梯度自适应调整驱动的三维目标识别对抗攻击方法

刘伟权; 沈晓影; 刘敦强; 孙宴文; 蔡国榕; 臧彧; 沈思淇; 王程

doi:10.11999/JEIT251264

梯度自适应调整驱动的三维目标识别对抗攻击方法

doi: 10.11999/JEIT251264 cstr: 32379.14.JEIT251264

1.
集美大学计算机工程学院厦门 361021
2.
厦门大学信息学院厦门 361005

基金项目: 国家自然科学基金(62401225, 62471415)，福建省自然科学基金(2025J0141, 2024J01115, 2023J01004，2023J01804)，厦门市自然科学基金(3502Z202472018)

详细信息

作者简介:
刘伟权：男，博士，副教授，研究方向为三维视觉、三维对抗学习、激光雷达数据智能处理

沈晓影：女，本科生，研究方向为三维对抗学习、激光雷达数据智能处理

刘敦强：男，博士生，研究方向为三维视觉、激光雷达数据智能处理、激光雷达视觉定位

孙宴文：男，硕士生，研究方向为三维视觉、三维对抗学习、激光雷达数据智能处理

蔡国榕：男，博士，教授，研究方向为计算视觉、遥感影像智能处理

臧彧：男，博士，教授，研究方向为三维视觉、激光雷达数据智能处理

沈思淇：男，博士，教授，研究方向为三维视觉、激光雷达数据智能处理

王程：男，博士，教授，研究方向为三维视觉、激光雷达数据智能处理、空间大数据分析

通讯作者:
王程　cwang@xmu.edu.cn

中图分类号: TP311
计量
- 文章访问数: 33
- HTML全文浏览量: 18
- PDF下载量: 2
- 被引次数: 0
出版历程
- 收稿日期: 2025-11-13
- 修回日期: 2026-01-04
- 录用日期: 2026-01-04
- 网络出版日期: 2026-01-15

Adversarial Attacks on 3D Target Recognition Driven by Gradient Adaptive Adjustment

1.
College of Computer Engineering, Jimei University, Xiamen 361021, China
2.
School of Informatics, Xiamen University, Xiamen 361005, China

Funds: The National Natural Science Foundation of China (62401225, 62471415), The Fujian Provincial Natural Science Foundation of China (2025J0141, 2024J01115, 2023J01004), The Xiamen Natural Science Foundation of China (3502Z202472018)

摘要

摘要: 近年来，人工智能技术与光电感知系统深度融合，有力推动了智能驾驶技术的发展。激光雷达作为核心光电感知手段，能够获取高精度、高分辨的三维点云数据，已成为智能驾驶环境感知系统中不可或缺的新型信息来源。然而，基于深度学习的三维点云识别模型在面对对抗点云时表现出显著的脆弱性，极易受到精心设计的扰动攻击，导致识别性能急剧下降，对智能驾驶光电感知系统的安全构成了严峻挑战。因此，研究三维点云对抗攻击方法，不仅对提升光电信息处理模型的鲁棒性具有重要意义，更是保障智能驾驶系统安全可靠运行的关键一环。现有攻击方法虽在攻击有效性上有所提升，但生成扰动不够隐蔽，易产生离群点且不可感知性较差，限制了其在真实光电感知场景中的应用。为此，该文提出一种基于梯度自适应调整驱动的点云对抗攻击方法(GAA)。该方法首先分析三维点云分类网络的决策脆弱性，筛选对模型输出影响显著的关键点集；进而结合各点的局部曲率信息自适应调整梯度权重，并在主曲率方向的几何约束下优化扰动生成，从而在保证较高攻击成功率的同时，有效维持对抗点云的几何一致性与视觉自然性。在多个公开数据集上的实验结果表明，该方法在实现高攻击成功率的同时，显著降低了扰动强度，以ModelNet40数据集为例，在PointNet模型上平均仅扰动28个点便可达到97.69%的攻击成功率，显著优于现有对比方法，为评估和提升智能驾驶光电感知系统的安全性提供了有效工具。
- 三维点云 /
- 目标识别 /
- 对抗攻击
Abstract: In recent years, the deep integration of artificial intelligence and optoelectronic perception systems has significantly propelled the advancement of intelligent driving technologies, with LiDAR serving as a core sensing modality that acquires high-precision, high-resolution three-dimensional point cloud data, thereby establishing itself as an indispensable information source for environmental perception in intelligent driving systems. However, deep learning-based 3D point cloud recognition models exhibit marked vulnerability to meticulously crafted adversarial perturbations, leading to a sharp degradation in recognition performance and posing a serious security challenge to these optoelectronic perception systems. Research on adversarial attack methods for 3D point clouds is therefore crucial not only for enhancing model robustness but also for ensuring the safe and reliable operation of intelligent driving systems. While existing attack methods have improved in effectiveness, their generated perturbations often lack concealment, produce outliers, and demonstrate poor imperceptibility, limiting their practical application in real-world scenarios. To address these issues, this paper proposes a Gradient Adaptive Adjustment (GAA) driven point cloud adversarial attack method. This approach begins by analyzing the decision-level vulnerabilities of 3D point cloud classifiers to identify key points significantly influencing the model’s output. It then adaptively adjusts gradient weights by incorporating local curvature information and optimizes perturbation generation under geometric constraints aligned with principal curvature directions, thereby ensuring a high attack success rate while maintaining the geometric consistency and visual naturalness of the adversarial point cloud. Experimental results on multiple public datasets demonstrate that the proposed method achieves a high attack success rate while significantly reducing perturbation intensity; for instance, on the ModelNet40 dataset against the PointNet model, it attains a 97.69% attack success rate by perturbing only 28 points on average, substantially outperforming existing comparative methods and providing an effective tool for evaluating and enhancing the security of intelligent driving optoelectronic perception systems.
- 3D point cloud /
- target recognition /
- adversarial attack

HTML全文

图 1 对抗点云在智能驾驶系统中识别错误

下载: 全尺寸图片幻灯片

图 2 算法总体框架图

下载: 全尺寸图片幻灯片

图 3 三维点云目标显著性图

下载: 全尺寸图片幻灯片

图 4 ModelNet40^[19]中的对抗点云可视化

下载: 全尺寸图片幻灯片

图 5 在ModelNet40^[19]数据集上，攻击模型为PointNet^[22]时，不同的显著区域数量K对本文方法的影响

下载: 全尺寸图片幻灯片

表 1 当攻击模型为PointNet^[22]时，不同的对抗攻击方法在ModelNet40^[19]上的性能对比

对抗攻击方法	攻击成功率	Chamfer距离	Hausdorff距离	扰动点数
Jaeyeon Kim^[10]	89.38%	1.55×10^–4	1.88×10^–2	36
Xiang et al. ^[8]	85.9%	1.77×10^–4	2.38×10^–2	967
Adversarial sink^[25]	88.30%	7.65×10^–3	1.92×10^–1	1024
Adversarial stick^[25]	83.70%	4.93×10^–3	1.49×10^–1	210
Random selection^[26]	55.56%	7.47×10^–4	2.49×10^–3	413
Critical selectio^[26]	18.99%	1.15×10^–4	9.39×10^–3	50
Saliency map/critical frequency^[11]	63.18%	5.72×10^–4	2.50×10^–3	303
Saliency map/low-score^[11]	55.97%	6.47×10^–4	2.50×10^–2	358
Saliency map/high-score^[11]	58.39%	7.52×10^–4	2.48×10^–3	424
AL-Adv^[27]	92.92%	2.36×10^–4	4.66×10^–2	40
GAA(本文方法)	97.69%	1.22×10^–4	4.42×10^–2	28

下载: 导出CSV

表 2 ModelNet40^[19]数据集上攻击不同的三维网络模型

攻击的模型	攻击成功率	Chamfer距离	Hausdorff距离	扰动点数
PointNet^[22]	97.69%	1.22×10^–4	4.42×10^–2	28
DGCNN^[23]	99.78%	5.64×10^–4	5.09×10^–2	153
PointConv^[24]	96.91%	3.14×10^–4	4.83×10^–2	174

下载: 导出CSV

表 3 在ShapeNetPart^[20]数据集上攻击不同的三维网络模型

攻击的模型	攻击成功率	Chamfer距离	Hausdorff距离	扰动点数
PointNet^[22]	99.00%	2.60×10^–4	1.10×10^–1	33
DGCNN^[23]	100.00%	1.21×10^–3	1.76×10^–1	225
PointConv^[24]	97.69%	1.05×10^–3	1.37×10^–1	258

下载: 导出CSV

表 4 在ModelNet40^[19]数据集上，攻击模型为PointNet^[22]时，不同显著性区域数量K对本文方法的影响

K	攻击成功率	Chamfer距离	Hausdorff距离	扰动点数
1	87.03%	1.84×10^–4	1.28×10^–1	6
2	93.63%	1.49×10^–4	7.77×10^–2	11
3	95.60%	1.36×10^–4	6.06×10^–2	17
4	96.70%	1.23×10^–4	4.81×10^–2	22
5	97.69%	1.22×10^–4	4.42×10^–2	28
6	98.02%	1.21×10^–4	3.76×10^–2	34

下载: 导出CSV

表 5 在Kitti^[21]数据集上攻击不同的三维网络模型

	攻击成功率	Chamfer距离	Hausdorff距离	扰动点数
PointNet^[22]	99.33%	6.77×10^–4	2.20×10^–1	38
DGCNN^[23]	99.66%	5.83×10^–4	8.86×10^–2	136
PointConv^[24]	97.15%	1.21×10^–4	1.51×10^–1	138

下载: 导出CSV

表 6 在Kitti^[21]数据集上，攻击模型为PointNet^[22]时，不同显著性区域数量K对本文方法的影响

K	攻击成功率	Chamfer距离	Hausdorff距离	扰动点数
1	90.00%	1.41×10^–3	9.45×10^–1	8
2	97.33%	8.56×10^–4	4.04×10^–1	16
3	98.67%	8.52×10^–4	3.94×10^–1	24
4	99.33%	6.58×10^–4	2.50×10^–1	32
5	99.33%	6.77×10^–4	2.20×10^–1	38
6	100.00%	5.18×10^–4	1.69×10^–1	47

下载: 导出CSV

参考文献(28)

[1]	LIU Weiquan, XIE Min, HUANG Xingwang, et al. Generating transferable traffic object adversarial 3D point clouds via momentum-based decompose perturbation[J]. ISPRS Annals of the Photogrammetry, Remote Sensing and Spatial Information Sciences, 2025, X-1/W2-2025: 83–89. doi: 10.5194/isprs-annals-X-1-W2-2025-83-2025.
[2]	CAO Yulong, XIAO Chaowei, CYR B, et al. Adversarial sensor attack on LiDAR-based perception in autonomous driving[C]. Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, New York, USA, 2019: 2267–2281. doi: 10.1145/3319535.3339815.
[3]	ZHENG Shijun, LIU Weiquan, GUO Yu, et al. A new adversarial perspective for LiDAR-based 3D object detection[C]. Proceedings of the 39th AAAI Conference on Artificial Intelligence), Philadelphia, USA, 2025: 10608–10616. doi: 10.1609/aaai.v39i10.33152.
[4]	吴涛, 纪琼辉, 先兴平, 等. 信息熵驱动的图神经网络黑盒迁移对抗攻击方法[J]. 电子与信息学报, 2025, 47(10): 3814–3825. doi: 10.11999/JEIT250303. WU Tao, JI Qionghui, XIAN Xingping, et al. Information entropy-driven black-box transferable adversarial attack method for graph neural networks[J]. Journal of Electronics & Information Technology, 2025, 47(10): 3814–3825. doi: 10.11999/JEIT250303.
[5]	刘伟权, 郑世均, 郭宇, 等. 三维点云目标识别对抗攻击研究综述[J]. 电子与信息学报, 2024, 46(5): 1645–1657. doi: 10.11999/JEIT231188. LIU Weiquan, ZHENG Shijun, GUO Yu, et al. A survey of adversarial attacks on 3D point cloud object recognition[J]. Journal of Electronics & Information Technology, 2024, 46(5): 1645–1657. doi: 10.11999/JEIT231188.
[6]	LIU D, YU R, and SU Hao. Extending adversarial attacks and defenses to deep 3D point cloud classifiers[C]. 2019 IEEE International Conference on Image Processing (ICIP), Taipei, China, 2019: 2279–2283. doi: 10.1109/ICIP.2019.8803770.
[7]	DONG Xiaoyi, CHEN Dongdong, ZHOU Hang, et al. Self-robust 3D point recognition via gather-vector guidance[C]. 2020 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), Seattle, USA, 2020: 11513–11521. doi: 10.1109/CVPR42600.2020.01153.
[8]	XIANG Chong, QI C R, and LI Bo. Generating 3D adversarial point clouds[C]. 2019 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), Long Beach, USA, 2019: 9128–9136. doi: 10.1109/CVPR.2019.00935. (查阅网上资料,不确定标黄作者拼写是否正确,请确认).
[9]	GUO Yu, LIU Weiquan, XU Qingshan, et al. Boosting adversarial transferability through augmentation in hypothesis space[C]. 2025 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), Nashville, USA, 2025: 19175–19185. doi: 10.1109/CVPR52734.2025.01786.
[10]	KIM J, HUA B S, NGUYEN D T, et al. Minimal adversarial examples for deep learning on 3D point clouds[C]. 2021 IEEE/CVF International Conference on Computer Vision (ICCV), Montreal, Canada, 2021: 7777–7786. doi: 10.1109/ICCV48922.2021.00770.
[11]	ZHENG Tianhang, CHEN Changyou, YUAN Junsong, et al. PointCloud saliency maps[C]. 2019 IEEE/CVF International Conference on Computer Vision (ICCV), Seoul, Korea (South), 2019: 1598–1606. doi: 10.1109/ICCV.2019.00168.
[12]	ZHENG Shijun, LIU Weiquan, GUO Yu, et al. SR-Adv: Salient region adversarial attacks on 3D point clouds for autonomous driving[J]. IEEE Transactions on Intelligent Transportation Systems, 2024, 25(10): 14019–14030. doi: 10.1109/TITS.2024.3406153.
[13]	ZHANG Jianping, GU Wenwei, HUANG Yizhan, et al. Curvature-invariant adversarial attacks for 3D point clouds[C]. Proceedings of the 38th AAAI Conference on Artificial Intelligence, Vancouver, Canada, 2024: 7142–7150. doi: 10.1609/aaai.v38i7.28542.
[14]	ZHANG Zihao, SANG Nan, WANG Xupeng, et al. SC-Net: Salient point and curvature based adversarial point cloud generation network[C]. ICASSP 2023 – IEEE International Conference on Acoustics, Speech and Signal Processing, Rhodes Island, Greece, 2023: 1–5. doi: 10.1109/ICASSP49357.2023.10094878.
[15]	钱亚冠, 孔亚鑫, 陈科成, 等. 利用频谱衰减增强深度神经网络对抗迁移攻击[J]. 电子与信息学报, 2025, 47(10): 3847–3857. doi: 10.11999/JEIT250157. QIAN Yaguan, KONG Yaxin, CHEN Kecheng, et al. Adversarial transferability attack on deep neural networks through spectral coefficient decay[J]. Journal of Electronics & Information Technology, 2025, 47(10): 3847–3857. doi: 10.11999/JEIT250157.
[16]	KUHN H W. Classics in Game Theory[M]. Princeton: Princeton University Press, 1997. doi: 10.2307/j.ctv173f1fh. (查阅网上资料,未找到本条文献页码信息,请补充).
[17]	LIU Weiquan, LIU Minghao, ZHENG Shijun, et al. Interpreting hidden semantics in the intermediate layers of 3D point cloud classification neural network[J]. IEEE Transactions on Multimedia, 2025, 27: 965–977. doi: 10.1109/TMM.2023.3345147.
[18]	CARLINI N and WAGNER D. Towards evaluating the robustness of neural networks[C]. 2017 IEEE Symposium on Security and Privacy, San Jose, USA, 2017: 39–57. doi: 10.1109/SP.2017.49.
[19]	WU Zhirong, SONG Shuran, KHOSLA A, et al. 3D ShapeNets: A deep representation for volumetric shapes[C]. 2015 IEEE Conference on Computer Vision and Pattern Recognition (CVPR), Boston, USA, 2015: 1912–1920. doi: 10.1109/CVPR.2015.7298801.
[20]	CHANG A X, FUNKHOUSER T, GUIBAS L, et al. ShapeNet: An information-rich 3D model repository[J]. arXiv preprint arXiv: 1512.03012, 2015. doi: 10.48550/arXiv.1512.03012. (查阅网上资料,不确定本条文献类型及格式是否正确,请确认).
[21]	GEIGER A, LENZ P, and URTASUN R. Are we ready for autonomous driving? The KITTI vision benchmark suite[C]. 2012 IEEE Conference on Computer Vision and Pattern Recognition, Providence, USA, 2012: 3354–3361. doi: 10.1109/CVPR.2012.6248074.
[22]	QI C R, SU Hao, KAICHUN M, et al. PointNet: Deep learning on point sets for 3D classification and segmentation[C]. 2017 IEEE Conference on Computer Vision and Pattern Recognition (CVPR), Honolulu, USA, 2017: 77–85. doi: 10.1109/CVPR.2017.16. (查阅网上资料,不确定标黄作者拼写是否正确,请确认).
[23]	WANG Yue, SUN Yongbin, LIU Ziwei, et al. Dynamic graph CNN for learning on point clouds[J]. ACM Transactions on Graphics (TOG), 2019, 38(5): 146. doi: 10.1145/3326362.
[24]	WU Wenxuan, QI Zhongang, and LI Fuxin. PointConv: Deep convolutional networks on 3D point clouds[C]. 2019 IEEE/CVF Conference on Computer Vision and Pattern Recognition, Long Beach, USA, 2019: 9613–9622. doi: 10.1109/CVPR.2019.00985. (查阅网上资料,不确定标黄作者拼写是否正确,请确认).
[25]	LIU D, YU R, and SU Hao. Adversarial shape perturbations on 3D point clouds[C]. European Conference on Computer Vision, Glasgow, UK, 2020: 88–104. doi: 10.1007/978-3-030-66415-2_6.
[26]	WICKER M and KWIATKOWSKA M. Robustness of 3D deep learning in an adversarial setting[C]. 2019 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), Long Beach, USA, 2019: 11759–11767. doi: 10.1109/CVPR.2019.01204.
[27]	ZHENG Shijun, LIU Weiquan, SHEN Siqi, et al. Adaptive local adversarial attacks on 3D point clouds[J]. Pattern Recognition, 2023, 144: 109825. doi: 10.1016/j.patcog.2023.109825.
[28]	陈卓, 江辉, 周杨. 一种面向联邦学习对抗攻击的选择性防御策略[J]. 电子与信息学报, 2024, 46(3): 1119–1127. doi: 10.11999/JEIT230137. CHEN Zhuo, JIANG Hui, and ZHOU Yang. A selective defense strategy for federated learning against attacks[J]. Journal of Electronics & Information Technology, 2024, 46(3): 1119–1127. doi: 10.11999/JEIT230137.