PointCRT: Detecting Backdoor in 3D Point Cloud via Corruption Robustness

Shengshan Hu; Wei Liu; Minghui Li; Yechao Zhang; Xiaogeng Liu; Xianlong Wang; Leo Yu Zhang; Junhui Hou

doi:10.1145/3581783.3612456

PointCRT: Detecting Backdoor in 3D Point Cloud via Corruption Robustness

Shengshan Hu, Wei Liu, Minghui Li^*, Yechao Zhang, Xiaogeng Liu, Xianlong Wang, Leo Yu Zhang, Junhui Hou

^*Corresponding author for this work

Research output: Chapters, Conference Papers, Creative and Literary Works › RGC 32 - Refereed conference paper (with host publication) › peer-review

11 Citations (Scopus)

Abstract

Backdoor attacks for point clouds have elicited mounting interest with the proliferation of deep learning. The point cloud classifiers can be vulnerable to malicious actors who seek to manipulate or fool the model with specific backdoor triggers. Detecting and rejecting backdoor samples during the inference stage can effectively alleviate backdoor attacks. Recently, some black-box test-time backdoor sample detection methods have been proposed in the 2D image domain, without any underlying assumptions about the backdoor triggers. However, upon examination, we have found that these detection techniques are not effective for 3D point clouds. As a result, there is a pressing need to bridge the gap for the development of a universal approach that is specifically designed for 3D point clouds.
In this paper, we propose the first test-time backdoor sample detection method in 3D point cloud without assumption to the backdoor triggers, called Point Clouds Corruption Robustness Test (PointCRT). Based on the fact that the corruption robustness of clean samples remains relatively stable across various backdoor models, we propose the corruption robustness score to map the features into high-dimensional space. The corruption robustness score is a vector evaluated by label consistency, whose element is the minimum severity level of corruption that changes the label prediction of the victim model. Then, the trigger is identified by detecting the abnormal corruption robustness score through a nonlinear classification. The comprehensive experiments demonstrate PointCRT deals with all cases with the average AUC over 0.934 and F1 score over 0.864, with the enhancement of 18%-28% on ModelNet40. Our codes are available at: https://github.com/CGCL-codes/PointCRT. © 2023 Copyright held by the owner/author(s). Publication rights licensed to ACM.

Original language	English
Title of host publication	MM '23
Subtitle of host publication	Proceedings of the 31st ACM International Conference on Multimedia
Place of Publication	New York, NY
Publisher	Association for Computing Machinery
Pages	666-675
ISBN (Print)	979-8-4007-0108-5
DOIs	https://doi.org/10.1145/3581783.3612456
Publication status	Published - 2023
Event	31st ACM International Conference on Multimedia (MM 2023) - Westin Ottawa, Ottawa, Canada Duration: 29 Oct 2023 → 3 Nov 2023 https://www.acmmm2023.org/accommodation/

Conference

Conference	31st ACM International Conference on Multimedia (MM 2023)
Abbreviated title	MM '23
Country/Territory	Canada
City	Ottawa
Period	29/10/23 → 3/11/23
Internet address	https://www.acmmm2023.org/accommodation/

Bibliographical note

Research Unit(s) information for this publication is provided by the author(s) concerned.

Research Keywords

Deep Learning
Backdoor Detection
3D Point Clouds

UN SDGs

This output contributes to the following UN Sustainable Development Goals (SDGs)

Access Output

10.1145/3581783.3612456

Other Access Options

Check CityUHK Library

Permanent Link

Right click to copy link

Cite this

@inproceedings{36902d54e78740be9a9553af21c3327a,

title = "PointCRT: Detecting Backdoor in 3D Point Cloud via Corruption Robustness",

abstract = "Backdoor attacks for point clouds have elicited mounting interest with the proliferation of deep learning. The point cloud classifiers can be vulnerable to malicious actors who seek to manipulate or fool the model with specific backdoor triggers. Detecting and rejecting backdoor samples during the inference stage can effectively alleviate backdoor attacks. Recently, some black-box test-time backdoor sample detection methods have been proposed in the 2D image domain, without any underlying assumptions about the backdoor triggers. However, upon examination, we have found that these detection techniques are not effective for 3D point clouds. As a result, there is a pressing need to bridge the gap for the development of a universal approach that is specifically designed for 3D point clouds. In this paper, we propose the first test-time backdoor sample detection method in 3D point cloud without assumption to the backdoor triggers, called Point Clouds Corruption Robustness Test (PointCRT). Based on the fact that the corruption robustness of clean samples remains relatively stable across various backdoor models, we propose the corruption robustness score to map the features into high-dimensional space. The corruption robustness score is a vector evaluated by label consistency, whose element is the minimum severity level of corruption that changes the label prediction of the victim model. Then, the trigger is identified by detecting the abnormal corruption robustness score through a nonlinear classification. The comprehensive experiments demonstrate PointCRT deals with all cases with the average AUC over 0.934 and F1 score over 0.864, with the enhancement of 18%-28% on ModelNet40. Our codes are available at: https://github.com/CGCL-codes/PointCRT. {\textcopyright} 2023 Copyright held by the owner/author(s). Publication rights licensed to ACM.",

keywords = "Deep Learning, Backdoor Detection, 3D Point Clouds",

author = "Shengshan Hu and Wei Liu and Minghui Li and Yechao Zhang and Xiaogeng Liu and Xianlong Wang and Zhang, {Leo Yu} and Junhui Hou",

note = "Research Unit(s) information for this publication is provided by the author(s) concerned.; 31st ACM International Conference on Multimedia (MM 2023), MM '23 ; Conference date: 29-10-2023 Through 03-11-2023",

year = "2023",

doi = "10.1145/3581783.3612456",

language = "English",

isbn = "979-8-4007-0108-5",

pages = "666--675",

booktitle = "MM '23",

publisher = "Association for Computing Machinery",

address = "United States",

url = "https://www.acmmm2023.org/accommodation/",

}

Hu, S, Liu, W, Li, M, Zhang, Y, Liu, X, Wang, X, Zhang, LY & Hou, J 2023, PointCRT: Detecting Backdoor in 3D Point Cloud via Corruption Robustness. in MM '23: Proceedings of the 31st ACM International Conference on Multimedia. Association for Computing Machinery, New York, NY, pp. 666-675, 31st ACM International Conference on Multimedia (MM 2023), Ottawa, Ontario, Canada, 29/10/23. https://doi.org/10.1145/3581783.3612456

PointCRT: Detecting Backdoor in 3D Point Cloud via Corruption Robustness. / Hu, Shengshan; Liu, Wei; Li, Minghui et al.
MM '23: Proceedings of the 31st ACM International Conference on Multimedia. New York, NY: Association for Computing Machinery, 2023. p. 666-675.

Research output: Chapters, Conference Papers, Creative and Literary Works › RGC 32 - Refereed conference paper (with host publication) › peer-review

TY - GEN

T1 - PointCRT

T2 - 31st ACM International Conference on Multimedia (MM 2023)

AU - Hu, Shengshan

AU - Liu, Wei

AU - Li, Minghui

AU - Zhang, Yechao

AU - Liu, Xiaogeng

AU - Wang, Xianlong

AU - Zhang, Leo Yu

AU - Hou, Junhui

N1 - Research Unit(s) information for this publication is provided by the author(s) concerned.

PY - 2023

Y1 - 2023

N2 - Backdoor attacks for point clouds have elicited mounting interest with the proliferation of deep learning. The point cloud classifiers can be vulnerable to malicious actors who seek to manipulate or fool the model with specific backdoor triggers. Detecting and rejecting backdoor samples during the inference stage can effectively alleviate backdoor attacks. Recently, some black-box test-time backdoor sample detection methods have been proposed in the 2D image domain, without any underlying assumptions about the backdoor triggers. However, upon examination, we have found that these detection techniques are not effective for 3D point clouds. As a result, there is a pressing need to bridge the gap for the development of a universal approach that is specifically designed for 3D point clouds. In this paper, we propose the first test-time backdoor sample detection method in 3D point cloud without assumption to the backdoor triggers, called Point Clouds Corruption Robustness Test (PointCRT). Based on the fact that the corruption robustness of clean samples remains relatively stable across various backdoor models, we propose the corruption robustness score to map the features into high-dimensional space. The corruption robustness score is a vector evaluated by label consistency, whose element is the minimum severity level of corruption that changes the label prediction of the victim model. Then, the trigger is identified by detecting the abnormal corruption robustness score through a nonlinear classification. The comprehensive experiments demonstrate PointCRT deals with all cases with the average AUC over 0.934 and F1 score over 0.864, with the enhancement of 18%-28% on ModelNet40. Our codes are available at: https://github.com/CGCL-codes/PointCRT. © 2023 Copyright held by the owner/author(s). Publication rights licensed to ACM.

AB - Backdoor attacks for point clouds have elicited mounting interest with the proliferation of deep learning. The point cloud classifiers can be vulnerable to malicious actors who seek to manipulate or fool the model with specific backdoor triggers. Detecting and rejecting backdoor samples during the inference stage can effectively alleviate backdoor attacks. Recently, some black-box test-time backdoor sample detection methods have been proposed in the 2D image domain, without any underlying assumptions about the backdoor triggers. However, upon examination, we have found that these detection techniques are not effective for 3D point clouds. As a result, there is a pressing need to bridge the gap for the development of a universal approach that is specifically designed for 3D point clouds. In this paper, we propose the first test-time backdoor sample detection method in 3D point cloud without assumption to the backdoor triggers, called Point Clouds Corruption Robustness Test (PointCRT). Based on the fact that the corruption robustness of clean samples remains relatively stable across various backdoor models, we propose the corruption robustness score to map the features into high-dimensional space. The corruption robustness score is a vector evaluated by label consistency, whose element is the minimum severity level of corruption that changes the label prediction of the victim model. Then, the trigger is identified by detecting the abnormal corruption robustness score through a nonlinear classification. The comprehensive experiments demonstrate PointCRT deals with all cases with the average AUC over 0.934 and F1 score over 0.864, with the enhancement of 18%-28% on ModelNet40. Our codes are available at: https://github.com/CGCL-codes/PointCRT. © 2023 Copyright held by the owner/author(s). Publication rights licensed to ACM.

KW - Deep Learning

KW - Backdoor Detection

KW - 3D Point Clouds

U2 - 10.1145/3581783.3612456

DO - 10.1145/3581783.3612456

M3 - RGC 32 - Refereed conference paper (with host publication)

SN - 979-8-4007-0108-5

SP - 666

EP - 675

BT - MM '23

PB - Association for Computing Machinery

CY - New York, NY

Y2 - 29 October 2023 through 3 November 2023

ER -

PointCRT: Detecting Backdoor in 3D Point Cloud via Corruption Robustness

Abstract

Conference

Bibliographical note

Research Keywords

UN SDGs

Access Output

Other Access Options

Permanent Link

Fingerprint

Cite this