Modern autonomous driving systems use deep neural networks (DNNs) to process LiDAR point clouds in order to perceive the world[20, 34, 45]. Despite introducing significant performance improvements, DNNs have been previously found to be vulnerable to adversarial attacks when using image inputs [35, 15, 18, 2], where a small perturbation in the input pixels can cause drastic changes in the output predictions. The potential vulnerabilities, in conjunction with the safety-critical nature of self-driving, motivate us to investigate the possibility of disrupting autonomous driving systems with adversarial attacks.
Image perturbations alone however, are not enough for modern autonomous driving systems, which are typically equipped with LiDAR sensors producing point clouds as the primary main sensory input. Several previous works have shown successful attacks [36, 39, 43] with point cloud perturbations, generating salient modifications by adding, removing, and modifying points. Although these attacks work in theory, arbitrary to point clouds are not always physically realizable. For instance, a given point cloud may be impossible to generate from a LiDAR sensor due to the lasers’ fixed angular frequencies and light projection geometry.
Towards generating physically realizable attacks, Cao et al.  propose to learn an adversarial mesh capable of generating adversarial point clouds with a LiDAR renderer. However, their work only considers learning an adversarial mesh for a few specific frames. As a result, the learned 3D object is not universal and may not be reused in other 3D scenes. Moreover, they have only evaluated their attack on a very small in-house dataset that contains around a few hundred frames.
In contrast to , we aim to learn a universal and physically realizable adversary. Furthermore, we craft 3D objects in a novel setting where they are placed on top of vehicles as rooftop cargo. Such objects can be used in any scene and on any types of small vehicles, and can hide the entire host vehicle from a strong LiDAR detector  with a success rate of 80% at IoU 0.7. By comparison, placing a random object on the rooftop only produces a small drop in detection accuracy. We evaluated our learned adversarial object on a suite of common LiDAR detector architectures that take in various kinds of input representations, and we also report transferability of attacks across these models. Lastly, we conduct a pilot study on adversarial defense using data augmentation and adversarial training. Applying defense mechanisms significantly decreases the likelihood of missing detections of vehicles with strange roof-top cargo, which is a rare-seen but practical scenario for self-driving cars.
The contributions of this paper can be summarized as follows:
We propose a universal adversarial attack on LiDAR detectors with physically realizable 3D meshes.
We present a novel setting where the adversarial object makes the target vehicle invisible when placed on the vehicle rooftop.
We report a thorough evaluation across different detector, each using different input representations.
We present a successful defense mechanism via training with data augmentation.
In the following, we first review prior literature on adversarial attacks and in particular point cloud and 3D physical attacks. Next we present details of our proposed method to generate a physically realizable adversarial object, followed by empirical evaluations of our attack and defense on several LiDAR object detectors.
2 Related Work
Despite the impressive performance of deep learning models, they are surprisingly vulnerable to minuscule perturbations. Adversarial attacks add visually imperceptible noise to the input to drastically alters a neural network’s output and produce false predictions.
Adversarial examples were first discovered in the context of image classification networks . These vulnerabilities were later discovered in networks performing image detection and semantic segmentation as well . Attacks can either be white box [15, 28, 26], where the target model’s weights are available, or black box [4, 29, 10], where the adversary can only query the outputs of the target model. Various defense mechanisms, including adversarial training [15, 26], denoiser 
, Bayes classifier, certified defense [37, 32] have been proposed, and shown effective on a certain range of attack types.
Point cloud attacks:
With the rise of LiDAR sensors in robotics applications such as self-driving, point cloud data has become a popular input representation. Some recent research demonstrated the possibility of adversarial attacks on networks that take point cloud data as input.  proposed to add, remove, or perturb points; whereas  added clusters of adversarial points. [44, 36] proposed saliency-based approaches for removing points. Several structured methods have been also introduced to perturb point clouds with the goal of preserving physical fidelity .
Physical world attacks:
Perturbing image pixels or point locations alone may not guarantee that the attack can happen in the physical world. To address this issue, several works have produced physical adversaries and expose real world threats.  studies whether the image pixel perturbations can be realized by a physical printer.  produces a universal and robust adversarial sticker. When placed on any image with any pose, the sticker induces a targeted false classification.  proposes to train the attack with different view angles and distances to make it robust.  synthesizes robust adversarial 3D objects capable of fooling image classifiers when rendered into an image from any angle. [43, 24] consider perturbing other photo-realistic properties such as shape normal and lighting, using a differentiable renderer. Nevertheless, in these approaches, the final outputs are still projected to 2D image space.
In the context of self-driving and LiDAR perception,  propose LidarAdv, a method to learn adversarial meshes to fool LiDAR detectors. Our work is different from theirs in several important ways. First, LidarAdv only considers one frame during learning and hence is input specific; whereas we train our adversary on all frames and all vehicles, creating a universal adversary. Second, our adversary can be placed on a vehicle roof to hide it, whereas their adversarial object does not interact with other real world objects. Lastly, we are the first to conduct a thorough evaluation of a physically realizable adversarial attack on a suite of detectors and on a public large scale LiDAR benchmark. Besides learning a physical mesh,  proposes to use laser devices to spoof LiDAR points. These laser devices, however, are more difficult to set up and it is not trivial to create consistent point clouds as the sensor moves.
3 Physically Realizable Adversarial Examples
In this section, we present our method for learning an adversarial object to attack LiDAR detectors. There are many possible ways to place an object in a scene for an adversarial effect, as explored in . For example, one can hide the inserted adversarial object or change the object label (e.g., making the detector believe that the adversarial object is a pedestrian). In this paper, we instead focus on a novel setting, where we place the object on the rooftop of a vehicle and hide the vehicle from the detector, hence creating an “invisible” car, illustrated in Figure 2. Such a procedure can be easily reproduced in the real world and is also plausible even without the presence of a malicious attacker, since cars occasionally carry pieces of furniture or sports equipment on their rooftops.
For the rest of this section, we first describe the 3D representation of the adversarial example and how to render it into a point clouds. We then present our adversarial example generation algorithms. Lastly, a simple defense algorithm based on data augmentation is presented.
3.1 Surface Parameterization
Many parameterizations exist for 3D objects, including voxels, meshes, and implicit surfaces . Voxels are easy to compute but require significantly more memory than the alternatives to produce a high level of detail. Implicit surfaces, on the other hand, provide compact representations but are harder to render since they require solving for the numerical roots of the implicit functions. In this paper, we choose to represent our adversary with a mesh since it benefits from compact representations and allows for efficient and precise rendering. Given a mesh, we can compute the exact intersections of rays analytically and in a differentiable manner. The latter is important since it allows us to take gradients efficiently for white box attacks. Furthermore, meshes have previously demonstrated high-fidelity shape generation results on faces and human bodies [3, 22].
, we deform a template mesh by adding local learnable displacement vectorsfor each vertex and a global transformation for the entire mesh,
where is the initial vertex position, and is a global rotation matrix, and is a global translation vector. To ensure physical feasibility, box constraints are applied to the mesh vertices as well as the global translation.
In the experiments where we initialize the mesh from an isotropic sphere,
is fixed to be the identity matrix, since the sphere is rotation invariant. In the experiments where we deform common objects, we constrainto be rotations on the - plane:
where is the learnable rotation angle.
3.2 LiDAR Simulation
We aim to add an adversarial mesh into the scene in a realistic manner and choose the roof of vehicles as the location for placement, as placing objects on top is easier due to gravity and does not interfere with adjacent traffic. Furthermore, objects on top of vehicles are less prone to occlusion, whereas areas like the front hood or trunk top may be blocked by another vehicle. Finally, this is a realistic scenario as it common to strap furniture, canoes, bicycles, and other large items on top of vehicles. In this section we first describe how to render a mesh into LiDAR points. Next we introduce a technique to locate the rooftop region from a vehicle point cloud, where we can place the adversary.
LiDAR point rendering:
We then use location of the mesh in the scene to sample nearby rays with the same angular frequencies as the LiDAR sensor used to generate the original LiDAR scene. Given rays and mesh , the adversarial points are rendered with a differentiable raycaster . We compute the intersection of rays and mesh faces with the Moller-Trumbore intersection algorithm . We refer readers to the supplementary materials for more details on this. Then, we take the union of the rendered adversarial points and the original points to create the modified scene.
To approximate the center of a vehicle’s roof from its point cloud, as illustrated in Figure 3, we first fit a CAD model to the point cloud. Inspired by , we represent our internal collection of vehicle models as signed distance functions (SDFs), denoting as , and project this library of vehicles into a latent space using PCA. Since SDFs implicitly represent 3D surfaces as its zero level-set, we optimize the latent code such that all ground truth vehicle points evaluate as close to 0 as possible. Concretely, given a vehicle bounding box , and a set of points within the box, we find the optimal latent code such that
We then apply marching cubes  on to obtain a fitted CAD model. Lastly, we use vertices within the top 0.2m vertical range of the CAD model to approximate the roof region.
During the attack, we place the adversarial mesh with a fixed pose relative to the roof center of a target vehicle. Given a vehicle bounding box , we compute the roof center and apply transformation matrix
on the adversarial object.
3.3 Adversarial Example Generation
In this section, we first introduce the objective function being optimized to learn adversarial examples. Both white box and black box attack algorithms are presented next.
The overall loss function is a combination of the adversarial loss and the Laplacian loss for mesh smoothness:
To generate an adversarial example, we search for vertex perturbation and global transformation parameters that minimize the loss function.
For the adversarial loss, following prior work , we also find it necessary to suppress all relevant bounding box proposals. A proposal is relevant if 1) its confidence score is greater than 0.1 and 2) if its IoU with the ground truth bounding box is also greater than 0.1.
Our adversarial objective minimizes the confidence of the relevant candidates:
where is the set of relevant bounding box proposals and each proposal has a confidence score . We use binary cross entropy to minimize the confidence score of the relevant proposals, weighed by the IoU with the ground truth bounding box . Here, we choose to target negative classification labels instead of other bounding box parameters because missing detections are the most problematic.
In addition, a Laplacian loss  is applied to regularize mesh geometry and maintain surface smoothness:
where is the distance from to the centroid of its immediate neighbors :
3.3.2 Attack Algorithms
In this section we provide details for both white box and black box attacks for learning mesh vertices.
White box attack:
In a white box setting, we simulate the addition of the adversary in a differentiable manner, and hence can take the gradient from the objective to the mesh vertices. In addition, we re-parameterize local and global displacement vectors to apply box constraints, as  have demonstrated issues with other alternatives. Specifically, since clipping parameters during projected gradient descent creates a disparity between parameter updates and momentum updates, we instead re-parameterize mesh vertices to inherently obey box constraints:
where denotes element-wise multiplication,
denotes the sigmoid function,define limits on size, and define limits on translation. is the normalized initial position of vertex and is the normalized global translation. The function constrains each vertex to stay in its initial quadrant.
Black box attack:
A gradient-based attack is not always feasible in point cloud perception due to non-differentiable preprocessing stages that are common in modern point cloud detection models [41, 19]. For example, models like PIXOR 
represent the input as occupancy voxels, preventing gradients from reaching the point cloud. To address this problem, we employ a genetic algorithm to update the mesh parameters. Here, a population of candidates meshes are evolved to maximize the fitness score
. At every iteration, the candidate with the highest fitness is preserved while the rest are replaced. New candidates are generated by sampling mesh parameters from a pair of old candidates, with sampling probability proportional to fitness score. We then add gaussian noise to some new candidates sampled with a mutation probability. To jointly optimize over all samples, we perform inference on multiple examples and take the average fitness score at each iteration. In this black box setting, we find re-parameterization unnecessary for gradient-free optimization.
3.4 Defense Mechanisms
Given that rooftop objects are rarely observed in the training distribution and that our attack produces examples that are heavily out-of-distribution, we first propose random data augmentation as a simple defense mechanism. Next, we consider adversarial training  for a stronger defense against adversarial attacks.
When training with data augmentation, in every frame we generate a random watertight mesh and place it on a random vehicle using the methods presented previously. This method is not specific to the type of optimization employed by the attacker (e.g. white box or black box) and hence may generalize better when compared to regular adversarial training .
To generate a random watertight mesh, we first sample a set of vertices from a Gaussian and apply incremental triangulation to obtain a set of connected tetrahedrons . We then stochastically remove boundary tetrahedrons that do not disconnect into separate components. Finally, we take the remaining boundary faces of to obtain a watertight surface.
While adversarial training has empirically been found to be robust, it is expensive and infeasible when the cost of training an adversary is high. Thus, we employ a method similar to  and take one mesh update step per model update instead of a full optimization cycle. During training, the adversary is randomly re-initialized every steps using the same mesh generation method.
In this section, we first discuss the datasets and models used in our experiments in Section 4.1 and 4.2, and the experimental setup in Section 4.3. We then present experimental results on 1) white box and black box attacks, 2) attacks and transferability on various detection backbones, 3) common object attacks, and 4) adversarial defense using data augmentation training.
We use the KITTI dataset  for training and evaluation of our attacks. KITTI contains LiDAR point clouds and 3D bounding box labels for objects seen by the front camera of the autonomous vehicle. For our experiments, we focus on the “Car” class only and consider each object in a scene as a separate sample. Since our method relies on fitting meshes to point clouds, we discard all samples with less than 10 points. This results in 6864 vehicles in the training set and 6544 vehicles in the validation set. We do not use the test set as labels are not publicly available. For evaluation we only consider bounding boxes from a bird’s eye view.
4.2 Target LIDAR Detector Models
In this work, we attack detector models that process point clouds exclusively without any auxiliary inputs, since we only learn the shape of the adversarial mesh. We cover a variety of detector architectures with different input representations of the point cloud. Specifically we consider the following models:
PIXOR  is a detection network that processes input point clouds into occupancy voxels and generates bounding boxes in a bird’s eye view.
is a variant of PIXOR using density voxels as inputs. The value of each voxel is calculated from bilinear interpolation of nearby points’ distance to the voxel center:. The density variant allows us to compute gradients to point clouds easier.
Since we limit to the scope of learning the mesh shape only, we use the version of the above detectors that do not take LiDAR intensity as input.
4.3 Experimental Setup
In our experiments, we initialize the adversarial mesh to be a unit isotropic sphere with 162 vertices and 320 faces and scale it by (0.7m, 0.7m, 0.5m). Maximum global offset is 0.1m on the direction and no offset is allowed on the direction to prevent the mesh from moving into the vehicle or hovering in mid air. For the Laplacian loss, we set . During simulation, rays are sampled according to specs of the Velodyne HDL-64E sensor used to generate the datasets.
For the gradient-based optimization in white box attacks, we use Adam with learning rate 0.005. For the genetic algorithm in black box attacks, we initialize mutation std at 0.05, mutation probability at 0.01, use a population size of 16, and average 100 queries to compute fitness. We decay the mutation std and probability by a factor of 0.5 if the running fitness has not improved in 100 generations.
4.4 Evaluation Metrics
We consider the following two metrics for attack quality:
Attack success rate: Attack success rate measures the percentage at which the target vehicle is successfully detected originally and but not detected after the attack. We consider a vehicle successfully detected if the output IoU is greater than 0.7.
Recall-IoU curve: Since attack success rate depends on the IoU threshold, we also plot the recall percentage at a range of IoU threshold to get a more thorough measure of attack quality.
4.5 Results and Discussion
Comparison of White Box and Black Box
We conduct a white box and black box attack on a variant of PIXOR with density voxels. We visualize the IoU-recall curve for both experiments in Figure 5. and show that the attacks significantly drop the recall. When we use the initial icosphere mesh as a baseline, it has little impact on detection even though it is of the same size as the adversary. We further compare our black box attack against the white box alternative and show that they achieve similar performance.
Transferability Across Identical Architectures
We investigate the transferability of adversarial examples across similar models. To this end, we train two variations of the original PIXOR model using different seeds and learn adversarial meshes for each model separately. We then evaluate transferability between the pair of models using attack success rate as the metric. Results are summarized in Table 2 and there is a high degree of transferability between models with identical architecture. This allows strong transfer attacks with only knowledge of model architecture. .
|Couch||23.3%||93.1 %||68.6%||93.8 %||1.69m x 0.85m x 0.94m|
|Canoe||26.9%||99.6 %||59.5%||99.9 %||3.51m x 0.81m x 0.68m|
|Table||18.9%||99.8 %||48.0%||99.7 %||1.57m x 0.83m x 0.86m|
|Cabinet||20.7%||93.4 %||54.1%||94.2 %||1.29m x 0.91m x 0.76m|
|Chair||14.1%||99.9 %||23.3%||99.9 %||1.42m x 0.64m x 0.71m|
|Bike||19.6%||94.4 %||32.4%||92.3 %||1.70m x 0.76m x 1.08m|
Transferability Across Input Representations
In this section we attack four models described in Section 4.2, and use only black box attacks due to non-differentiable layers in some models. We provide IoU-Recall curves in Figure 6. Again, transferability between the models is considered and results are shown in Table 2.
First, our attack is able to hide objects with high probability on the PIXOR models and PointPillar but is significantly weaker on PointRCNN. We hypothesize that this is because PointRCNN treats every point as a bounding box anchor. Therefore, vehicles close to the sensor register significantly more LiDAR points and proposals, making it extremely difficult to suppress all proposals. We verify this hypothesis by visualizing the attack success rate at various locations across the scene in Figure 7. The success rate on attacking PointRCNN is close to 0 near the LiDAR sensor but grows substantially higher as the distance to the sensor increases and the number of points decreases.
In terms of transferability, the occupancy and density variants of PIXOR can share a significant portion of adversarial examples. The attacks generated from PointPillar and PointRCNN can also be used to attack PIXOR, but not vice versa. This suggests that additional layers of point-level reasoning before aggregating on the -dimension probably make the model more robust to rooftop objects.
In addition, two variations of PIXOR have different vulnerable regions even though they share the same backbone. Specifically, we note that vehicles close to the LiDAR sensor are the easiest targets when using a density voxel input representation. In contrast, vehicles closeby are the most robust to attacks when using occupancy voxels. We speculate that this is an effect of the input precision. For density voxels, the number of points is significantly higher near the LiDAR sensor, contributing to higher input precision, whereas occupancy voxels can only show a binary indicator whether a voxel contains a point or not.
Based on the above observations, we conclude that the choice of input representation and detection scheme may have significant implications on robustness to adversarial examples. For a more concrete comparison, we consider a variant of PIXOR using PointPillar’s pillar representation instead of voxelization and keep the backbone architecture identical. We compare this variant, PIXOR* against PIXOR and show the results in Figure 8. Here, we can see that with even with identical backbones and training routines, PIXOR* is significantly more robust to our attack purely due to a different input representation.
In this section, to make attacks more realistic, we learn adversaries that resemble common objects that may appear on top of a vehicle in the real world. Instead of deforming an icosphere, we initialize from a common object mesh and deform the vertices while constraining the maximum perturbation distances. We choose couch, chair, table, bike, and canoe as six common object classes, and we take the object meshes from ShapeNet . We apply uniform mesh re-sampling in meshlab  to reduce the number of faces and produce regular geometry prior to deformation. In these experiments we limit the maximum vertex perturbation to 0.03m so that the adversary will resemble the common object, and limit translation to 0.1m, and allow free rotation. In Table 3, we present the visualizations, results, and dimensions of the common objects. Moreover, the identity of the adversarial objects are unambiguous to a human, and we also verify that a PointNet  classifier trained on ShapeNet  is also able to correctly classify our perturbed objects. This confirms the possibility that the placement of common objects can also hurt LiDAR detectors.
We employ our proposed defense methods by retraining a PIXOR model with random data augmentation and adversarial training. To generate random meshes for data augmentation, we uniformly sample from , from , and we sample vertices from Gaussian . If all tetrahedrons are removed by decimation, the sampling process restarts. During training, for every scene we sample one vehicle at random for data augmentation. We only augment vehicles with at least 10 points in the scene, otherwise it is too difficult to fit a mesh for roof approximation. During adversarial training, we set and alternate between updating the mesh and the model.
For evaluation, we re-train an adversarial mesh on the defended model and observe that the attack success rate is reduced significantly, as shown in Table 4. In addition, we also launch attacks with common objects on the defended model and observe similar findings. Furthermore, for the standard detection task, our defended models achieve similar or better performance when evaluated on the KITTI validation set. Nevertheless, the defense is not yet perfect since there is still 5-20% attack success rate remaining. With more computational resources, full adversarial training could possibly close this gap.
We propose a robust, universal, and physical realizable adversarial example capable of hiding vehicles from LiDAR detectors. An attacker can 3D print the mesh and place it on any vehicle to make it “invisible” without prior knowledge of the scene. The attack will consistently cause target vehicles to disappear, severely impeding downstream tasks in autonomous driving systems. Even without any malicious intent, we show that problematic shapes can coincidentally appear with common objects such as a sofa. We further show that training with data augmentation using random meshes can significantly improve the robustness, but unfortunately still not 100% secure against our attack. By demonstrating the vulnerability of LiDAR perception against universal 3D adversarial objects, we emphasize the need for more robust models in safety-critical robotics applications like self-driving.
Genattack: practical black-box attacks with gradient-free optimization.
Proceedings of the Genetic and Evolutionary Computation Conference, pp. 1111–1119. Cited by: §3.3.2.
-  (2018) Synthesizing robust adversarial examples. Cited by: §1, §2.
-  (2018) Modeling facial geometry using compositional vaes. In CVPR, Cited by: §3.1.
Decision-based adversarial attacks: reliable attacks against black-box machine learning models. In ICLR, Cited by: §2.
-  (2017) Adversarial patch. arXiv preprint arXiv:1712.09665. Cited by: §2.
-  (2019) Adversarial sensor attack on lidar-based perception in autonomous driving. In CCS, Cited by: §2.
-  (2019) Adversarial objects against lidar-based autonomous driving systems. arXiv preprint arXiv:1907.05418. Cited by: §1, §1, §2, §3.
-  (2017) Towards evaluating the robustness of neural networks. In SP, Cited by: §3.3.2, §3.4.
-  (2015) ShapeNet: an information-rich 3d model repository. CoRR abs/1512.03012. Cited by: §4.5.
-  (2017) ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In AISec@CCS, Cited by: §2.
MeshLab: an Open-Source Mesh Processing Tool. In Eurographics Italian Chapter Conference, V. Scarano, R. D. Chiara, and U. Erra (Eds.), External Links: Cited by: §4.5.
-  (2017) SAMP: shape and motion priors for 4d vehicle reconstruction. In WACV, pp. 400–408. Cited by: §3.2.
-  (2018) Robust physical-world attacks on deep learning visual classification. In CVPR, Cited by: §2.
-  (2012) Are we ready for autonomous driving? the kitti vision benchmark suite. In CVPR, Cited by: §4.1.
-  (2015) Explaining and harnessing adversarial examples. ICLR. Cited by: §1, §2, §3.4.
-  (1996) Computer graphics: principles and practice. Vol. 12110, Addison-Wesley Professional. Cited by: §3.1, §3.2.
-  (2018) Neural 3d mesh renderer. In CVPR, Cited by: §3.1.
-  (2017) Adversarial examples in the physical world. In ICLR Workshop, Cited by: §1, §2.
-  (2019) PointPillars: fast encoders for object detection from point clouds. In CVPR, Cited by: §3.3.2, 4th item, Table 2.
-  (2019) Multi-task multi-sensor fusion for 3d object detection. In CVPR, Cited by: §1.
-  (2018) Defense against adversarial attacks using high-level representation guided denoiser. In CVPR, Cited by: §2.
Deformable shape completion with graph convolutional autoencoders. In CVPR, Cited by: §3.1.
-  (2019) Adversarial point perturbations on 3d objects. arXiv preprint arXiv:1908.06062. Cited by: §2.
-  (2019) Beyond pixel norm-balls: parametric adversaries using an analytically differentiable renderer. In ICLR, Cited by: §2.
-  (2019) Soft rasterizer: differentiable rendering for unsupervised single-view mesh reconstruction. Cited by: §3.1, §3.3.1.
-  (2018) Towards deep learning models resistant to adversarial attacks. In ICLR, Cited by: §2.
-  (1997-10) Fast, minimum storage ray-triangle intersection. J. Graph. Tools 2 (1), pp. 21–28. External Links: Cited by: §3.2.
-  (2016) DeepFool: A simple and accurate method to fool deep neural networks. In CVPR, Cited by: §2.
-  (2017) Practical black-box attacks against machine learning. In AsiaCCS, Cited by: §2, §4.5.
-  (2017) PointNet: deep learning on point sets for 3d classification and segmentation. In CVPR, Cited by: 4th item.
-  (2017) Pointnet++: deep hierarchical feature learning on point sets in a metric space. In NIPS, Cited by: 3rd item, §4.5.
-  (2018) Certified defenses against adversarial examples. In ICLR, Cited by: §2.
-  (2019) Towards the first adversarially robust neural network model on MNIST. In ICLR, Cited by: §2.
-  (2019) PointRCNN: 3d object proposal generation and detection from point cloud. In CVPR, Cited by: §1, 3rd item, Table 2.
-  (2014) Intriguing properties of neural networks. ICLR. Cited by: §1, §2.
-  (2019) Robustness of 3d deep learning in an adversarial setting. In CVPR, Cited by: §1, §2.
-  (2018) Provable defenses against adversarial examples via the convex outer adversarial polytope. In ICML, Cited by: §2.
-  (2020) Fast is better than free: revisiting adversarial training. In International Conference on Learning Representations, External Links: Cited by: §3.4.
-  (2019) Generating 3d adversarial point clouds. In CVPR, Cited by: §1, §2.
-  (2017) Adversarial examples for semantic segmentation and object detection. In ICCV, Cited by: §2, §3.3.1.
-  (2018) PIXOR: real-time 3d object detection from point clouds. In CVPR, Cited by: §1, §3.3.2, 1st item, Table 2.
-  (2019) Adversarial attack and defense on point sets. arXiv preprint arXiv:1902.10899. Cited by: §2.
-  (2019) Adversarial attacks beyond the image space. In CVPR, Cited by: §1, §2.
-  (2019) PointCloud saliency maps. In ICCV, Cited by: §2.
-  (2018) VoxelNet: end-to-end learning for point cloud based 3d object detection. In CVPR, Cited by: §1.