Published on arXiv: 2508.15650

Input Manipulation Attack

OWASP ML Top 10 — ML01

Key Finding

CFG improves transfer-based attack success rate by 16.8% over state-of-the-art methods on ModelNet40 and ScanObjectNN benchmarks.

CFG (Critical Feature Guidance)

Novel technique introduced


Deep neural networks for 3D point clouds have been demonstrated to be vulnerable to adversarial examples. Previous 3D adversarial attack methods often exploit certain information about the target models, such as model parameters or outputs, to generate adversarial point clouds. However, in realistic scenarios, it is challenging to obtain any information about the target models under conditions of absolute security. Therefore, we focus on transfer-based attacks, where generating adversarial point clouds does not require any information about the target models. Based on our observation that the critical features used for point cloud classification are consistent across different DNN architectures, we propose CFG, a novel transfer-based black-box attack method that improves the transferability of adversarial point clouds via the proposed Critical Feature Guidance. Specifically, our method regularizes the search of adversarial point clouds by computing the importance of the extracted features, prioritizing the corruption of critical features that are likely to be adopted by diverse architectures. Further, we explicitly constrain the maximum deviation extent of the generated adversarial point clouds in the loss function to ensure their imperceptibility. Extensive experiments conducted on the ModelNet40 and ScanObjectNN benchmark datasets demonstrate that the proposed CFG outperforms the state-of-the-art attack methods by a large margin.


Key Contributions

  • Observes that critical features used for 3D point cloud classification are architecturally consistent across diverse DNNs, motivating a cross-model attack direction.
  • Proposes CFG (Critical Feature Guidance), which uses gradient-based feature importance scoring to prioritize corruption of shared critical features and reduce overfitting to the source model.
  • Introduces an explicit maximum-deviation constraint in the loss function to maintain imperceptibility of adversarial point clouds.

🛡️ Threat Analysis

Input Manipulation Attack

Proposes gradient-guided adversarial perturbations to 3D point cloud inputs that cause misclassification at inference time; the core contribution is improving transferability of adversarial examples across black-box target models — a classic input manipulation attack.


Details

Domains: vision
Model Types: cnn, transformer
Threat Tags: black_box, inference_time, untargeted, digital
Datasets: ModelNet40, ScanObjectNN
Applications: 3d point cloud classification, autonomous driving, robotics perception