LPF-Defense: 3D adversarial defense based on frequency analysis

Abstract

The 3D point clouds are increasingly being used in various application including safety-critical fields. It has recently been demonstrated that deep neural networks can successfully process 3D point clouds. However, these deep networks can be misclassified via 3D adversarial attacks intentionality designed to perturb some point cloud’s features. These misclassifications may be due to the network’s overreliance on features with unnecessary information in training sets. As such, identifying the features used by deep classifiers and removing features with unnecessary information from the training data can improve network’s robustness against adversarial attacks. In this paper, the LPF-Defense framework is proposed to discard this unnecessary information from the training data by suppressing the high-frequency content in the training phase. Our analysis shows that adversarial perturbations are found in the high-frequency contents of adversarial point clouds. Experiments showed that the proposed defense method achieves the state-of-the-art defense performance against six adversarial attacks on PointNet, PointNet++, and DGCNN models. The findings are practically supported by an expansive evaluation of synthetic (ModelNet40 and ShapeNet) and real datasets (ScanObjectNN). In particular, improvements are achieved with an average increase of classification accuracy by 3.8% on Drop100 attack and 4.26% on Drop200 attack compared to the state-of-the-art methods. The method also improves models’ accuracy on the original dataset compared to other available methods. (To facilitate research in this area, an open-source implementation of the method and data is released at https://github.com/kimianoorbakhsh/LPF-Defense.).

Introduction

Point clouds are irregular structures of 3D data, which are used in real-world applications (including healthcare, self-driving cars, drones, robotics, and many more [1, 2]). Since point clouds can be receipted directly from scanners, they can precisely capture shape details. Compared to 2D counterparts (which are projected forms of 3D data), these irregular structures capture more information from the environment. Therefore, some Deep Neural Networks (DNNs) like PointNet [3], PointNet++ [4], and DGCNN [5] are designed to be fed by these order-invariant point clouds. One limitation of DNNs is that they are vulnerable to shifting [6–12], adding [6, 11, 13–15], or dropping [14, 16, 17] a small number of points of the original point cloud. These adversarial perturbations lead to model misclassification by distorting some fundamental features of the point cloud. One possible explanation for these shortcomings is the overdependence of deep networks on features with unnecessary information in the training sets, which might not be attending in the object distribution that they attempt to describe. For this reason, identifying the features that deep classifiers use and removing features with unnecessary information from the training data can improve the networks’ robustness against adversarial attacks.

Some defense methods [6, 10–12, 14–22] have been proposed to improve robustness in point cloud classification. In general, modified input as a preprocess and modified training are two common methods to improve adversarial robustness. Adversarial training method [7, 23] as a modified training, trains a model on a mixture of adversarial and clean examples. In fact, they inject redundant feature information into models. The modified input method considers preprocessing the input data (before feeding them to the model) to eliminate adversarial perturbations. Removing some redundant feature information is done with different techniques [6, 7, 14, 24, 25].

In terms of adversarial attack and defense in the 2D frequency domain [26–31], discrete Fourier transforms (DFTs) and compression methods are two common methods that can be employed to generate attacks and defend against them.

In terms of adversarial attack and defense in the 3D frequency domain, there are two point cloud attacks that use discrete Fourier transform (graph-based) [32, 33], but no defense has been proposed so far. Because of the irregular structure of point clouds, these methods have their own challenges in using imaging methods such as DFT.

This paper proposes a defense method from a 3D frequency domain perspective. In the beginning, by using the spherical harmonic functions to analyze the properties of adversarial point perturbations, it comes to the conclusion that high-frequency components describe fine details of point clouds, whereas low-frequency components show the rough shape of point clouds. An example of such properties can be seen in Fig 1, which shows a sample point cloud in different frequencies under the spherical harmonic transformation with different high-frequency information. Our analysis shows that most perturbations happen in the high-frequency components for many existing 3D adversarial attacks. Toward this end, this paper proposes a novel adversarial defense method named Low Pass Frequency-Defense (LPF-Defense). The proposed defense drops the features that contain unnecessary information, from the original point cloud, and trains a model on the remaining features, leading to strong robustness against adversarial attacks.

Fig 1. Illustration of a sample point cloud in different frequencies under spherical harmonic transformation.

[Lower values of S remove more 3D points with high frequency information, resulting in a more spherical shape.].

In other words, the proposed defense method filters out high-frequency input data components as features with unnecessary information when feeding them as the training data. In fact, since the model has never learned the high-frequency components of point clouds, it can be robust against adversarial examples that most of their perturbations occur on high-frequency components. The overall scheme of the LPF-Defense is demonstrated in Fig 2.

Fig 2. An overview of proposed (LPF1 and LPF2) defense methods versus original method.

Original method fails in robustness against adversarial attacks at test time. Proposed defense methods have overcome this issue.

The remaining parts of this paper are organized as follows. Section 1 introduces the background of the frequency domain, adversarial attack, and defenses on 3D data. The proposed 3D defense method is presented in Section. Experimental results are discussed in Section, and Section concludes the paper.

In summary, the main contributions of this paper are given as follows:

• Analyzing 3D adversarial examples in terms of frequency domain.

• Proposing two defense methods based on frequency domain for 3D adversarial examples that have better performance than baselines and state-of-the-art defenses.

• Improving the robustness of models on standard inputs by training models using the low-frequency data information.

Related work

Frequency methods for point clouds

There are two ways to transform from the spatial domain to the frequency domain, namely the Fourier transform [34] and the spherical harmonic transform. Spherical harmonics [35] is the extension of the Fourier series from the circle (one angular component) to the sphere (two angular components). They are a set of orthogonal basis functions defined on the surface of a sphere. Each function defined on the surface of a sphere can be written as a weighted sum of these spherical harmonics. It is, therefore, necessary to represent the 3D point cloud as a function defined on the surface of a sphere. In this regard, Ramsing et al. [36] place the 3D mesh on the unit sphere. Then, rays are cast outward from the shape’s center to sample the points. They consider the sum of the first and the second mesh hit locations as the sample points.

Adversarial attack on point cloud

Adversarial attacks desire to make a classifier misclassify the input data. The attacks and defenses have been analyzed in-depth for 2D data [37–43], when they have been just started to be investigated in 3D space [6, 10, 17]. The 3D adversarial attacks are normally classified by different view points as follows:

• Targeted attacks [6, 10] in which the victim model classifies the data point to a specific target class, and untargeted attacks [17] in which the model may classify the point cloud to any class other than the original one.

• Point shift (shifts a few points only and the number of points remains constant) [6] vs. point add (adds a few points and increases the point numbers) [6, 10] vs. point drop (drops a few points and reduces the point numbers) [17].

• On-surface perturbation (perturbations are applied along the object surface.) [6] vs. out-surface perturbation (perturbations are applied outside the object surface; such as noise and outliers) [10, 17].

• Optimization-based (first the initial estimate of adversarial perturbation is considered as an optimization problem, then it is solved using some optimizers.) [6, 10] vs. gradient-based (first gradients of the cost function corresponding to each input point are acquired. They are then used to acquire an adversarial perturbation such that the proposed attack has a more tendency towards being misclassified) [17].

There are six different adversarial attacks (named Add-CD [6], Add-HD [6], Shift-L2 [6], Shift-KNN [10], Drop-100 and Drop-200 [17] that cover all the above categories and are sufficient to examine the ability of defense methods to what extent they are able to improve model robustness.

ADD-CD, ADD-HD and Shift-L2 [6] are attacks by shifting points with L_p-norm and adding a limited number of points, clusters, or objects with Chamfer and Hausdorff perturbation criteria. These criteria force the perturbations to shrink so that it is not noticeable to the human eye.

Later, Tsai et al. [10] tried to generate a stronger attack by adding different constraints and proposed a targeted attack called KNN. The KNN attack adds a term to the loss function as a KNN distance constraint (when chamfer criteria is another constraint that exists to the loss function) so that the points are not too far from the surface and mostly are on-surface perturbation.

Finally, [17] drops the most critical points based on saliency-based techniques. As such, it calculates a saliency score based in the gradient of the loss function with respect to the input point cloud and drops the points with the highest saliency scores in an iterative manner.

Adversarial defense on point cloud

Given that data quality is one of the most critical issues before performing any analysis, there are several forms of modified input methods to remove the adversarial noise. The Simple Random Sampling (SRS) [6], Statistical Outlier Removal (SOR) [24], saliency map removal [7], and Denoiser and UPsampler NETwork (DUP-Net) [24] are some defense techniques that enhance model robustness against 3D attacks by adding a preprocessing step before feeding input samples to victim models. These defenses focus on add and shift adversarial examples and cannot perform well on drop attacks. Hence, recent defenses, such as IF-defense [25], try to improve model robustness on all type of attacks. IF-defense [25] proposed the Implicit Function Defense (IF-Defense) to optimize and restore the input point coordinates by limiting the point perturbation and surface distortion.

In terms of modified training, adversarial training [7] is one of the most powerful defense techniques. In standard training the model is trained only on standard point clouds. On the other hand, in adversarial training the model is trained with standard data and adversarial examples. Authors in [7] train models with Shift-l2 attacks and authors in [23] train models with adaptive attacks. In that method, [23] add different types of attacks to the model. For example, an adaptive attack is designed to cover all types of attack to improve model robustness on all type of attacks. Improving the robustness of models is a major challenge that has been studied in a variety of ways.

Proposed method

Problem formulation

Let $K:{\mathbb{R}}^{n\times 3}\to {\mathbb{R}}^l$ be an l-class classifier. Suppose $D\in {\mathbb{R}}^{n\times 3}$ is a spatial representation of a 3D point cloud with n points, D = {d_j|j = 1, 2, …, n}, where each point, d_i, is represented by its xyz coordinates as a vector. Then, K_θ(D) computes the class of input point cloud D, which is parameterized by θ. An attacker seeks for achieving the smallest perturbation η such that

$$\begin{array}{c}\hfill \underset{\eta }{\text{minimize}}\Vert \eta \Vert \text{subject}\text{to}{K}_{\theta }\left(D\right)\ne K_{\theta }(D+\eta )\end{array}$$ (1)

changes the class of the point cloud with adversarial sample (D + η), denoted by symbol (D^adv). The main focus of this paper is to find a solution to improve adversarial robustness of classifiers, such that the class of the input point cloud D does not change when corrupted by the perturbation; i.e., K_θ(D) = K_θ(D^adv).

The proposed LPF-Defense is a defense that trains classifiers with the low-frequency version of the input point cloud (D_LP) (or mixture of (D_LP) and (D)). The defense filters out the high-frequency input data components (as features with unnecessary information) to defeat different types of adversarial attacks. Since the classifiers have learned the low-frequency components of point clouds, they can be robust against adversarial examples that most of their perturbations are on high-frequency components. In order to achieve this motivation, the proposed defense uses spherical harmonic transformation that can acquire a low-frequency version when applied to the input point cloud.

Low-frequency point cloud information extraction

The purpose of this section is to explain how to extract low-frequency point cloud information D_LP from an input point cloud D.

Projecting onto unit sphere

The first step is projecting the input point cloud (D) onto the unit sphere, centered at its centroid. In fact, each point d_i of the point cloud D should be converted to polar coordinate system (r_i, θ_i, ϕ_i), where r is the radial coordinate, θ ∈ [0, 2π] is the azimuth angle, and ϕ ∈ [0, π] is the polar angle. The projection

$$\begin{array}{c}\hfill D\underset{}{\overset{\text{project}}{\to }}f(\theta ,\varphi )\end{array}$$ (2)

is characterized as a non-negative function f(θ, ϕ) defined on an equiangular sampling grid on the sphere surface, in which θ and ϕ are the co-latitude and longitude, respectively. In more details, each grid point on the sphere surface is equivalent to r_i = f(θ_i, ϕ_i). Where, the value of f at a particular grid point (θ_*, ϕ_*) is defined as the radius r_i of the point in the point cloud that its polar coordinates (θ_i, ϕ_i) are the closest to (θ_*, ϕ_*). In this projection, several grid points might correspond to the same point in the point cloud. Also, there might be points with no grid points assigned to them. It is worth noting that the grid needs to be of sufficient resolution to capture the fine details of the input point cloud. After obtaining the projection on the sphere, spherical harmonics transform the data to the frequency domain.

Spherical harmonics

Spherical harmonics are a set of complete and orthogonal basis functions for representing any function on the unit sphere ${\mathbb{S}}^2$. According to [36], any continuous function $f:{\mathbb{S}}^2\to \mathbb{R}$ that satisfies a certain set of conditions can be written as

$$\begin{array}{c}\hfill f(\theta ,\varphi )=\sum _{l=0}^{\infty }\sum _{m=-l}^l{c}_l^m{Y}_l^m(\theta ,\varphi )\end{array}$$ (3)

where $Y_l^m(\theta ,\varphi )$ are the spherical harmonics base functions of degree l and order m, and $c_l^m$ is the corresponding coefficient of the base function. The spherical harmonics base functions are defined as

$$\begin{array}{c}\hfill Y_l^m(\theta ,\varphi )=N_l^m{P}_l^m\left(\text{cos}\left(\pi \right)\right)e^{im\theta }\end{array}$$ (4)

in which $N_l^m$ are the normalization coefficient, $P_l^m$ are the associated Legendre function, and $i=\sqrt[2]{-1}$ is the imaginary unit.

The coefficients $c_l^m$ that are the frequency domain representations of function f that can be calculated as

$$\begin{array}{c}\hfill c_l^m=\underset{0}{\overset{\pi }{\int }}\underset{0}{\overset{2\pi }{\int }}f(\theta ,\varphi )Y_l^m(\theta ,\varphi )\text{sin}\varphi d\varphi d\theta \end{array}$$ (5)

for a given function f. In implementations of this paper, the python library “pyshtools” [44] is used to perform spherical harmonics related operations.

Low pass filtering in frequency domain. After obtaining the point cloud projection onto the sphere, spherical harmonics are used to calculate the frequency domain coefficients. Each coefficient $c_l^m$ is then multiplied by a corresponding weight w_l, to calculate the updated coefficient ${\widehat{c}}_l^m$ as

$$\begin{array}{c}\hfill {\widehat{c}}_l^m\underset{}{\overset{\text{updated}\text{coefficient}}{\leftarrow }}{c}_l^m\times w_l\end{array}$$ (6)

which has the effect of low pass filtering. Weights w_l (0 ≤ l ≤ ∞) come from a Gaussian distribution $\mathcal{N}(0,\sigma )$ such that w_l=0 = 1. The higher order coefficients ($c_l^m$’s with higher l’s) are multiplied by a smaller weight, resulting in low pass filtering and thus diminishing noise and outliers. A low pass version of f(θ, ϕ) is defined as

$$\begin{array}{c}\hfill \widehat{f}(\theta ,\varphi )=\sum _{l=0}^{\infty }\sum _{m=-l}^l{\widehat{c}}_l^m{Y}_l^m(\theta ,\varphi )\end{array}$$ (7)

where is expanded with updated coefficient ${\widehat{c}}_l^m$. Our studies show that Gaussian filter performs better than box filters, (which are often used to cut-off frequencies).

Reconstructing the filtered point cloud. The final step is to transform the coefficients ${\widehat{c}}_l^m$ back into spatial domain for retrieving the low-passed $\widehat{f}:{\mathbb{S}}^2\to \mathbb{R}$. For each spherical angle pair (θ, ϕ) that have at least one point d_i from the point cloud assigned to them during the initial projection, a point is generated based on the new value of $\widehat{f}(\theta ,\varphi )$. These newly generated points reconstruct the low pass filtered point cloud D_LP as

$$\begin{array}{c}\hfill D_{LP}\underset{}{\overset{\text{project}}{\leftarrow }}\widehat{f}(\theta ,\varphi ).\end{array}$$ (8)

The point cloud size might be reduced after this process. The potential loss in the number of points can be compensated by randomly re-sampling existing points. Note that in contrast to [36], point clouds themselves are the primary input here and not their corresponding mesh. This is crucial to the semantics of defending against adversarial attacks, as one is only given the point cloud data to perform the defense on.

Frequency-based analysis attacks

The issue of defense is raised by introducing adversarial attacks. A better analysis of the adversarial attacks gives a better view of how to generate a defense. As a result, a more effective defense can be designed against it. The adversarial attack retains the original appearance of the object and deceives the model by modifying some points in a way that is not noticeable to the human eye. It is usual to suppose that adversarial perturbations affect more high-frequency components than low-frequency ones. This paper studies this assumption by analyzing the adversarial attacks in the frequency domain. For this purpose, the Dis_c function measures the average dissimilarity between the spherical harmonics coefficients of the original point cloud and the adversarial one in the data test

$$\begin{array}{c}\hfill {\text{Dis}}_{\mathrm{c}}=\frac{1}{N}\sum _{i=0}^N|\frac{{\left[c_l^m\right]}_i^{adv}-{\left[c_l^m\right]}_i^{org}}{{\left[c_l^m\right]}_i^{org}}|\end{array}$$ (9)

where N is the number of point clouds in the data test and ${\left[c_l^m\right]}_i^{adv}$ and ${\left[c_l^m\right]}_i^{org}$ are the coefficients corresponding to the spherical harmonics base functions in the original point cloud D and the adversarial one D^adv, respectively. Also, $c_l^m$ stands for the coefficients of Spherical Harmonics Transform. For visualization to perform well under different adversarial perturbations, normalization is performed by dividing the coefficients of original point clouds. According to the results obtained in Section, most adversarial perturbations occur at medium and high frequencies.

Adversarial defense with low-frequency information of point cloud

The two proposed LPF1 and LPF2 defenses are a defense that trains classifiers with the low-frequency version of the input point cloud D_LP only and a mixture of D_LP and D receptively. In both techniques, classifiers are tested with D_LP of adversarial examples. The general idea behind both proposed defenses is to use a training model that eliminates high-frequency input data components as features with unnecessary information in order to defeat different types of adversarial attacks. The LPF2 method appears similar to popular adversarial training but has some key differences. It focuses on data injection by removing their high-frequency components to achieve stable model performance. In contrast, adversarial training focuses on data injection by adding some high-frequency features to the model during the training phase, which can cause the instability of the 3D model when facing unseen attacks (other redundant features the model does not learn during training). Due to this fact, the LPF2 method enhances the model’s performance over standard adversarial training.

Experimental results

Settings

Datasets

The experiments in this paper used aligned benchmark ModelNet40 [45], real scanobjectNN [46], and ShapeNet [47] dataset for 3D object classification. The ModelNet40 dataset contains 40 object classes and 9,843 3D Computer-Aided Design (CAD) objects for training, and 2,468 3D CAD objects for testing. The ScanObjectNN dataset is an object dataset from real-world that scan objects in indoor environments. It contains 15 object classes and 11,416 objects for training, and 2,882 objects for testing. The ShapeNet dataset used in this paper is a subset of the full ShapeNet dataset. It covers 8 object categories with 12235 training objects and 616 testing objects. (The whole training dataset was not selected due to high computational cost of generating the attacks. These 8 objects include the following categoris: Display, Chair, Cabinet, Bag, Sofa, Pillow, Shelf, and Bed.)

3D models

Three state-of-the-art models, including PointNet [3], PointNet++ [4], and DGCNN [5] are adopted as victim classifiers that run on the ModelNet40 dataset. The models are trained with default settings. (The experiments were performed on a machine equipped with one NVIDIA Tesla P100-PCIe and 16 GB memory.)

Attack settings

The proposed method has been tested on un-targeted/targeted attacks. Attacks are fed to the pre-train victim model to evaluate the accuracy. Attacks are re-produced for each model for a fair comparison between LPF-Proposed and base defense methods according to IF-Defense [25] settings. A target class, which is not equal to the ground-truth class, has been randomly assigned to each data test for targeted adversarial attacks. This assignment of the target classes was maintained unchanged in all attacks to remove the randomness effect. So there are 2468 attack pairs (victim, target) to measure the accuracy. For un-targeted attacks, all test objects contain 2,468 objects fed to the model to estimate the accuracy. Therefore, the basic adversarial examples including the point shifting (Shift-L2) [6], the point adding (Add-CD and Add-HD) [6], the kNN attack (Shift-kNN) [10], and the point dropping (Drop-100 and Drop-200) [17] are employed for performance comparison purposes. When Shift-L2, Add-CD, Add-HD, and kNN attacks optimize a Carlini & Wagner (C&W) function with L2-norm, Chamfer, Hausdorff, and both Chamfer and K-nearest neighbors distance as a perturbation metric, respectively. The same as [25], a 10-step binary search with 500 iterations in each step is utilized to generate the Shift-L2, Add-CD, and Add-HD attacks. Also, 2500 iterations are used for Shift-KNN. Furthermore, for add points attacks (ADD-HD and ADD-CD), 512 points have been added to 1024 points in each point cloud. Drop-100 and Drop-200 attacks remove 100 and 200 points from 1024 points with the highest saliency scores, wherein every iteration, 5 points with the highest saliency scores are dropped. Then, a new saliency map is constructed for the remaining points. This process is repeated in next iterations to drop 100 and 200 points. Point dropping is under un-targeted settings and others are under targeted settings. All experiments in this paper were implemented using PyTorch.

Defense settings

To verify the validity of the proposed defense method, this method has been compared with the SRS [14], SOR [24], DUP-Net [24], If-Defense [25], Adv Training with Shift-L2 [7], and Adv training with PAGN [23] baselines. It is noteworthy that “adversarial” is simplified with “adv” in the text and tables. In SRS, the number of dropped random points is 500. In SOR, the hyperparameters are set to k = 2 and α = 1.1. If-Defense suggests three different versions. This paper reports the results of IF-Defense based on optimization with ConvONEt implicit function networks, which is the best version of the If-Defense. The rest of the settings are in accordance with related reference papers.

Effect of fourier and spherical harmonic transformations

Since the general purpose of this paper is to train the model with low-frequency information, both transformations are analyzed on model training. Fig 3 illustrates extracting the low-frequency information of a sample of ModelNet40 data with the Fourier and spherical harmonic transformation. As shown in Fig 3, spherical harmonic transformation removes corners and preserves point clouds’ uniform distribution. In contrast, the Fourier transformation extracts a skeleton of point clouds very narrowly. Due to the fact that points in the low-frequency version of data based on the Fourier transform are concentrated in certain regions and are not uniformly distributed, they gained less model performance than the spherical harmonics. This means that the uniform distribution of points on the surface of the point cloud has a high effect and therefore is essential in the training phase. In addition, the proposed LPF-Defense method seeks to eliminate high frequencies where attack perturbations probably are more concentrated, such as corners. Therefore, for the purpose of this paper, it seems more appropriate to use the spherical harmonic transformation.

Fig 3. Comparison of low-frequency point cloud information of a random ModelNet40 sample.

Spherical harmonic transformation removes corners and preserves point clouds’ uniform distribution. In contrast, Fourier transformation extracts a skeleton of point clouds very narrowly.

Analysis of adversarial attacks in spherical harmonic transformation

This part analyzes the effect of adversarial attacks on frequency components by Dis_c function that was introduced in Section. The distribution of perturbations (point shifting (Shift-L2) [6], the point adding (Add-CD) [6], and the point dropping (Drop-100) [17]) in the frequency domain is visualized in Fig 4. The top vertex of the triangle shows the coefficient of low-frequency components, and as it moves down, the coefficient of high-frequency components are displayed. Based on the results, most of the adversarial perturbation is found in the mid- and high-frequency components of attacks. In other words, adversarial attacks deceive the model by modifying high-frequency components. According to Fig 4, the frequency components in the 20 rows above the triangle (S = 20) change slightly and most of changes happen below that. This is seen in almost every three adversarial attacks. An approximate cut-off frequency range, S = 20, is now available for finding low-frequency versions.

Fig 4. Spherical harmonic coefficients for different adversarial perturbations on ModelNet40.

Upper vertex and two lower vertices of the triangle represent the lowest and highest frequency components in the frequency space. Results show that more remarkable changes occur in mid- and high-frequency ranges. [Lighter color reveals a more remarkable change for a particular frequency component between original point clouds and adversarial one.].

Cut-off frequency

Cut-off frequencies can be done in two ways of Box filter or Gaussian filter. Box filtering means, from one frequency onwards, all components are discarded (these frequencies would be set to zero). Gaussian filter means frequency components are weighted based on the Gaussian distribution (These frequencies would be high near zero and then decrease at higher frequencies according to the decay of the Gaussian distribution.) By setting the standard deviation, called S, the Gaussian filter can control the cut-off frequencies. In other words, the higher S gets, the higher the cut-off of high-frequencies occurs. In Fig 5, the results of two types of low pass filtering is observed. The ripple in the flat region is due to the frequency cut-off with the Boxing filter. If a Gaussian filter is used instead of the Boxing filter, this ripple will be removed. The frequency response of the Box filter looks like a Box (or a rectangle). The impulse response of such a filter is the sinc function. That is why ripples are seen in the flat regions (flat surfaces of cubes seem to bend in after filtering). Note that Gaussian in the time domain maps to Gaussian in the frequency domain and does not suffer from ripples, so there is no bending-in in the flat surfaces.

Fig 5. Effect of low pass filtering with Gaussian filter and Box filter.

(a) Original point cloud. (b) Gaussian low-pass-filtered with S = 5. (c) Box filter when all frequency components of degree more than 5 are eliminated. Gaussian filter performs a more natural blurring effect than box-like filters, when ripples are seen in the flat regions on (c).

Classification results

Tables 1 to 5 indicates the point cloud classification accuracy of the proposed defenses and other defense strategies on various attacks. The classification accuracy of defenses is shown as a percentage of the correctly classified test point clouds. A higher classification accuracy in the victim model indicates that the defense is more effective.

Table 1. Comparison of classification accuracy of proposed defenses with other defense strategies, under various attacks on PointNet and ModelNet40 datasets.

Defenses	Attacks
	Clean	Shift-L2 [6]	Add-CD [6]	Add-HD [6]	Shift-KNN [10]	Drop-100 [17]	Drop-200 [17]
No-defense	88.39%	0.00%	0.00%	0.00%	8.55%	60.02%	33.03%
SRS [14]	87.35%	77.65%	76.58%	73.27%	58.52%	63.82%	38.92%
SOR [24]	87.83%	82.75%	82.63%	82.46%	76.58%	64.33%	43.05%
DUP-Net [24]	87.69%	84.49%	83.80%	82.09%	80.28%	67.41%	46.83%
If-Defense [25]	84.36%	86.31%	86.84%	86.73%	82.74%	77.74%	66.97%
Adv Training (Shift-L2) [7]	88.18%	43.28%	49.35%	53.47%	39.22%	70.23%	65.79%
Adv Training (PAGN) [23]	87.01%	84.83%	61.75%	64.35%	65.46%	66.29%	49.61%
LPF1-Proposed	84.87%	84.97%	85.13%	84.85%	83.59%	77.10%	61.16%
LPF2-Proposed	91.78%	86.91%	87.32%	86.99%	86.02%	81.64%	68.52%

Table 5. Comparison of classification accuracy of proposed defenses with other defense strategies, under various attacks on PointNet and ShapeNet datasets.

Defenses	Attacks
	Clean	Shift-L2 [6]	Add-CD [6]	Add-HD [6]	Shift-KNN [10]	Drop-100 [17]	Drop-200 [17]
No-defense	94.16%	0.00%	0.00%	0.00%	18.51%	86.36%	80.03%
SRS [14]	93.67%	90.75%	87.5%	85.55%	91.88%	87.34%	81.17%
SOR [24]	94.32%	93.02%	93.83%	93.18%	92.69%	87.34%	82.14%
DUP-Net [24]	91.07%	92.86%	93.18%	92.86%	92.53%	88.31%	82.63%
If-Defense [25]	93.34%	93.51%	93.34%	93.18%	92.86%	89.12%	85.71%
LPF1-Proposed	91.88%	90.26%	90.75%	91.23%	90.1%	90.1%	86.04%
LPF2-Proposed	94.48%	93.34%	94.32%	93.83%	92.21%	91.07%	87.50%

According to the results shown in Tables 1 to 5, the three SRS, SOR, and DUP-NET defenses are effective against point add (add-CD, add-HD) and point shift (Shift-L2) attacks. The mechanism of these defenses allows them to eliminate out-surface perturbation points effectively. In this regard, KNN reduces the accuracy of these defenses as an On-surface perturbation attack, which keeps the perturbation points almost on the surface. Nevertheless, accuracy of defenses still makes sense. The problem occurs when there is a point drop attack and no point to remove. In such attacks, the model accuracy decreases sharply; however, DUP-NET has improved the performance by combining SOR and UPSampler networks by around 4%. But, because upsampler increases points close to the input points, the defense cannot resist when the number of dropped points becomes too large. Add, shift, and drop attacks can be improved with the proposed defense methods. If-Defense is another method of defense. This method combines SOR and resamples points from a mesh. Also, in order to improve the accuracy of drop attacks and other attacks on the surface, it defines two loss functions that preserve point geometry and point distribution on the surface. Compared to IF-Defense, the proposed method improves the model accuracy by an average of about 2% on attacks listed in Table 1.

Adversarial training (with Shift-L2) trains the models with original training data and Shift-L2 attacks [7]. Adversarial training (with PAGN), trains the models with original training data and adaptive attacks [23]. Adaptive attacks are designed to cover all types of attacks. In fact, these defenses draw the model’s attention to the high-frequency components of data (attacks). Note that the irregular structure of point clouds can lead to performance instability in such defenses. To better understanding of how works different methods, S1 Table shows summary of methods.

Both LPF1 and LPF2 use D_LP for training. In D_LP, high-frequency information (which in most adversarial examples is attacked by attackers) is removed. For example, a drop attack typically generates adversarial examples by removing corner points and edges. On the other hand, LPF1 and LPF2, during the training phase, have learned the data whose high-frequency information has been removed. Therefore, these attacks are more likely to be categorized correctly. As shown in Table 1, LPF2 has higher accuracy than state-of-the-art defense ([25]), for about 4% in both Drop-100 and Drop-200 attacks.

In Table 1, in which the victim model is PointNet, the proposed LPF2 method outperforms all defense approaches in all studies attacks except for the Shift-KNN attack for which the IF-Defense approach achieves a higher performance in about 0.9%. Table 2 shows the same leading performance of the LPF2 method in the PointNet++ model. However, in this case the proposed method performs better in the Shift-KNN attack, but has around 1% lower accuracy in Shift-L2 attack compared to the state-of-the-art approach (i.e., IF-Defense.). It is valuable to note that the LPF2 approach has higher accuracy in about 3%, 1%, 1%, 2%, and 2% in Add-CD, Add-HD, Shift-KNN, Drop100, and Drop200 attacks than the state-of-the-art approach respectively. Similarly, the results for the DGCNN model are also reported in Table 3. The proposed method outperforms the state-of-the-art approach in Shift-KNN, Drop100, and Drop200 by 3%, 5%, and 9%, respectively. The proposed method has an acceptable performance on Shift-L2, Add-CD, and Add-HD compared to other defense methods except for the IF-Defense approach. Note that the results of the first proposed method (LPF1) are also reported in all tables, and they exceed most defense approaches. The best performance is achieved with the proposed LPF2 defense, as described above.

Table 2. Comparison of classification accuracy of proposed defenses with other defense strategies, under various attacks on PointNet++ and ModelNet40 datasets.

Defenses	Attacks
	Clean	Shift-L2 [6]	Add-CD [6]	Add-HD [6]	Shift-KNN [10]	Drop-100 [17]	Drop-200 [17]
No-defense	89.58%	0.00%	7.29%	6.32%	0.00%	80.28%	68.89%
SRS [14]	83.71%	74.01%	65.28%	43.12%	49.89%	64.53%	40.05%
SOR [24]	87.02%	77.64%	72.93%	72.4%	61.42%	74.09%	-69.28%
DUP-Net [24]	85.72%	81.01%	75.78%	72.46%	74.81%	76.41%	72.10%
If-Defense [25]	88.97%	86.97%	80.21%	76.15%	85.59%	84.61%	78.99%
Adv Training (Shift-L2) [7]	89.14%	20.45%	13.01%	10.12%	9.05%	80.51%	66.98%
LPF1-Proposed	76.17%	83.31%	80.35%	74.03%	83.59%	72.16%	66.53%
LPF2-Proposed	90.92%	85.90%	83.43%	77.23%	86.55%	86.87%	81.12%

Table 3. Comparison of classification accuracy of proposed defenses with other defense strategies, under various attacks on DGCNN and ModelNet40 datasets.

Defenses	Attacks
	Clean	Shift-L2 [6]	Add-CD [6]	Add-HD [6]	Shift-KNN [10]	Drop-100 [17]	Drop-200 [17]
No-defense	91.22%	0.00%	1.65%	1.57%	19.23%	74.54%	56.53%
SRS [14]	81.53%	51.06%	63.79%	43.39%	41.20%	50.06%	23.79%
SOR [24]	88.67%	76.61%	72.49%	63.81%	55.93%	64.59%	58.99%
DUP-Net [24]	54.05%	41.98%	44.75%	33.45%	35.41%	44.19%	36.21%
If-Defense [25]	89.17%	85.49%	84.15%	72.88%	82.28%	83.41%	73.31%
Adv Training (Shift-L2) [7]	90.18%	13.21%	6.45%	6.41%	15.75%	75.42%	54.97%
LPF1-Proposed	91.38%	78.97%	72.16%	68.52%	84.04%	86.99%	80.19%
LPF2-Proposed	93.29%	78.69%	73.63%	68.68%	85.53%	88.65%	82.41%

Other defense methods in the tables have only been studied on the ModelNet40 dataset. We have added the results on two other datasets (ScanObjectNN and ShapeNet) in addition to the famous ModelNet40 dataset to complete the experiments. The proposed method outperformed the existing defense methods in these two additional datasets as well, as shown in Tables 4 and 5 (in which the victim model is PointNet).

Table 4. Comparison of classification accuracy of proposed defenses with other defense strategies, under various attacks on PointNet and ScanObjectNN datasets.

Defenses	Attacks
	Clean	Shift-L2 [6]	Add-CD [6]	Add-HD [6]	Shift-KNN [10]	Drop-100 [17]	Drop-200 [17]
No-defense	79.17%	0.00%	0.00%	0.00%	20.14%	64.37%	54.56%
SRS [14]	79.35%	67.30%	65.06%	50%	71.77%	65.23%	56.11%
SOR [24]	78.49%	75.73%	77.45%	74.01%	75.22%	67.47%	57.49%
DUP-Net [24]	73.67%	74.70%	77.28%	71.43%	74.18%	67.99%	58%
If-Defense [25]	76.41%	76.00%	76.24%	75.73%	74.52%	67.46%	60.92%
LPF1-Proposed	75.56%	76.08%	76.94%	74.70%	75.56%	74.01%	66.78%
LPF2-Proposed	79.00%	77.28%	77.97%	71.94%	76.93%	71.94%	68.50%

As a preprocessing step for the add and shift point attacks, SOR is first applied to remove the outliers. Then, the low-frequency information of data is retained. The results show that combining two utterly different denoising mechanisms (SOR and D_LP) helps to boost the model robustness. In Fig 6, the Add-CH attack has been applied to the original point cloud. Then, three different methods for removing outliers are tested. Firstly, D_LP with S = 20 removes most of the outliers, except for one point at the bottom and one point in the rightmost side of the object. Secondly, SOR method that is the best in dropping outliers, removes the outliers. As seen in this Fig, except for the few points at the bottom of the object that are so close to the object, SOR removes the outliers, effectively. Finally, the combination of D_LP and SOR takes the advantage of both methods and therefore the resulting object has the least number of outliers.

Fig 6. Visualization of different preprocessed on an adversarial point cloud sample.

(a) Illustrate original point cloud and others illustrate adversarial point clouds when (b) generated with Add-CH attack, (c) Preprocessed with S = 20, (d) preprocessed with SOR, and (e) Preprocessed with both SOR and S = 20. Point cloud in (e) has the least outlier, as desired.

Even rows in Fig 7 illustrate the same preprocess as panel (e) in Fig 6 on various adversarial attacks for point cloud examples. Odd rows in this Fig shows the non preprocessed point clouds.

Fig 7. Effect of proposed low pass preprocessing on point cloud samples of three datasets Modelnet40, ShapeNet, and ScanobjectNN for different attacks.

[Odd rows: Point clouds before preprocessing. Even rows: Point clouds after low pass filtering with S = 20. Preprocessing in (b), (c), and (d) is performed with a combination of low pass filtering and SOR.].

Ablation study

Fig 8 shows the impact of different low pass frequencies on the performance of LPF2 by setting standard deviations S to 0, 4, 8, 12, 20, 50, and 100. Setting S to different values is equivalent to generating low-frequency versions of D_LP and training and testing the model with them. In this experiment, six adversarial attacks are used to investigate the model accuracy. As shown in Fig 8, the accuracy starts to increase from S = 0 and peaks at S = 20 and then decreases. However, there are exceptions. For example, in the drop-200 attack, the accuracy peaks at S = 8 but again increases at S = 20. The amount of S that the model is trained on can significantly affect the model’s performance on adversarial attacks. If the amount of S is too small (such as 0 or 4), the object’s appearance gets closer to the sphere (as seen in Fig 1). Also, most of the high frequencies’ information is not present. In such cases, objects from different classes are not different, even in appearance. For S = 20, both the object appearance and the amount of high frequencies’ information are acceptable on average. The more S increases, the object’s appearance gets closer to the original point cloud. However, higher frequencies’ information in the objects undermines the model’s robustness to the adversarial examples.

Fig 8. Effect of different S. LPF2 results of PointNet model on ModelNet40 dataset.

Results are tested on six adversarial attacks. Numbers on horizontal axis indicate the degree of low pass versions with different S.

Robustness

Although the focus of this paper is on the adversarial robustness of the models, model training with D_LP can also improve the robustness of the models. It should be noted that adversarial robustness refers to improving model robustness on adversarial examples. But, the term robustness refers to improving the model’s performance on the original inputs. Fig 9 shows the standard accuracy in three different ways. In Method 1, the model is trained with D (the original ModelNet40 dataset). In Method 2, the model is trained with D_LP (the low pass version of the ModelNet40 dataset). In Method 3, the model is trained by a combination of D_LP and D. Also, in Methods 2 and 3, the parameter S in D_LP is set to 0, 4, 8, 12, 20, 50, and 100. The accuracy of these three methods on original test data is shown in Fig 9. Note that all the three methods are evaluated on the original ModelNet40 test dataset. The only difference is in the training data. It is seen in this Fig 9 that the accuracy of Method 3 with all S values and the accuracy of Method 2 with S values of 50 and 100 are higher than the standard accuracy, an evidence on the claim explained above.

Fig 9. Comparison of standard accuracy with three different training data on PointNet model.

Three approaches are tested on ModelNet40 test data. Numbers on horizontal axis indicate the degree of low pass versions with different S.

In Method 2, the accuracy increases with increasing the parameter S. At first (in the lower S values), the appearance of the objects (as initially shown in Fig 1) is far from the original data and model training is done only with these objects. In these cases (S = 8, 12, 20) and it makes sense for the model to predict lower accuracy than the standard accuracy (Method 1). As S increases (S = 50, 100), it is observed that the accuracy grows higher than Method 1. The appearance (refer to Fig 1) is more similar to the original one. Also, unlike Method 1, the training data still does not contain all high-frequency information, resulting in a better performance. In Method 3, adding D_LP to D increases the accuracy in all different S values. It seems that injecting low-frequency data (D_LP) alongside D can robust the model even against the original data. More interestingly, this accuracy peaks at S = 20. However, by increasing S, the accuracy remains higher than Method 1. In fact, this analysis shows that removing tiny perturbations from training data in specific directions (high frequency) can lead to boost the model robustness.

Conclusion

In this paper, a novel perspective was used to analyze adversarial perturbations. As most of the perturbations occur in high-frequency components, to select the appropriate range of high-frequency components, two experiments were conducted. According to the first experiment, Gaussian filters are more suitable than box filters for achieving cut-off frequencies. In the second experiment, by varying the Gaussian filter standard deviation on different values of S, it was concluded that S = 20 is an admissible approximation for the cut-off frequency. These results led to the development of new defense methods. Consequently, the LPF-Defense is proposed to improve the performance of models by suppressing high-frequency information in the training phase. Results showed that the LPF-Defenses increased model accuracy compared to state-of-the-art defense methods in six different adversarial attacks. It also demonstrated a positive impact on the models’ robustness against original point clouds, in addition to enhancing robustness against adversarial point clouds. It should be noted that due to the multilayer nonlinear structure of DNNs, obtaining an accurate description of them is close to impracticable. This complex structure makes model decisions dependent on numerous features. But in this paper, features are studied only from a frequency perspective, which may overlook other aspects of the model that are also important.

Supporting information

S1 Table. Comparison of various defense methods with proposed methods in terms of type, methodology, and strength of their defense.

S1 Table compares the various defense methods. The column entitled “Type” specifies the general technique that is used in each defense method. In the column entitled “Method”, a brief description of the defense method is introduced to give a better perspective. Finally, the column “strength” indicates each method’s level of success on three main attack mechanisms. Note that the information in this column is general, and the reader might refer to Tables 1–5 for a detailed comparison. Note that the defense methods of type modified input mainly focus on outlier removing and generating a uniform distribution of the points in the point cloud. On the other hand, the defense methods of type modified training train the model with the original data as well as the attack data (which contains outliers). Finally, the proposed methods take advantage of both types by training with the original data while removing the high frequency information. This covers the disadvantage of the modified training idea due to removal of outliers considered as the high frequency components.

(PDF)

S2 Table. Comparison of classification’s f1-score, precision, and recall measures of the proposed defenses with other defense strategies, under various attacks on the PointNet and ShapeNet datasets.

[F1-scores, precision, and recall results for each defense are shown in the first, second, and third row, as a percentage, respectively]. In order to analyze the performance, a confusion matrix is calculated, and then the accuracy, f1-score, precision, and recall criteria are derived from it. S2 Table displays that the proposed method performs well with all three different metrics in the ShapeNet dataset on the PointNet model.

(PDF)

S3 Table. Computational cost of preprocessing.

Time column lists the average inference time required to compute one point cloud. S3 Table compares the computational cost for the preprocessing step in different defense methods. It shows the average inference time of one adversarial point cloud (shift-l2) for several defense methods. While the low pass filtering method proposed in this paper is computationally heavier than SOR, SRS, and DUP-Net defense methods, it beats the state-of-the-art IF-Defense. The experiment is conducted on a Google Colab environment with a NVIDIA Tesla T4 GPU.

(PDF)

Data Availability

To facilitate research in this area, an open-source implementation of the method (codes) and data is available at https://github.com/kimianoorbakhsh/LPF-Defense.

Funding Statement

The author(s) received no specific funding for this work.