attacks against black-box machine learning models

    In ICLR, Cited by: §2.
  • [5] T. B. Brown, D. Mané, A. Roy, M. Abadi, and J. Gilmer (2017) Adversarial patch. arXiv preprint arXiv:1712.09665. Cited by: §2.
  • [6] Y. Cao, C. Xiao, B. Cyr, Y. Zhou, W. Park, S. Rampazzi, Q. A. Chen, K. Fu, and Z. M. Mao (2019) Adversarial sensor attack on lidar-based perception in autonomous driving. In CCS, Cited by: §2.
  • [7] Y. Cao, C. Xiao, D. Yang, J. Fang, R. Yang, M. Liu, and B. Li (2019) Adversarial objects against lidar-based autonomous driving systems. arXiv preprint arXiv:1907.05418. Cited by: §1, §1, §2, §3.
  • [8] N. Carlini and D. Wagner (2017) Towards evaluating the robustness of neural networks. In SP, Cited by: §3.3.2, §3.4.
  • [9] A. X. Chang, T. A. Funkhouser, L. J. Guibas, P. Hanrahan, Q. Huang, Z. Li, S. Savarese, M. Savva, S. Song, H. Su, J. Xiao, L. Yi, and F. Yu (2015) ShapeNet: an information-rich 3d model repository. CoRR abs/1512.03012. Cited by: §4.5.
  • [10] P. Chen, H. Zhang, Y. Sharma, J. Yi, and C. Hsieh (2017) ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In AISec@CCS, Cited by: §2.
  • [11] P. Cignoni, M. Callieri, M. Corsini, M. Dellepiane, F. Ganovelli, and G. Ranzuglia (2008)

    MeshLab: an Open-Source Mesh Processing Tool

    In Eurographics Italian Chapter Conference, V. Scarano, R. D. Chiara, and U. Erra (Eds.), External Links: ISBN 978-3-905673-68-5, Document Cited by: §4.5.
  • [12] F. Engelmann, J. Stückler, and B. Leibe (2017) SAMP: shape and motion priors for 4d vehicle reconstruction. In WACV, pp. 400–408. Cited by: §3.2.
  • [13] K. Eykholt, I. Evtimov, E. Fernandes, B. Li, A. Rahmati, C. Xiao, A. Prakash, T. Kohno, and D. Song (2018) Robust physical-world attacks on deep learning visual classification. In CVPR, Cited by: §2.
  • [14] A. Geiger, P. Lenz, and R. Urtasun (2012) Are we ready for autonomous driving? the kitti vision benchmark suite. In CVPR, Cited by: §4.1.
  • [15] I. J. Goodfellow, J. Shlens, and C. Szegedy (2015) Explaining and harnessing adversarial examples. ICLR. Cited by: §1, §2, §3.4.
  • [16] J. F. Hughes, A. V. Dam, M. McGuire, D. F. Sklar, J. D. Foley, S. K. Feiner, and K. Akeley (1996) Computer graphics: principles and practice. Vol. 12110, Addison-Wesley Professional. Cited by: §3.1, §3.2.
  • [17] H. Kato, Y. Ushiku, and T. Harada (2018) Neural 3d mesh renderer. In CVPR, Cited by: §3.1.
  • [18] A. Kurakin, I. J. Goodfellow, and S. Bengio (2017) Adversarial examples in the physical world. In ICLR Workshop, Cited by: §1, §2.
  • [19] A. H. Lang, S. Vora, H. Caesar, L. Zhou, J. Yang, and O. Beijbom (2019) PointPillars: fast encoders for object detection from point clouds. In CVPR, Cited by: §3.3.2, 4th item, Table 2.
  • [20] M. Liang, B. Yang, Y. Chen, R. Hu, and R. Urtasun (2019) Multi-task multi-sensor fusion for 3d object detection. In CVPR, Cited by: §1.
  • [21] F. Liao, M. Liang, Y. Dong, T. Pang, X. Hu, and J. Zhu (2018) Defense against adversarial attacks using high-level representation guided denoiser. In CVPR, Cited by: §2.
  • [22] O. Litany, A. Bronstein, M. Bronstein, and A. Makadia (2018)

    Deformable shape completion with graph convolutional autoencoders

    In CVPR, Cited by: §3.1.
  • [23] D. Liu, R. Yu, and H. Su (2019) Adversarial point perturbations on 3d objects. arXiv preprint arXiv:1908.06062. Cited by: §2.
  • [24] H. D. Liu, M. Tao, C. Li, D. Nowrouzezahrai, and A. Jacobson (2019) Beyond pixel norm-balls: parametric adversaries using an analytically differentiable renderer. In ICLR, Cited by: §2.
  • [25] S. Liu, W. Chen, T. Li, and H. Li (2019) Soft rasterizer: differentiable rendering for unsupervised single-view mesh reconstruction. Cited by: §3.1, §3.3.1.
  • [26] A. Madry, A. Makelov, L. Schmidt, D. Tsipras, and A. Vladu (2018) Towards deep learning models resistant to adversarial attacks. In ICLR, Cited by: §2.
  • [27] T. Möller and B. Trumbore (1997-10) Fast, minimum storage ray-triangle intersection. J. Graph. Tools 2 (1), pp. 21–28. External Links: ISSN 1086-7651, Link, Document Cited by: §3.2.
  • [28] S. Moosavi-Dezfooli, A. Fawzi, and P. Frossard (2016) DeepFool: A simple and accurate method to fool deep neural networks. In CVPR, Cited by: §2.
  • [29] N. Papernot, P. D. McDaniel, I. J. Goodfellow, S. Jha, Z. B. Celik, and A. Swami (2017) Practical black-box attacks against machine learning. In AsiaCCS, Cited by: §2, §4.5.
  • [30] C. R. Qi, H. Su, K. Mo, and L. J. Guibas (2017) PointNet: deep learning on point sets for 3d classification and segmentation. In CVPR, Cited by: 4th item.
  • [31] C. R. Qi, L. Yi, H. Su, and L. J. Guibas (2017) Pointnet++: deep hierarchical feature learning on point sets in a metric space. In NIPS, Cited by: 3rd item, §4.5.
  • [32] A. Raghunathan, J. Steinhardt, and P. Liang (2018) Certified defenses against adversarial examples. In ICLR, Cited by: §2.
  • [33] L. Schott, J. Rauber, M. Bethge, and W. Brendel (2019) Towards the first adversarially robust neural network model on MNIST. In ICLR, Cited by: §2.
  • [34] S. Shi, X. Wang, and H. Li (2019) PointRCNN: 3d object proposal generation and detection from point cloud. In CVPR, Cited by: §1, 3rd item, Table 2.
  • [35] C. Szegedy, W. Zaremba, I. Sutskever, J. Bruna, D. Erhan, I. Goodfellow, and R. Fergus (2014) Intriguing properties of neural networks. ICLR. Cited by: §1, §2.
  • [36] M. Wicker and M. Kwiatkowska (2019) Robustness of 3d deep learning in an adversarial setting. In CVPR, Cited by: §1, §2.
  • [37] E. Wong and J. Z. Kolter (2018) Provable defenses against adversarial examples via the convex outer adversarial polytope. In ICML, Cited by: §2.
  • [38] E. Wong, L. Rice, and J. Z. Kolter (2020) Fast is better than free: revisiting adversarial training. In International Conference on Learning Representations, External Links: Link Cited by: §3.4.
  • [39] C. Xiang, C. R. Qi, and B. Li (2019) Generating 3d adversarial point clouds. In CVPR, Cited by: §1, §2.
  • [40] C. Xie, J. Wang, Z. Zhang, Y. Zhou, L. Xie, and A. Yuille (2017) Adversarial examples for semantic segmentation and object detection. In ICCV, Cited by: §2, §3.3.1.
  • [41] B. Yang, W. Luo, and R. Urtasun (2018) PIXOR: real-time 3d object detection from point clouds. In CVPR, Cited by: §1, §3.3.2, 1st item, Table 2.
  • [42] J. Yang, Q. Zhang, R. Fang, B. Ni, J. Liu, and Q. Tian (2019) Adversarial attack and defense on point sets. arXiv preprint arXiv:1902.10899. Cited by: §2.
  • [43] X. Zeng, C. Liu, Y. Wang, W. Qiu, L. Xie, Y. Tai, C. Tang, and A. L. Yuille (2019) Adversarial attacks beyond the image space. In CVPR, Cited by: §1, §2.
  • [44] T. Zheng, C. Chen, J. Yuan, B. Li, and K. Ren (2019) PointCloud saliency maps. In ICCV, Cited by: §2.
  • [45] Y. Zhou and O. Tuzel (2018) VoxelNet: end-to-end learning for point cloud based 3d object detection. In CVPR, Cited by: §1.