A Comprehensive Understanding of the Impact of Data Augmentation on the Transferability of 3D Adversarial Examples

3D point cloud classifiers exhibit vulnerability to imperceptible perturbations, which poses a serious threat to the security and reliability of deep learning models in practical applications, making the robustness evaluation of deep 3D point cloud models increasingly important. Due to the difficulty in obtaining model parameters, black-box attacks have become a mainstream means of assessing the adversarial robustness of 3D classification models. The core of improving the transferability of adversarial examples generated by black-box attacks is to generate better generalized adversarial examples, where data augmentation has become one of the popular approaches. In this article, we employ five mainstream attack methods and combine six data augmentation strategies, namely point dropping, flipping, rotating, scaling, shearing, and translating, in order to comprehensively explore the impact of these strategies on the transferability of adversarial examples. Our research reveals that data augmentation methods generally improve the transferability of the adversarial examples, and the effect is better when the methods are stacked. The interaction between data augmentation methods, model characteristics, attack, and defense strategies collectively determines the transferability of adversarial examples. In order to comprehensively understand and improve the effectiveness of adversarial examples, it is necessary to comprehensively consider these complex interrelationships.