Not only Spatial, but Also Spectral: Unnoticeable Backdoor Attack on 3D Point Clouds
摘要
3D point cloud-oriented deep learning models faces significant security threats from backdoor attacks, where malicious triggers are embedded into training data to manipulate the model’s behavior when the trigger is present in the input, leading to incorrect and potentially malicious predictions. While existing attacks have achieved spatial imperceptibility, this paper reveals a critical vulnerability: their triggers are noticeable in the spectral domain. Our analysis demonstrates that poisoned samples from current methods exhibit distinct spectral distributions compared to benign ones, stemming from trigger design and injection techniques that create easily identifiable local abnormal features. To address this, we propose the Feature-Space Blended Trigger (FSBT), a novel backdoor attack designed for stealth in both spatial and spectral domains. Unlike traditional methods manipulating raw point cloud data, FSBT operates in the frequency-domain feature space, implicitly embedding triggers into the spectral representations of clean samples through a learnable generation module. This process yields poisoned spectral features, which are subsequently decoded to form poisoned point clouds. We further introduce a dual-phase poisoning scheme, utilizing diverse, stealth-controllable poisoned samples during training to learn robust trigger features and high-intensity triggers during inference for evaluation. Experiments on three real-world datasets and four 3D point cloud models show FSBT achieves an attack success rate as high as 99.51% and maintains its efficacy (with a maximum performance drop of only 3.05%) even when subjected to spectral domain-based defense mechanisms.