PatchPoison: Poisoning Multi-View Datasets to Degrade 3D Reconstruction

3D Gaussian Splatting (3DGS) has recently enabled highly photorealistic 3D reconstruction from casually captured multi-view images. However, this accessibility raises a privacy concern: publicly available images or videos can be exploited to reconstruct detailed 3D models of scenes or objects without the owner's consent. We present PatchPoison, a lightweight dataset-poisoning method that prevents unauthorized 3D reconstruction. Unlike global perturbations, PatchPoison injects a small high-frequency adversarial patch, a structured checkerboard, into the periphery of each image in a multi-view dataset. The patch is designed to corrupt the feature-matching stage of Structure-from-Motion (SfM) pipelines such as COLMAP by introducing spurious correspondences that systematically misalign estimated camera poses. Consequently, downstream 3DGS optimization diverges from the correct scene geometry. On the NeRF-Synthetic benchmark, inserting a 12 X 12 pixel patch increases reconstruction error by 6.8x in LPIPS, while the poisoned images remain unobtrusive to human viewers. PatchPoison requires no pipeline modifications, offering a practical, "drop-in" preprocessing step for content creators to protect their multi-view data.

Key Contributions

Lightweight adversarial patch method that poisons multi-view datasets by corrupting Structure-from-Motion feature matching
Demonstrates 6.8x increase in reconstruction error (LPIPS) using only 12x12 pixel patches while remaining imperceptible to humans
Practical drop-in preprocessing defense for content creators to protect multi-view data from unauthorized 3D reconstruction

🛡️ Threat Analysis

Data Poisoning Attack

Injects adversarial patches into training/input data (multi-view image datasets) to systematically corrupt the reconstruction pipeline by introducing spurious feature correspondences that misalign camera poses - this is data poisoning to degrade model performance.