-
AdvIRL: Reinforcement Learning-Based Adversarial Attacks on 3D NeRF Models
Authors:
Tommy Nguyen,
Mehmet Ergezer,
Christian Green
Abstract:
The increasing deployment of AI models in critical applications has exposed them to significant risks from adversarial attacks. While adversarial vulnerabilities in 2D vision models have been extensively studied, the threat landscape for 3D generative models, such as Neural Radiance Fields (NeRF), remains underexplored. This work introduces AdvIRL, a novel framework for crafting adversarial NeRF models using Instant Neural Graphics Primitives (Instant-NGP) and Reinforcement Learning. Unlike prior methods, AdvIRL generates adversarial noise that remains robust under diverse 3D transformations, including rotations and scaling, enabling effective black-box attacks in real-world scenarios. Our approach is validated across a wide range of scenes, from small objects (e.g., bananas) to large environments (e.g., lighthouses). Notably, targeted attacks achieved high-confidence misclassifications, such as labeling a banana as a slug and a truck as a cannon, demonstrating the practical risks posed by adversarial NeRFs. Beyond attacking, AdvIRL-generated adversarial models can serve as adversarial training data to enhance the robustness of vision systems. The implementation of AdvIRL is publicly available at https://github.com/Tommy-Nguyen-cpu/AdvIRL/tree/MultiView-Clean, ensuring reproducibility and facilitating future research.
Submitted 17 December, 2024;
originally announced December 2024.
-
Targeted View-Invariant Adversarial Perturbations for 3D Object Recognition
Authors:
Christian Green,
Mehmet Ergezer,
Abdurrahman Zeybey
Abstract:
Adversarial attacks pose significant challenges in 3D object recognition, especially in scenarios involving multi-view analysis where objects can be observed from varying angles. This paper introduces View-Invariant Adversarial Perturbations (VIAP), a novel method for crafting robust adversarial examples that remain effective across multiple viewpoints. Unlike traditional methods, VIAP enables targeted attacks capable of manipulating recognition systems to classify objects as specific, pre-determined labels, all while using a single universal perturbation. Leveraging a dataset of 1,210 images across 121 diverse rendered 3D objects, we demonstrate the effectiveness of VIAP in both targeted and untargeted settings. Our untargeted perturbations successfully generate a singular adversarial noise robust to 3D transformations, while targeted attacks achieve exceptional results, with top-1 accuracies exceeding 95% across various epsilon values. These findings highlight VIAP's potential for real-world applications, such as testing the robustness of 3D recognition systems. The proposed method sets a new benchmark for view-invariant adversarial robustness, advancing the field of adversarial machine learning for 3D object recognition.
Submitted 17 December, 2024;
originally announced December 2024.
-
Gaussian Splatting Under Attack: Investigating Adversarial Noise in 3D Objects
Authors:
Abdurrahman Zeybey,
Mehmet Ergezer,
Tommy Nguyen
Abstract:
3D Gaussian Splatting has advanced radiance field reconstruction, enabling high-quality view synthesis and fast rendering in 3D modeling. While adversarial attacks on object detection models are well-studied for 2D images, their impact on 3D models remains underexplored. This work introduces the Masked Iterative Fast Gradient Sign Method (M-IFGSM), designed to generate adversarial noise targeting the CLIP vision-language model. M-IFGSM specifically alters the object of interest by focusing perturbations on masked regions, degrading the performance of CLIP's zero-shot object detection capability when applied to 3D models. Using eight objects from the Common Objects 3D (CO3D) dataset, we demonstrate that our method effectively reduces the accuracy and confidence of the model, with adversarial noise being nearly imperceptible to human observers. The top-1 accuracy in original model renders drops from 95.4% to 12.5% for train images and from 91.2% to 35.4% for test images, with confidence levels reflecting this shift from true classification to misclassification, underscoring the risks of adversarial attacks on 3D models in applications such as autonomous driving, robotics, and surveillance. The significance of this research lies in its potential to expose vulnerabilities in modern 3D vision models, including radiance fields, prompting the development of more robust defenses and security measures in critical real-world applications.
Submitted 3 December, 2024;
originally announced December 2024.
-
One Noise to Rule Them All: Multi-View Adversarial Attacks with Universal Perturbation
Authors:
Mehmet Ergezer,
Phat Duong,
Christian Green,
Tommy Nguyen,
Abdurrahman Zeybey
Abstract:
This paper presents a novel universal perturbation method for generating robust multi-view adversarial examples in 3D object recognition. Unlike conventional attacks limited to single views, our approach operates on multiple 2D images, offering a practical and scalable solution for enhancing model scalability and robustness. This generalizable method bridges the gap between 2D perturbations and 3D-like attack capabilities, making it suitable for real-world applications.
Existing adversarial attacks may become ineffective when images undergo transformations like changes in lighting, camera position, or natural deformations. We address this challenge by crafting a single universal noise perturbation applicable to various object views. Experiments on diverse rendered 3D objects demonstrate the effectiveness of our approach. The universal perturbation successfully identified a single adversarial noise for each given set of 3D object renders from multiple poses and viewpoints. Compared to single-view attacks, our universal attacks lower classification confidence across multiple viewing angles, especially at low noise levels. A sample implementation is made available at https://github.com/memoatwit/UniversalPerturbation.
Submitted 2 April, 2024;
originally announced April 2024.
-
An Undergraduate Consortium for Addressing the Leaky Pipeline to Computing Research
Authors:
James Boerkoel,
Mehmet Ergezer
Abstract:
Despite an increasing number of successful interventions designed to broaden participation in computing research, there is still significant attrition among historically marginalized groups in the computing research pipeline. This experience report describes a first-of-its-kind Undergraduate Consortium (UC) that addresses this challenge by empowering students with a culmination of their undergraduate research in a conference setting. The UC, conducted at the AAAI Conference on Artificial Intelligence (AAAI), aims to broaden participation in the AI research community by recruiting students, particularly those from historically marginalized groups, supporting them with mentorship, advising, and networking as an accelerator toward graduate school, AI research, and their scientific identity. This paper presents our program design, inspired by a rich set of evidence-based practices, and a preliminary evaluation of the first years that points to the UC achieving many of its desired outcomes. We conclude by discussing insights to improve our program and expand to other computing communities.
Submitted 25 March, 2024;
originally announced March 2024.