ML Security PapersCertified L2-Norm Robustness of 3D Point Cloud Recognition in the Frequency Domain
Liang Zhou , Qiming Wang , Tianze Chen
Published on arXiv
2511.07029
Input Manipulation Attack
OWASP ML Top 10 — ML01
Key Finding
FreqCert achieves higher certified and empirical accuracy under strong L2 perturbations on ModelNet40 and ScanObjectNN compared to existing certified point cloud defenses.
FreqCert
Novel technique introduced
3D point cloud classification is a fundamental task in safety-critical applications such as autonomous driving, robotics, and augmented reality. However, recent studies reveal that point cloud classifiers are vulnerable to structured adversarial perturbations and geometric corruptions, posing risks to their deployment in safety-critical scenarios. Existing certified defenses limit point-wise perturbations but overlook subtle geometric distortions that preserve individual points yet alter the overall structure, potentially leading to misclassification. In this work, we propose FreqCert, a novel certification framework that departs from conventional spatial domain defenses by shifting robustness analysis to the frequency domain, enabling structured certification against global L2-bounded perturbations. FreqCert first transforms the input point cloud via the graph Fourier transform (GFT), then applies structured frequency-aware subsampling to generate multiple sub-point clouds. Each sub-cloud is independently classified by a standard model, and the final prediction is obtained through majority voting, where sub-clouds are constructed based on spectral similarity rather than spatial proximity, making the partitioning more stable under L2 perturbations and better aligned with the object's intrinsic structure. We derive a closed-form lower bound on the certified L2 robustness radius and prove its tightness under minimal and interpretable assumptions, establishing a theoretical foundation for frequency domain certification. Extensive experiments on the ModelNet40 and ScanObjectNN datasets demonstrate that FreqCert consistently achieves higher certified accuracy and empirical accuracy under strong perturbations. Our results suggest that spectral representations provide an effective pathway toward certifiable robustness in 3D point cloud recognition.
Key Contributions
- FreqCert: first certification framework for 3D point clouds under continuous global L2-bounded perturbations, operating in the frequency domain via Graph Fourier Transform
- Dense-overlapping spectral window (d-OSW) sampling strategy that partitions point clouds into frequency-aware sub-clouds for majority-vote classification
- Closed-form certified L2 robustness radius with a tighter majority-voting-aware bound, proven tight under minimal interpretable assumptions
🛡️ Threat Analysis
Proposes a certified defense (FreqCert) against adversarial L2-bounded input perturbations on 3D point cloud classifiers at inference time; derives closed-form certified robustness radius bounds — squarely an adversarial example defense.