ANF: Crafting Transferable Adversarial Point Clouds via Adversarial Noise Factorization

Transfer-based adversarial attacks involve generating adversarial point clouds in surrogate models and transferring them to other models to assess 3D model robustness. However, current methods rely too much on surrogate model parameters, limiting transferability. In this work, we use Shapley value to identify positive and negative features, guiding optimization of adversarial noise in feature space. To effectively mislead the 3D classifier, we factorize the adversarial noise into positive and negative noise, with the former keeping the features of the adversarial point cloud close to the negative features, and the latter and the adversarial noise moving it away from the positive features. Finally, a novel adversarial point cloud attack method with Adversarial Noise Factorization is proposed, which is abbreviated as ANF. ANF simultaneously optimizes the adversarial noise and its positive and negative noise in the feature space, only relying on partial network parameters, which significantly reduces the reliance on the surrogate model and improves the transferability of the adversarial point cloud. Experiments on well-recognized benchmark datasets show that the transferability of adversarial point clouds generated by ANF could be improved by more than 26.7% on average over state-of-the-art transfer-based adversarial attack methods.