DefenseSplat: Enhancing the Robustness of 3D Gaussian Splatting via Frequency-Aware Filtering
Yiran Qiao, Yiren Lu, Yunlai Zhou, Rui Yang, Linlin Hou, Yu Yin, Jing Ma
Published on arXiv: 2602.19323
Input Manipulation Attack
OWASP ML Top 10 — ML01
Key Finding
Frequency-aware wavelet filtering substantially enhances 3DGS robustness against a wide range of adversarial attack intensities without clean supervision, while maintaining competitive clean-data rendering quality.
DefenseSplat
Novel technique introduced
3D Gaussian Splatting (3DGS) has emerged as a powerful paradigm for real-time and high-fidelity 3D reconstruction from posed images. However, recent studies reveal its vulnerability to adversarial corruptions in input views, where imperceptible yet consistent perturbations can drastically degrade rendering quality, increase training and rendering time, and inflate memory usage, even leading to server denial-of-service. In our work, to mitigate this issue, we begin by analyzing the distinct behaviors of adversarial perturbations in the low- and high-frequency components of input images using wavelet transforms. Based on this observation, we design a simple yet effective frequency-aware defense strategy that reconstructs training views by filtering high-frequency noise while preserving low-frequency content. This approach effectively suppresses adversarial artifacts while maintaining the authenticity of the original scene. Notably, it does not significantly impair training on clean data, achieving a desirable trade-off between robustness and performance on clean inputs. Through extensive experiments under a wide range of attack intensities on multiple benchmarks, we demonstrate that our method substantially enhances the robustness of 3DGS without access to clean ground-truth supervision. By highlighting and addressing the overlooked vulnerabilities of 3D Gaussian Splatting, our work paves the way for more robust and secure 3D reconstructions.
Key Contributions
- Frequency-domain analysis of adversarial perturbations in 3DGS input views using wavelet transforms, revealing their distinct low/high-frequency behavior
- DefenseSplat: a frequency-aware filtering defense that suppresses high-frequency adversarial noise while preserving low-frequency scene content, requiring no clean ground-truth supervision
- Extensive evaluation across multiple attack intensities and benchmarks demonstrating improved robustness with minimal clean-data performance degradation
🛡️ Threat Analysis
The paper defends against adversarial perturbations in input views (imperceptible corruptions that degrade reconstruction quality and cause DoS-like effects) using a frequency-aware input purification strategy. This is a classic ML01 defense: input filtering/preprocessing to suppress adversarial artifacts before the model sees the data.
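
The purification idea described above, as an added example that is not the paper's code: a one-level 2D Haar wavelet split of a training view, with the detail subbands attenuated and the low-frequency band kept before the view is rebuilt. The Haar wavelet, the single decomposition level, the `detail_gain` parameter and all function names are assumptions made for illustration; the page does not state which wavelet or filter rule DefenseSplat uses.

```python
# Added example: one-level 2D Haar low-pass filter in pure Python.
# Assumption: Haar wavelet, one level, detail bands scaled by a single gain.

def haar_split(img):
    """Split an even-sized grayscale image (list of rows) into LL, LH, HL, HH."""
    h, w = len(img) // 2, len(img[0]) // 2
    LL, LH, HL, HH = ([[0.0] * w for _ in range(h)] for _ in range(4))
    for y in range(h):
        for x in range(w):
            a, b = img[2*y][2*x], img[2*y][2*x + 1]
            c, d = img[2*y + 1][2*x], img[2*y + 1][2*x + 1]
            LL[y][x] = (a + b + c + d) / 2   # low-frequency content (block sum / 2)
            LH[y][x] = (a - b + c - d) / 2   # detail: difference along x
            HL[y][x] = (a + b - c - d) / 2   # detail: difference along y
            HH[y][x] = (a - b - c + d) / 2   # detail: diagonal difference
    return LL, LH, HL, HH

def haar_merge(LL, LH, HL, HH):
    """Inverse of haar_split: rebuild the full-size image from four subbands."""
    h, w = len(LL), len(LL[0])
    img = [[0.0] * (2 * w) for _ in range(2 * h)]
    for y in range(h):
        for x in range(w):
            l, p, q, r = LL[y][x], LH[y][x], HL[y][x], HH[y][x]
            img[2*y][2*x] = (l + p + q + r) / 2
            img[2*y][2*x + 1] = (l - p + q - r) / 2
            img[2*y + 1][2*x] = (l + p - q - r) / 2
            img[2*y + 1][2*x + 1] = (l - p - q + r) / 2
    return img

def lowpass_view(img, detail_gain=0.0):
    """Rebuild a view keeping LL and scaling the detail bands (0.0 removes them)."""
    LL, *details = haar_split(img)
    scaled = [[[detail_gain * v for v in row] for row in band] for band in details]
    return haar_merge(LL, *scaled)

def mean_abs_err(a, b):
    """Mean absolute per-pixel difference between two equal-sized images."""
    n = len(a) * len(a[0])
    return sum(abs(p - q) for ra, rb in zip(a, b) for p, q in zip(ra, rb)) / n

# Constructed sample: smooth 8x8 ramp plus a +/-8 pixel-alternating pattern
# standing in for high-frequency corruption (not output of any real attack).
CLEAN = [[4.0 * (x + y) for x in range(8)] for y in range(8)]
NOISY = [[CLEAN[y][x] + (8.0 if (x + y) % 2 == 0 else -8.0) for x in range(8)]
         for y in range(8)]

if __name__ == "__main__":
    print("error before filtering:", mean_abs_err(NOISY, CLEAN))
    print("error after filtering: ", mean_abs_err(lowpass_view(NOISY), CLEAN))
```

On this sample the alternating pattern sits entirely in the HH band, so the filtered corrupted view equals the filtered clean view. The remaining error is the smoothing the filter applies to the clean ramp itself, which is the robustness versus clean-quality trade-off the abstract refers to.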