TY - GEN
T1 - FAGA
T2 - 2025 International Conference on Virtual Reality and Visualization, ICVRV 2025
AU - Gao, Yuze
AU - Cao, Zhenxing
AU - Zhu, Peican
AU - Tang, Keke
N1 - Publisher Copyright:
© 2025 IEEE.
PY - 2025
Y1 - 2025
N2 - While widely employed in 3D applications like virtual reality (VR) and autonomous driving, neural networks for point cloud processing have demonstrated an alarming vulnerability to adversarial attacks, particularly under black-box settings. Among black-box attacks, transfer-based methods craft adversarial examples on a surrogate model with high transferability to multiple victim models, making them well-suited for realistic scenarios and essential for robustness assessment. However, current transfer-based 3D adversarial attack methods often over-rely on the surrogate model and become trapped in local optima, resulting in degraded transferability. To address this limitation, we propose a novel framework, the FeAture-level Gradient momentum Attack (FAGA), which generates adversarial examples by directly perturbing the intermediate features of the surrogate model to produce more generalized cross-model attacks. We observe that gradients from individual optimization steps tend to overfit the surrogate model, resulting in sub-optimal transferability. Thus, we employ a gradient momentum mechanism that accumulates historical gradients, producing smoother, more stable, and highly generalizable feature gradients. Additionally, we introduce a dynamic soft labeling strategy that regularizes the optimization process, guiding the adversarial examples to settle in broader and flatter regions of the loss landscape, thereby mitigating overfitting. Extensive experiments demonstrate that FAGA significantly outperforms existing state-of-the-art methods.
KW - 3D Model Robustness
KW - Adversarial attacks
KW - Deep neural networks
KW - Point clouds
KW - Transferability
UR - https://www.scopus.com/pages/publications/105035367552
U2 - 10.1109/ICVRV67992.2025.00111
DO - 10.1109/ICVRV67992.2025.00111
M3 - Conference contribution
AN - SCOPUS:105035367552
T3 - Proceedings - 2025 International Conference on Virtual Reality and Visualization, ICVRV 2025
SP - 618
EP - 623
BT - Proceedings - 2025 International Conference on Virtual Reality and Visualization, ICVRV 2025
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 19 December 2025 through 21 December 2025
ER -