Point clouds and meshes are widely used 3D data structures for many computer vision applications. While the meshes represent the surfaces of an object, point cloud represents sampled points from the surface which is also the output of modern sensors such as LiDAR and RGB-D cameras. Due to the wide application area of point clouds and the recent advancements in deep neural networks, studies focusing on robust classification of the 3D point cloud data emerged. To evaluate the robustness of deep classifier networks, a common method is to use adversarial attacks where the gradient direction is followed to change the input slightly. The previous studies on adversarial attacks are generally evaluated on point clouds of daily objects. However, considering 3D faces, these adversarial attacks tend to affect the person's facial structure more than the desired amount and cause malformation. Specifically for facial expressions, even a small adversarial attack can have a significant effect on the face structure. In this paper, we suggest an adversarial attack called $\epsilon$-Mesh Attack, which operates on point cloud data via limiting perturbations to be on the mesh surface. We also parameterize our attack by $\epsilon$ to scale the perturbation mesh. Our surface-based attack has tighter perturbation bounds compared to $L_2$ and $L_\infty$ norm bounded attacks that operate on unit-ball. Even though our method has additional constraints, our experiments on CoMA, Bosphorus and FaceWarehouse datasets show that $\epsilon$-Mesh Attack (Perpendicular) successfully confuses trained DGCNN and PointNet models $99.72\%$ and $97.06\%$ of the time, with indistinguishable facial deformations. The code is available at https://github.com/batuceng/e-mesh-attack.

翻译：点云和网格是许多计算机视觉应用中广泛使用的三维数据结构。网格表示物体的表面，而点云则代表从表面采样的点，也是现代传感器（如LiDAR和RGB-D相机）的输出。由于点云的广泛应用领域以及深度神经网络的最新进展，针对三维点云数据鲁棒分类的研究应运而生。为评估深度分类器网络的鲁棒性，常用方法是对抗攻击，即沿梯度方向对输入进行微小扰动。以往的对抗攻击研究通常以日常物体的点云为评估对象。然而，对于三维人脸而言，这些对抗攻击对人脸结构的影响往往超过预期，并导致畸形。特别是对于面部表情，即使微小的对抗攻击也可能对面部结构产生显著影响。本文提出一种名为ε-Mesh攻击的对抗攻击方法，该方法通过将扰动限制在网格表面上来处理点云数据。我们还通过参数ε对攻击进行参数化，以缩放扰动网格。与在单位球面上操作的L₂和L∞范数约束攻击相比，我们的基于表面的攻击具有更严格的扰动界限。尽管我们的方法具有额外的约束条件，但在CoMA、Bosphorus和FaceWarehouse数据集上的实验表明，ε-Mesh攻击（垂直方向）在99.72%和97.06%的情况下成功混淆了经过训练的DGCNN和PointNet模型，且面部变形难以察觉。代码可在https://github.com/batuceng/e-mesh-attack获取。