随着神经网络的命题点云，深入学习已经开始在3D对象识别领域发光，而研究人员则对普遍攻击进行了增长的兴趣来调查点云网络的可靠性。然而，大多数现有研究旨在欺骗人类或防御算法，而少数几个地解决了模型本身的操作原理就在关键点选择方面保持缺陷。在这项工作中，我们提出了两个对抗方法：一个点攻击（OPA）和临界遍历攻击（CTA），它包含可解释的技术，并旨在探讨点云网络的内在工作原理及其对关键点扰动的敏感性。我们的结果表明，流行点云网络可以通过从输入实例转换一个点来欺骗近100美元的成功率。此外，我们展示了不同点归因分布对点云网络的对抗鲁棒性的有趣影响。最后，我们讨论了我们的方法如何促进点云网络的解释性研究。据我们所知，这是一个关于解释性的第一个基于云的对抗方法。我们的代码可在https://github.com/explain3d/exp-one-point-atk-pc上获得。

Explainability has been widely stated as a cornerstone of the responsible and trustworthy use of machine learning models. With the ubiquitous use of Deep Neural Network (DNN) models expanding to risk-sensitive and safety-critical domains, many methods have been proposed to explain the decisions of these models. Recent years have also seen concerted efforts that have shown how such explanations can be distorted (attacked) by minor input perturbations. While there have been many surveys that review explainability methods themselves, there has been no effort hitherto to assimilate the different methods and metrics proposed to study the robustness of explanations of DNN models. In this work, we present a comprehensive survey of methods that study, understand, attack, and defend explanations of DNN models. We also present a detailed review of different metrics used to evaluate explanation methods, as well as describe attributional attack and defense methods. We conclude with lessons and take-aways for the community towards ensuring robust explanations of DNN model predictions.

虽然近年来，在2D图像领域的攻击和防御中，许多努力已经探讨了3D模型的脆弱性。现有的3D攻击者通常在点云上执行点明智的扰动，从而导致变形的结构或异常值，这很容易被人类察觉。此外，它们的对抗示例是在白盒设置下产生的，当转移到攻击远程黑匣子型号时经常遭受低成功率。在本文中，我们通过提出一种新的难以察觉的转移攻击（ITA）：1）难以察觉的3D点云攻击来自两个新的和具有挑战性的观点：1）难以察觉：沿着邻域表面的正常向量限制每个点的扰动方向，导致产生具有类似几何特性的示例，从而增强了难以察觉。 2）可转移性：我们开发了一个对抗性转变模型，以产生最有害的扭曲，并强制实施对抗性示例来抵抗它，从而提高其对未知黑匣子型号的可转移性。此外，我们建议通过学习更辨别的点云表示来培训更强大的黑盒3D模型来防御此类ITA攻击。广泛的评估表明，我们的ITA攻击比最先进的人更令人无法察觉和可转让，并验证我们的国防战略的优势。

Point cloud completion, as the upstream procedure of 3D recognition and segmentation, has become an essential part of many tasks such as navigation and scene understanding. While various point cloud completion models have demonstrated their powerful capabilities, their robustness against adversarial attacks, which have been proven to be fatally malicious towards deep neural networks, remains unknown. In addition, existing attack approaches towards point cloud classifiers cannot be applied to the completion models due to different output forms and attack purposes. In order to evaluate the robustness of the completion models, we propose PointCA, the first adversarial attack against 3D point cloud completion models. PointCA can generate adversarial point clouds that maintain high similarity with the original ones, while being completed as another object with totally different semantic information. Specifically, we minimize the representation discrepancy between the adversarial example and the target point set to jointly explore the adversarial point clouds in the geometry space and the feature space. Furthermore, to launch a stealthier attack, we innovatively employ the neighbourhood density information to tailor the perturbation constraint, leading to geometry-aware and distribution-adaptive modifications for each point. Extensive experiments against different premier point cloud completion networks show that PointCA can cause a performance degradation from 77.9% to 16.7%, with the structure chamfer distance kept below 0.01. We conclude that existing completion models are severely vulnerable to adversarial examples, and state-of-the-art defenses for point cloud classification will be partially invalid when applied to incomplete and uneven point cloud data.

Although deep learning has made remarkable progress in processing various types of data such as images, text and speech, they are known to be susceptible to adversarial perturbations: perturbations specifically designed and added to the input to make the target model produce erroneous output. Most of the existing studies on generating adversarial perturbations attempt to perturb the entire input indiscriminately. In this paper, we propose ExploreADV, a general and flexible adversarial attack system that is capable of modeling regional and imperceptible attacks, allowing users to explore various kinds of adversarial examples as needed. We adapt and combine two existing boundary attack methods, DeepFool and Brendel\&Bethge Attack, and propose a mask-constrained adversarial attack system, which generates minimal adversarial perturbations under the pixel-level constraints, namely ``mask-constraints''. We study different ways of generating such mask-constraints considering the variance and importance of the input features, and show that our adversarial attack system offers users good flexibility to focus on sub-regions of inputs, explore imperceptible perturbations and understand the vulnerability of pixels/regions to adversarial attacks. We demonstrate our system to be effective based on extensive experiments and user study.

利用3D点云数据已经成为在面部识别和自动驾驶等许多领域部署人工智能的迫切需要。然而，3D点云的深度学习仍然容易受到对抗的攻击，例如迭代攻击，点转换攻击和生成攻击。这些攻击需要在严格的界限内限制对抗性示例的扰动，导致不切实际的逆势3D点云。在本文中，我们提出了对普遍的图形 - 卷积生成的对抗网络（ADVGCGAN）从头开始产生视觉上现实的对抗3D点云。具体地，我们使用图形卷积发电机和带有辅助分类器的鉴别器来生成现实点云，从真实3D数据学习潜在分布。不受限制的对抗性攻击损失纳入GaN的特殊逆势训练中，使得发电机能够产生对抗实例来欺骗目标网络。与现有的最先进的攻击方法相比，实验结果表明了我们不受限制的对抗性攻击方法的有效性，具有更高的攻击成功率和视觉质量。此外，拟议的Advgcan可以实现更好的防御模型和比具有强烈伪装的现有攻击方法更好的转移性能。

3D动态点云提供了现实世界中的对象或运动场景的离散表示，这些对象已被广泛应用于沉浸式触发，自主驾驶，监视，\ textit {etc}。但是，从传感器中获得的点云通常受到噪声的扰动，这会影响下游任务，例如表面重建和分析。尽管为静态点云降级而做出了许多努力，但很少有作品解决动态点云降级。在本文中，我们提出了一种新型的基于梯度的动态点云降解方法，利用了梯度场估计的时间对应关系，这也是动态点云处理和分析中的基本问题。梯度场是嘈杂点云的对数概况函数的梯度，我们基于我们执行梯度上升，以使每个点收敛到下面的清洁表面。我们通过利用时间对应关系来估计每个表面斑块的梯度，在该时间对应关系中，在经典力学中搜索了在刚性运动的情况下搜索的时间对应贴片。特别是，我们将每个贴片视为一个刚性对象，它通过力在相邻框架的梯度场中移动，直到达到平衡状态，即当贴片上的梯度总和到达0时。由于梯度在该点更接近下面的表面，平衡贴片将适合下层表面，从而导致时间对应关系。最后，沿贴片中每个点的位置沿相邻帧中相应的贴片平均的梯度方向更新。实验结果表明，所提出的模型优于最先进的方法。

随着各种3D安全关键应用的关注，点云学习模型已被证明容易受到对抗性攻击的影响。尽管现有的3D攻击方法达到了很高的成功率，但它们会以明显的扰动来深入研究数据空间，这可能会忽略几何特征。取而代之的是，我们从新的角度提出了点云攻击 - 图谱域攻击，旨在在光谱域中扰动图形转换系数，该系数对应于改变某些几何结构。具体而言，利用图形信号处理，我们首先通过图形傅立叶变换（GFT）自适应地将点的坐标转换为光谱域，以进行紧凑的表示。然后，我们基于我们建议通过可学习的图形光谱滤波器扰动GFT系数的几何结构的影响。考虑到低频组件主要有助于3D对象的粗糙形状，我们进一步引入了低频约束，以限制不察觉到的高频组件中的扰动。最后，通过将扰动的光谱表示形式转换回数据域，从而生成对抗点云。实验结果证明了拟议攻击的有效性，这些攻击既有易经性和攻击成功率。

最近，3D深度学习模型已被证明易于对其2D对应物的对抗性攻击影响。大多数最先进的（SOTA）3D对抗性攻击对3D点云进行扰动。为了在物理场景中再现这些攻击，需要重建生成的对抗3D点云以网状，这导致其对抗效果显着下降。在本文中，我们提出了一个名为Mesh攻击的强烈的3D对抗性攻击，通过直接对3D对象的网格进行扰动来解决这个问题。为了利用最有效的基于梯度的攻击，介绍了一种可差异化的样本模块，其反向传播点云梯度以网格传播。为了进一步确保没有异常值和3D可打印的对抗性网状示例，采用了三种网格损耗。广泛的实验表明，所提出的方案优于SOTA 3D攻击，通过显着的保证金。我们还在各种防御下实现了SOTA表现。我们的代码可用于：https：//github.com/cuge1995/mesh-attack。

Deep learning methods have gained increased attention in various applications due to their outstanding performance. For exploring how this high performance relates to the proper use of data artifacts and the accurate problem formulation of a given task, interpretation models have become a crucial component in developing deep learning-based systems. Interpretation models enable the understanding of the inner workings of deep learning models and offer a sense of security in detecting the misuse of artifacts in the input data. Similar to prediction models, interpretation models are also susceptible to adversarial inputs. This work introduces two attacks, AdvEdge and AdvEdge$^{+}$, that deceive both the target deep learning model and the coupled interpretation model. We assess the effectiveness of proposed attacks against two deep learning model architectures coupled with four interpretation models that represent different categories of interpretation models. Our experiments include the attack implementation using various attack frameworks. We also explore the potential countermeasures against such attacks. Our analysis shows the effectiveness of our attacks in terms of deceiving the deep learning models and their interpreters, and highlights insights to improve and circumvent the attacks.

已知深度神经网络（DNN）容易受到用不可察觉的扰动制作的对抗性示例的影响，即，输入图像的微小变化会引起错误的分类，从而威胁着基于深度学习的部署系统的可靠性。经常采用对抗训练（AT）来通过训练损坏和干净的数据的混合物来提高DNN的鲁棒性。但是，大多数基于AT的方法在处理\ textit {转移的对抗示例}方面是无效的，这些方法是生成以欺骗各种防御模型的生成的，因此无法满足现实情况下提出的概括要求。此外，对抗性训练一般的国防模型不能对具有扰动的输入产生可解释的预测，而不同的领域专家则需要一个高度可解释的强大模型才能了解DNN的行为。在这项工作中，我们提出了一种基于Jacobian规范和选择性输入梯度正则化（J-SIGR）的方法，该方法通过Jacobian归一化提出了线性化的鲁棒性，还将基于扰动的显着性图正规化，以模仿模型的可解释预测。因此，我们既可以提高DNN的防御能力和高解释性。最后，我们评估了跨不同体系结构的方法，以针对强大的对抗性攻击。实验表明，提出的J-Sigr赋予了针对转移的对抗攻击的鲁棒性，我们还表明，来自神经网络的预测易于解释。

基于深度神经网络（DNN）的智能信息（IOT）系统已被广泛部署在现实世界中。然而，发现DNNS易受对抗性示例的影响，这提高了人们对智能物联网系统的可靠性和安全性的担忧。测试和评估IOT系统的稳健性成为必要和必要。最近已经提出了各种攻击和策略，但效率问题仍未纠正。现有方法是计算地广泛或耗时，这在实践中不适用。在本文中，我们提出了一种称为攻击启发GaN（AI-GaN）的新框架，在有条件地产生对抗性实例。曾经接受过培训，可以有效地给予对抗扰动的输入图像和目标类。我们在白盒设置的不同数据集中应用AI-GaN，黑匣子设置和由最先进的防御保护的目标模型。通过广泛的实验，AI-GaN实现了高攻击成功率，优于现有方法，并显着降低了生成时间。此外，首次，AI-GaN成功地缩放到复杂的数据集。 Cifar-100和Imagenet，所有课程中的成功率约为90美元。

Recent research has revealed that the output of Deep Neural Networks (DNN) can be easily altered by adding relatively small perturbations to the input vector. In this paper, we analyze an attack in an extremely limited scenario where only one pixel can be modified. For that we propose a novel method for generating one-pixel adversarial perturbations based on differential evolution (DE). It requires less adversarial information (a blackbox attack) and can fool more types of networks due to the inherent features of DE. The results show that 67.97% of the natural images in Kaggle CIFAR-10 test dataset and 16.04% of the ImageNet (ILSVRC 2012) test images can be perturbed to at least one target class by modifying just one pixel with 74.03% and 22.91% confidence on average. We also show the same vulnerability on the original CIFAR-10 dataset. Thus, the proposed attack explores a different take on adversarial machine learning in an extreme limited scenario, showing that current DNNs are also vulnerable to such low dimension attacks. Besides, we also illustrate an important application of DE (or broadly speaking, evolutionary computation) in the domain of adversarial machine learning: creating tools that can effectively generate lowcost adversarial attacks against neural networks for evaluating robustness.

基于深度学习的图像识别系统已广泛部署在当今世界的移动设备上。然而，在最近的研究中，深入学习模型被证明易受对抗的例子。一种逆势例的一个变种，称为对抗性补丁，由于其强烈的攻击能力而引起了研究人员的注意。虽然对抗性补丁实现了高攻击成功率，但由于补丁和原始图像之间的视觉不一致，它们很容易被检测到。此外，它通常需要对文献中的对抗斑块产生的大量数据，这是计算昂贵且耗时的。为了解决这些挑战，我们提出一种方法来产生具有一个单一图像的不起眼的对抗性斑块。在我们的方法中，我们首先通过利用多尺度发生器和鉴别器来决定基于受害者模型的感知敏感性的补丁位置，然后以粗糙的方式产生对抗性斑块。鼓励修补程序与具有对抗性训练的背景图像一致，同时保留强烈的攻击能力。我们的方法显示了白盒设置中的强烈攻击能力以及通过对具有不同架构和培训方法的各种型号的广泛实验，通过广泛的实验进行黑盒设置的优异转移性。与其他对抗贴片相比，我们的对抗斑块具有最大忽略的风险，并且可以避免人类观察，这是由显着性图和用户评估结果的插图支持的人类观察。最后，我们表明我们的对抗性补丁可以应用于物理世界。

尽管机器学习系统的效率和可扩展性，但最近的研究表明，许多分类方法，尤其是深神经网络（DNN），易受对抗的例子;即，仔细制作欺骗训练有素的分类模型的例子，同时无法区分从自然数据到人类。这使得在安全关键区域中应用DNN或相关方法可能不安全。由于这个问题是由Biggio等人确定的。 （2013）和Szegedy等人。（2014年），在这一领域已经完成了很多工作，包括开发攻击方法，以产生对抗的例子和防御技术的构建防范这些例子。本文旨在向统计界介绍这一主题及其最新发展，主要关注对抗性示例的产生和保护。在数值实验中使用的计算代码（在Python和R）公开可用于读者探讨调查的方法。本文希望提交人们将鼓励更多统计学人员在这种重要的令人兴奋的领域的产生和捍卫对抗的例子。

Video classification systems are vulnerable to adversarial attacks, which can create severe security problems in video verification. Current black-box attacks need a large number of queries to succeed, resulting in high computational overhead in the process of attack. On the other hand, attacks with restricted perturbations are ineffective against defenses such as denoising or adversarial training. In this paper, we focus on unrestricted perturbations and propose StyleFool, a black-box video adversarial attack via style transfer to fool the video classification system. StyleFool first utilizes color theme proximity to select the best style image, which helps avoid unnatural details in the stylized videos. Meanwhile, the target class confidence is additionally considered in targeted attacks to influence the output distribution of the classifier by moving the stylized video closer to or even across the decision boundary. A gradient-free method is then employed to further optimize the adversarial perturbations. We carry out extensive experiments to evaluate StyleFool on two standard datasets, UCF-101 and HMDB-51. The experimental results demonstrate that StyleFool outperforms the state-of-the-art adversarial attacks in terms of both the number of queries and the robustness against existing defenses. Moreover, 50% of the stylized videos in untargeted attacks do not need any query since they can already fool the video classification model. Furthermore, we evaluate the indistinguishability through a user study to show that the adversarial samples of StyleFool look imperceptible to human eyes, despite unrestricted perturbations.

Deep learning-based 3D object detectors have made significant progress in recent years and have been deployed in a wide range of applications. It is crucial to understand the robustness of detectors against adversarial attacks when employing detectors in security-critical applications. In this paper, we make the first attempt to conduct a thorough evaluation and analysis of the robustness of 3D detectors under adversarial attacks. Specifically, we first extend three kinds of adversarial attacks to the 3D object detection task to benchmark the robustness of state-of-the-art 3D object detectors against attacks on KITTI and Waymo datasets, subsequently followed by the analysis of the relationship between robustness and properties of detectors. Then, we explore the transferability of cross-model, cross-task, and cross-data attacks. We finally conduct comprehensive experiments of defense for 3D detectors, demonstrating that simple transformations like flipping are of little help in improving robustness when the strategy of transformation imposed on input point cloud data is exposed to attackers. Our findings will facilitate investigations in understanding and defending the adversarial attacks against 3D object detectors to advance this field.

Adaptive attacks have (rightfully) become the de facto standard for evaluating defenses to adversarial examples. We find, however, that typical adaptive evaluations are incomplete. We demonstrate that thirteen defenses recently published at ICLR, ICML and NeurIPS-and which illustrate a diverse set of defense strategies-can be circumvented despite attempting to perform evaluations using adaptive attacks. While prior evaluation papers focused mainly on the end result-showing that a defense was ineffective-this paper focuses on laying out the methodology and the approach necessary to perform an adaptive attack. Some of our attack strategies are generalizable, but no single strategy would have been sufficient for all defenses. This underlines our key message that adaptive attacks cannot be automated and always require careful and appropriate tuning to a given defense. We hope that these analyses will serve as guidance on how to properly perform adaptive attacks against defenses to adversarial examples, and thus will allow the community to make further progress in building more robust models.

Although deep neural networks (DNNs) have achieved great success in many tasks, they can often be fooled by adversarial examples that are generated by adding small but purposeful distortions to natural examples. Previous studies to defend against adversarial examples mostly focused on refining the DNN models, but have either shown limited success or required expensive computation. We propose a new strategy, feature squeezing, that can be used to harden DNN models by detecting adversarial examples. Feature squeezing reduces the search space available to an adversary by coalescing samples that correspond to many different feature vectors in the original space into a single sample. By comparing a DNN model's prediction on the original input with that on squeezed inputs, feature squeezing detects adversarial examples with high accuracy and few false positives.This paper explores two feature squeezing methods: reducing the color bit depth of each pixel and spatial smoothing. These simple strategies are inexpensive and complementary to other defenses, and can be combined in a joint detection framework to achieve high detection rates against state-of-the-art attacks.

Deep neural networks (DNNs) are one of the most prominent technologies of our time, as they achieve state-of-the-art performance in many machine learning tasks, including but not limited to image classification, text mining, and speech processing. However, recent research on DNNs has indicated ever-increasing concern on the robustness to adversarial examples, especially for security-critical tasks such as traffic sign identification for autonomous driving. Studies have unveiled the vulnerability of a well-trained DNN by demonstrating the ability of generating barely noticeable (to both human and machines) adversarial images that lead to misclassification. Furthermore, researchers have shown that these adversarial images are highly transferable by simply training and attacking a substitute model built upon the target model, known as a black-box attack to DNNs.Similar to the setting of training substitute models, in this paper we propose an effective black-box attack that also only has access to the input (images) and the output (confidence scores) of a targeted DNN. However, different from leveraging attack transferability from substitute models, we propose zeroth order optimization (ZOO) based attacks to directly estimate the gradients of the targeted DNN for generating adversarial examples. We use zeroth order stochastic coordinate descent along with dimension reduction, hierarchical attack and importance sampling techniques to * Pin-Yu Chen and Huan Zhang contribute equally to this work.