Recently, 3D backdoor attacks have posed a substantial threat to 3D Deep Neural Networks (3D DNNs) designed for 3D point clouds, which are extensively deployed in various security-critical applications. Although the existing 3D backdoor attacks achieved high attack performance, they remain vulnerable to preprocessing-based defenses (e.g., outlier removal and rotation augmentation) and are prone to detection by human inspection. In pursuit of a more challenging-to-defend and stealthy 3D backdoor attack, this paper introduces the Stealthy and Robust Backdoor Attack (SRBA), which ensures robustness and stealthiness through intentional design considerations. The key insight of our attack involves applying a uniform shift to the additional point features of point clouds (e.g., reflection intensity) widely utilized as part of inputs for 3D DNNs as the trigger. Without altering the geometric information of the point clouds, our attack ensures visual consistency between poisoned and benign samples, and demonstrate robustness against preprocessing-based defenses. In addition, to automate our attack, we employ Bayesian Optimization (BO) to identify the suitable trigger. Extensive experiments suggest that SRBA achieves an attack success rate (ASR) exceeding 94% in all cases, and significantly outperforms previous SOTA methods when multiple preprocessing operations are applied during training.

翻译：近年来，三维后门攻击对面向三维点云设计的深度神经网络构成了重大威胁，此类网络已广泛应用于各类安全关键领域。尽管现有三维后门攻击已实现较高的攻击成功率，但其仍易受基于预处理的防御机制（如离群点去除与旋转增强）影响，且容易被人工检测发现。为构建更具防御挑战性与隐蔽性的三维后门攻击，本文提出隐蔽鲁棒后门攻击方法，通过精心设计的考量确保攻击的鲁棒性与隐蔽性。本攻击的核心思路在于：将广泛用作三维深度神经网络输入组成部分的点云附加特征（如反射强度）进行均匀偏移作为触发器。在不改变点云几何信息的前提下，该方法能保证中毒样本与良性样本的视觉一致性，并展现出对基于预处理的防御机制的鲁棒性。此外，为实现攻击自动化，我们采用贝叶斯优化算法来识别合适的触发器。大量实验表明，SRBA在所有案例中均实现超过94%的攻击成功率，且在训练阶段应用多重预处理操作时，其性能显著优于现有最优方法。