Assessing the Operational Impact of Poisoning Attacks over Augmented 3D Point Cloud Public Datasets for Connected and Autonomous Vehicles
Reviewed by Pith T0 review T1 audit T2 compute T3 formal T4 reserved 2026-07-08 04:09 UTCglm-5.2pith:OH2AOEZUrecord.jsonopen to challenge →
The pith
GAN Data Augmentation Amplifies Poisoning in 3D Point Clouds
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
The paper's central empirical finding is that GAN-based augmentation of poisoned 3D point cloud datasets triples the attack success rate compared to non-augmented poisoned data at the same poisoning level. The mechanism proposed is that augmentation reinforces distributional modes present in both clean and poisoned samples, enlarging the adversary's effective feature space rather than washing out adversarial perturbations. When propagated through a CAV operational dependency graph, this amplification yields a threefold increase in the assessed probability of impaired Decision Making (from 4% to 13% at 40% poisoning).
What carries the argument
The central objects are: (1) a clean-label poisoning attack on 3D point cloud training data (randomly removing 50% of points from a subset of primary-class samples), (2) a 3D-GAN augmentation pipeline that generates synthetic point clouds from the poisoned training set, and (3) an operational impact propagation model using resource and mission dependency graphs where the Attack Success Rate serves as a probabilistic seed that cascades through interconnected CAV system components.
If this is right
- Practitioners using GAN-based augmentation on public 3D point cloud datasets should not assume a sanitizing effect; the opposite may occur.
- Dataset curation and poisoning detection should be performed before augmentation, not after, since augmentation can multiply poisoned samples.
- Operational risk assessments for CAV systems that ignore the augmentation pipeline may underestimate the downstream impact of dataset poisoning by a factor of three or more.
- The amplification mechanism may extend beyond GANs to other generative augmentation techniques that learn and reinforce distributional modes from contaminated training data.
Load-bearing premise
The operational impact numbers (4% vs 13%) depend on edge probabilities in the CAV dependency graph that were manually assigned based on domain expertise rather than validated against real vehicle failure data. If those hand-assigned interdependency weights do not match actual CAV system behavior, the operational impact conclusions do not hold, even if the raw attack success rate amplification is real.
What would settle it
Train the same poisoning-plus-augmentation pipeline on a different 3D point cloud dataset and/or with a different GAN architecture; if augmentation does not amplify ASR relative to baseline, the claim is specific to the ModelNet/3D-GAN combination rather than a general property of augmented 3D point clouds.
Figures
read the original abstract
Poisoning attacks against public datasets lead to major concerns, such as (i) misclassification of perceived objects when the poisoned data is used for training and (ii) embedding of backdoors that may eventually be triggered later on, when specific conditions in the system apply over the learned models. Its impact over data augmentation models is unclear. While data augmentation reduces the likelihood of poisoning attack success, some valid questions remain. Is data augmentation affecting the impact of poisoning attacks? can it increase the number of poisoned samples or injected backdoors? We explore in this paper some of these questions. We assess the effects of augmenting poisoned 3D point cloud datasets and validate that poisoning is able to evade the sanitizing nature of augmentation techniques when using the concrete case of Generative Adversarial Network (GAN) techniques to exemplify the case of data augmentation processing. We also validate that poisoning propagates over the augmented datasets and perturbs the decision made by general-purpose classifiers, in the end. All the experimental material (including tools, datasets, and classifiers) is publicly available, to facilitate reproducibility and to foster further research in the topic.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. This paper investigates whether GAN-based data augmentation amplifies or mitigates the impact of poisoning attacks on 3D point cloud datasets used in CAV perception. Two experimental scenarios are compared: a baseline where a classifier is trained on the original (potentially poisoned) dataset, and an augmented scenario where a 3D-GAN generates synthetic samples from the (potentially poisoned) training data before classifier training. Poisoning is implemented as random removal of 50% of points from primary-class samples at rates of 0–40%. The key finding is that augmentation amplifies poisoning impact: at 40% poisoning, ASR rises from 5.8% (baseline) to 17.6% (augmented), and the operational impact on a Decision Making process rises from 4% to 13%. The operational impact is computed using a dependency-graph propagation model from the authors' prior work [31], with ASR values fed as initial probabilities. Code and datasets are publicly released.
Significance. The paper tackles a timely question at the intersection of adversarial ML and autonomous vehicle safety. Its main strengths are: (1) a clear, reproducible experimental design with publicly released code, datasets, and Docker deployment; (2) the coupling of poisoning-attack evaluation with an operational impact model that maps classifier degradation to CAV decision-making processes, which is a novel combination not found in prior work surveyed in Table 1; and (3) the use of both F1 and MCC metrics, which provides a balanced assessment of classifier performance. The finding that GAN-based augmentation can amplify rather than sanitize poisoning in 3D point clouds is a useful empirical contribution. However, the significance of this finding is tempered by the use of a single, crude poisoning method and the reliance on manually assigned edge weights in the impact model.
major comments (3)
- §4.1: The sole poisoning method used is random removal of 50% of points from each sample. The authors acknowledge saliency-based alternatives [35,36] but chose not to use them. This is load-bearing for the central claim that augmentation 'amplifies the impact of poisoned samples' and 'reinforces distributional modes that the attacker exploits.' Random 50% point removal is gross geometric degradation, not a subtle adversarial perturbation. A GAN trained on such degraded samples will naturally reproduce degraded shapes, and a classifier trained on those shapes will perform worse. This demonstrates that a GAN learns whatever distribution it is trained on, but it does not demonstrate that augmentation fails to sanitize adversarial artifacts—the sanitizing effect cited in prior work [12–17] concerns subtle perturbations or backdoor triggers that augmentation might filter out. The paper should
- §4.3.2, Figure 6 and Table 2: The operational impact numbers (4% vs. 13% for Decision Making) are the paper's distinguishing contribution over prior poisoning studies. However, these values are entirely determined by edge weights in the dependency graph that were 'manually assigned based on domain expertise' (§4.3.2). No sensitivity analysis is provided to show how the operational impact conclusions change under reasonable variations of these weights. Without such analysis, the reader cannot assess whether the threefold increase claim is robust or an artifact of specific weight choices. A sensitivity analysis over plausible edge-weight ranges, or at minimum a justification for the specific values chosen, is needed to support the operational impact claims.
- §4.2: The paper states that all experiments were repeated five times and that 'standard deviations were consistently small,' yet standard deviations are omitted from all figures and tables. Since the ASR gap (17.6% vs. 5.8%) is the central quantitative finding, the reader needs to verify that this gap is statistically meaningful. The standard deviations should be reported, at minimum for the ASR metric.
minor comments (8)
- §1.2: The phrase 'Therefore, This divergence' contains a capitalization error ('This' should be 'this').
- §3.1, Eq. (2): The perturbation ρ is described as 'small,' but the actual poisoning method removes 50% of points. The relationship between the abstract threat model and the concrete implementation should be clarified.
- Figure 5: The x-axis labels show metric values and the y-axis shows poisoning rate, which is unconventional. Consider swapping axes or adding a clearer caption explaining the layout.
- Figure 6: The node labels are truncated (e.g., 'Vehicle & Pedes-' for 'Vehicle & Pedestrian Detection'). Consider using abbreviations or a larger figure to improve readability.
- §4.1: The choice of two ModelNet classes for binary classification is mentioned but the specific classes selected are not named. This should be specified for reproducibility.
- §4.1: The paper uses an InceptionNet architecture adapted for binary classification. More details on the adaptation (e.g., input representation, output layer changes) would aid reproducibility.
- Table 1: The 'Poisoning' column header is ambiguous—it lists the attack type, not whether poisoning is considered. Consider renaming to 'Attack Type' or clarifying.
- §5: The conclusion states 'augmenting as well the effects of augmenting poisoned 3D point cloud datasets,' which is awkwardly phrased.
Simulated Author's Rebuttal
We thank the referee for a thorough and constructive report. The referee correctly identifies our key contributions (reproducible experimental design, novel coupling of poisoning evaluation with operational impact modeling, balanced metric usage) and raises three major concerns: (1) the use of a single crude poisoning method limits the generality of the central claim about augmentation amplifying poisoning; (2) the manually assigned edge weights in the dependency graph lack sensitivity analysis, making the threefold operational impact increase potentially fragile; (3) standard deviations are omitted despite being central to assessing the significance of the ASR gap (17.6% vs. 5.8%). We address each below and commit to revisions on points 2 and 3. On point 1, we provide a substantive defense of our methodological choice while acknowledging the referee's concern about generalizability and committing to a scoped framing revision.
read point-by-point responses
-
Referee: §4.1: The sole poisoning method used is random removal of 50% of points from each sample. The authors acknowledge saliency-based alternatives [35,36] but chose not to use them. This is load-bearing for the central claim that augmentation 'amplifies the impact of poisoned samples' and 'reinforces distributional modes that the attacker exploits.' Random 50% point removal is gross geometric degradation, not a subtle adversarial perturbation. A GAN trained on such degraded samples will naturally reproduce degraded shapes, and a classifier trained on those shapes will perform worse. This demonstrates that a GAN learns whatever distribution it is trained on, but it does not demonstrate that augmentation fails to sanitize adversarial artifacts—the sanitizing effect cited in prior work [12–17] concerns subtle perturbations or backdoor triggers that augmentation might filter out.
Authors: We partially agree with the referee's concern and will revise the manuscript's framing, but we respectfully disagree that the finding is as limited as the referee suggests. First, regarding the threat model: our adversary is explicitly constrained to have no knowledge of the victim model architecture, loss function, or training process (§3.1). Saliency-based methods [35,36] require either access to a surrogate model or iterative querying of the victim model to compute point importance rankings. Our threat model deliberately excludes such access, making random point removal a realistic attack for an adversary who can only inject samples into a public dataset. This is a legitimate and commonly studied adversary capability in the poisoning literature. Second, regarding the sanitization claim: the prior work we cite on augmentation's sanitizing effects [12–17] does not exclusively concern subtle perturbations. For instance, Karra et al. [15] study Trojan triggers (which can involve visible modifications), and the medical imaging work [13] concerns distributional characteristics of GAN-generated data more broadly. Our contribution is specifically about whether GAN-based augmentation of 3D point clouds sanitizes or amplifies corrupted training data—a question that, to our knowledge, has not been studied in the 3D point cloud domain. The referee's observation that 'a GAN learns whatever distribution it is trained on' is precisely our point: the literature has claimed that augmentation tends to reflect 'the most common features of the original dataset features, which are, by definition benign' (§1.1, citing [12–14]). Our results challenge this assumption by showing that when poisoning is present at meaningful rates, the GAN does not filter toward benign modes but rather reprodu revision: no
-
Referee: §4.3.2, Figure 6 and Table 2: The operational impact numbers (4% vs. 13% for Decision Making) are the paper's distinguishing contribution over prior poisoning studies. However, these values are entirely determined by edge weights in the dependency graph that were 'manually assigned based on domain expertise' (§4.3.2). No sensitivity analysis is provided to show how the operational impact conclusions change under reasonable variations of these weights. Without such analysis, the reader cannot assess whether the threefold increase claim is robust or an artifact of specific weight choices. A sensitivity analysis over plausible edge-weight ranges, or at minimum a justification for the specific values chosen, is needed to support the operational impact claims.
Authors: We agree that a sensitivity analysis is needed and will add it to the revised manuscript. Specifically, we will conduct a sensitivity analysis varying the manually assigned edge weights (those between operational functions and processes) by ±20% around their nominal values and recompute the operational impact on Decision Making for both baseline and augmented scenarios at 40% poisoning. We will present the results as a range (e.g., operational impact varies from X% to Y% under baseline and from A% to B% under augmentation) and confirm whether the threefold increase pattern holds across the plausible weight range. We note that the inter-asset edge weights derived from nuScenes [32] are data-driven and not subject to the same manual assignment concern. We will also add explicit justification for the specific domain-expertise values chosen, citing the CAV operational context from which they were derived. We believe the relative comparison (baseline vs. augmented) is likely robust because the same graph structure and weights are applied to both scenarios—the ASR values are the only differing inputs—so the threefold ratio should be largely insensitive to weight choices. But we will verify this empirically and report the results honestly. revision: yes
-
Referee: §4.2: The paper states that all experiments were repeated five times and that 'standard deviations were consistently small,' yet standard deviations are omitted from all figures and tables. Since the ASR gap (17.6% vs. 5.8%) is the central quantitative finding, the reader needs to verify that this gap is statistically meaningful. The standard deviations should be reported, at minimum for the ASR metric.
Authors: We agree and will add standard deviations to the revised manuscript. We will report standard deviations for the ASR metric in Table 2 (or an expanded version thereof) and as error bars in Figure 5(c). We will also add a brief statistical significance test (e.g., a two-sample t-test or Wilcoxon rank-sum test) comparing the baseline and augmented ASR values at each poisoning rate to confirm that the gap is statistically meaningful. We will retain the current figures for visual clarity but ensure the standard deviations are reported in the tables and discussed in the text. revision: yes
Circularity Check
No significant circularity; the ASR values are independently measured and the impact model is an external tool, not a re-derived result.
full rationale
The paper's central claim—that GAN-based augmentation amplifies poisoning effects—is supported by independently measured ASR values (5.8% baseline vs. 17.6% augmented at 40% poisoning), computed from classifier false-negative rates on a held-out test set (Section 4.2). These measurements are not fitted to or defined in terms of the conclusion. The operational impact model (Section 3.2) is imported from prior work [31] by overlapping authors (Lazrag, Garcia-Alfaro), but it functions as an external tool: the ASR is fed as input to a propagation function with manually assigned edge weights, and the impact numbers (4%, 13%) are outputs of that function, not re-derivations of the ASR. The self-citation to [31] provides the modeling framework (graphs, propagation functions) rather than a result being re-derived. The edge weights are manually assigned based on domain expertise—a modeling assumption that is a correctness risk, not a circularity issue, since the weights are not defined in terms of the target operational impact values. No step in the derivation chain reduces to its own inputs by construction.
Axiom & Free-Parameter Ledger
free parameters (4)
- Poisoning method: 50% random point removal =
50%
- Poisoning rates: 0%, 10%, 20%, 40% =
0-40%
- Impact model edge weights (operational functions to processes) =
manually assigned
- Number of ModelNet classes selected =
2 (binary)
axioms (4)
- domain assumption GAN-based augmentation generates synthetic data reflecting the most common features of the original dataset, which are benign by definition.
- domain assumption The operational impact model from [31] accurately represents CAV system dependencies.
- ad hoc to paper Random 50% point removal is a representative poisoning attack for 3D point clouds.
- domain assumption Binary classification on two ModelNet classes generalizes to CAV perception scenarios.
invented entities (1)
-
None
no independent evidence
Reference graph
Works this paper leans on
-
[1]
Ad- vancing security in software-defined vehicles: A comprehensive survey and taxonomy,
K. Sghaier, B. Hammi, G. Gharbi, P. Merdrignac, P. Parrend, and D. Verna, “Ad- vancing security in software-defined vehicles: A comprehensive survey and taxonomy, ”arXiv preprint arXiv:2510.09675, 2025
-
[2]
A review on autonomous vehicles: Progress, methods and challenges,
D. Parekh, N. Poddar, A. Rajpurkar, M. Chahal, N. Kumar, G. P. Joshi, and W. Cho, “A review on autonomous vehicles: Progress, methods and challenges, ”Electronics, vol. 11, no. 14, p. 2162, 2022
work page 2022
-
[3]
A state- of-the-art review on attacks and defense mechanisms for lidar on autonomous vehicles,
S. A. Salguero-Luna, K. A. Ramirez-Gutierrez, and A. Martinez-Cruz, “A state- of-the-art review on attacks and defense mechanisms for lidar on autonomous vehicles, ”IEEE Transactions on Intelligent Transportation Systems, 2024
work page 2024
-
[4]
Research advances and challenges of au- tonomous and connected ground vehicles,
A. Eskandarian, C. Wu, and C. Sun, “Research advances and challenges of au- tonomous and connected ground vehicles, ”IEEE Transactions on Intelligent Trans- portation Systems, vol. 22, no. 2, pp. 683–711, 2019
work page 2019
-
[5]
Cooper: Cooperative perception for con- nected autonomous vehicles based on 3d point clouds,
Q. Chen, S. Tang, Q. Yang, and S. Fu, “Cooper: Cooperative perception for con- nected autonomous vehicles based on 3d point clouds, ” in2019 IEEE 39th Interna- tional Conference on Distributed Computing Systems (ICDCS). IEEE, 2019, pp. 514–524
work page 2019
-
[6]
M. Kautz, B. Hammi, and J. Garcia-Alfaro, “Platelet: Pioneering security and privacy compliant simulation for intelligent transportation systems and v2x, ” in2024 22nd International Symposium on Network Computing and Applications (NCA). IEEE, 2024, pp. 61–67
work page 2024
-
[7]
Survey on autonomous vehicle simulation platforms,
G. Yang, Y. Xue, L. Meng, P. Wang, Y. Shi, Q. Yang, and Q. Dong, “Survey on autonomous vehicle simulation platforms, ” in2021 8th International Conference on Dependable Systems and Their Applications (DSA). IEEE, 2021, pp. 692–699
work page 2021
-
[8]
A survey on simulators for testing self-driving cars,
P. Kaur, S. Taghavi, Z. Tian, and W. Shi, “A survey on simulators for testing self-driving cars, ” in2021 Fourth International Conference on Connected and Au- tonomous Driving (MetroCAD). IEEE, 2021, pp. 62–70
work page 2021
-
[9]
Choose your simulator wisely: A review on open-source simulators for autonomous driving,
Y. Li, W. Yuan, S. Zhang, W. Yan, Q. Shen, C. Wang, and M. Yang, “Choose your simulator wisely: A review on open-source simulators for autonomous driving, ” IEEE Transactions on Intelligent Vehicles, 2024
work page 2024
-
[10]
M. Sarmad, H. J. Lee, and Y. M. Kim, “Rl-gan-net: A reinforcement learning agent controlled gan network for real-time point cloud shape completion, ” in Proceedings of the IEEE/CVF conference on computer vision and pattern recognition, 2019, pp. 5898–5907
work page 2019
-
[11]
Dense point cloud comple- tion based on generative adversarial network,
M. Cheng, G. Li, Y. Chen, J. Chen, C. Wang, and J. Li, “Dense point cloud comple- tion based on generative adversarial network, ”IEEE Transactions on Geoscience and Remote Sensing, vol. 60, pp. 1–10, 2021
work page 2021
-
[12]
E. Strelcenia and S. Prakoonwit, “A survey on gan techniques for data augmenta- tion to address the imbalanced data issues in credit card fraud detection, ”Machine Learning and Knowledge Extraction, vol. 5, no. 1, pp. 304–329, 2023
work page 2023
-
[14]
Data Augmentation Revisited: Rethinking the Distribution Gap between Clean and Augmented Data
Z. He, L. Xie, X. Chen, Y. Zhang, Y. Wang, and Q. Tian, “Data augmentation revisited: Rethinking the distribution gap between clean and augmented data, ” arXiv preprint arXiv:1909.09148, 2019
work page internal anchor Pith review Pith/arXiv arXiv 1909
-
[15]
Sanitais: Unsupervised data augmenta- tion to sanitize trojaned neural networks,
K. Karra, C. Ashcraft, and C. Costello, “Sanitais: Unsupervised data augmenta- tion to sanitize trojaned neural networks, ” in2022 IEEE Intl Conf on Dependable, Autonomic and Secure Computing, Intl Conf on Pervasive Intelligence and Comput- ing, Intl Conf on Cloud and Big Data Computing, Intl Conf on Cyber Science and Technology Congress (DASC/PiCom/CBDCo...
work page 2022
-
[16]
Learning the Unlearnable: Adversarial Augmentations Suppress Unlearnable Example Attacks
T. Qin, X. Gao, J. Zhao, K. Ye, and C.-Z. Xu, “Learning the unlearnable: Ad- versarial augmentations suppress unlearnable example attacks, ”arXiv preprint arXiv:2303.15127, 2023
work page internal anchor Pith review Pith/arXiv arXiv 2023
-
[17]
Data augmentation can improve robustness,
S.-A. Rebuffi, S. Gowal, D. A. Calian, F. Stimberg, O. Wiles, and T. A. Mann, “Data augmentation can improve robustness, ”Advances in neural information processing Assessing the Operational Impact of Poisoning Attacks over Augmented 3D Point Cloud Public Datasets for Connected and Autonomous Vehicles SECRYPT 2026, 16–18 July, 2026, Porto, Portugal systems...
work page 2026
-
[18]
Data augmentation for discrimination prevention and bias disam- biguation,
S. Sharma, Y. Zhang, J. M. Ríos Aliaga, D. Bouneffouf, V. Muthusamy, and K. R. Varshney, “Data augmentation for discrimination prevention and bias disam- biguation, ” inProceedings of the AAAI/ACM Conference on AI, Ethics, and Society, 2020, pp. 358–364
work page 2020
-
[19]
Image Data Augmentation for Deep Learning: A Survey
S. Yang, W. Xiao, M. Zhang, S. Guo, J. Zhao, and F. Shen, “Image data augmentation for deep learning: A survey, ”arXiv preprint arXiv:2204.08610, 2022
work page internal anchor Pith review Pith/arXiv arXiv 2022
-
[20]
Text data augmentation for deep learning,
C. Shorten, T. M. Khoshgoftaar, and B. Furht, “Text data augmentation for deep learning, ”Journal of big Data, vol. 8, no. 1, p. 101, 2021
work page 2021
-
[21]
Gan-based data augmentation and anonymiza- tion for skin-lesion analysis: A critical review,
A. Bissoto, E. Valle, and S. Avila, “Gan-based data augmentation and anonymiza- tion for skin-lesion analysis: A critical review, ” inProceedings of the IEEE/CVF conference on computer vision and pattern recognition, 2021, pp. 1847–1856
work page 2021
-
[22]
Pu-gan: a point cloud upsampling adversarial network,
R. Li, X. Li, C.-W. Fu, D. Cohen-Or, and P.-A. Heng, “Pu-gan: a point cloud upsampling adversarial network, ” inProceedings of the IEEE/CVF international conference on computer vision, 2019, pp. 7203–7212
work page 2019
-
[23]
Simple and effective synthesis of indoor 3d scenes,
J. Y. Koh, H. Agrawal, D. Batra, R. Tucker, A. Waters, H. Lee, Y. Yang, J. Baldridge, and P. Anderson, “Simple and effective synthesis of indoor 3d scenes, ” inPro- ceedings of the AAAI Conference on Artificial Intelligence, vol. 37, no. 1, 2023, pp. 1169–1178
work page 2023
-
[24]
Generating 3D adversarial point clouds,
C. Xiang, C. R. Qi, and B. Li, “Generating 3D adversarial point clouds, ” inPro- ceedings of the IEEE/CVF conference on computer vision and pattern recognition, 2019, pp. 9136–9144
work page 2019
-
[25]
Advpc: Transferable adversarial perturbations on 3d point clouds,
A. Hamdi, S. Rojas, A. Thabet, and B. Ghanem, “Advpc: Transferable adversarial perturbations on 3d point clouds, ” inComputer Vision–ECCV 2020: 16th European Conference, Glasgow, UK, August 23–28, 2020, Proceedings, Part XII 16. Springer, 2020, pp. 241–257
work page 2020
-
[26]
PointAPA: To- wards availability poisoning attacks in 3D point clouds,
X. Wang, M. Li, P. Xu, W. Liu, L. Y. Zhang, S. Hu, and Y. Zhang, “PointAPA: To- wards availability poisoning attacks in 3D point clouds, ” inEuropean Symposium on Research in Computer Security. Springer, 2024, pp. 125–145
work page 2024
-
[27]
M. Alsereidi, A. Awadallah, A. Alkaabi, S. Yoon, and C. Y. Yeun, “Data poisoning against federated learning: Comparative analysis under label-flipping attacks and gan-generated eeg data, ” in2024 2nd International Conference on Cyber Resilience (ICCR). IEEE, 2024, pp. 1–5
work page 2024
-
[28]
F. Qian, Y. Zou, M. Xu, X. Zhang, C. Zhang, C. Xu, and H. Chen, “A comprehensive understanding of the impact of data augmentation on the transferability of 3d adversarial examples, ”ACM Transactions on Knowledge Discovery from Data, 2024
work page 2024
-
[29]
Securing Traffic Sign Recognition Systems in Autonomous Vehicles
T. Hapuarachchi, L. Dang, and K. Xiong, “Securing traffic sign recognition systems in autonomous vehicles, ”arXiv preprint arXiv:2506.06563, 2025
work page internal anchor Pith review Pith/arXiv arXiv 2025
-
[30]
Adversarial examples in the physical world,
A. Kurakin, I. J. Goodfellow, and S. Bengio, “Adversarial examples in the physical world, ” inArtificial intelligence safety and security. Chapman and Hall/CRC, 2018, pp. 99–112
work page 2018
- [31]
-
[32]
nuscenes: A multimodal dataset for autonomous driving,
H. Caesar, V. Bankiti, A. H. Lang, S. Vora, V. E. Liong, Q. Xu, A. Krishnan, Y. Pan, G. Baldan, and O. Beijbom, “nuscenes: A multimodal dataset for autonomous driving, ” inProceedings of the IEEE/CVF conference on computer vision and pattern recognition, 2020, pp. 11 621–11 631
work page 2020
-
[33]
Learning a probabilistic latent space of object shapes via 3D generative-adversarial modeling,
J. Wu, C. Zhang, T. Xue, B. Freeman, and J. Tenenbaum, “Learning a probabilistic latent space of object shapes via 3D generative-adversarial modeling, ”Advances in neural information processing systems, vol. 29, 2016
work page 2016
-
[34]
3D ShapeNets: A Deep Representation for Volumetric Shapes,
Z. Wu, S. Song, A. Khosla, F. Yu, L. Zhang, X. Tang, and J. Xiao, “3D ShapeNets: A Deep Representation for Volumetric Shapes, ” inProceedings of the IEEE conference on computer vision and pattern recognition, 2015, pp. 1912–1920
work page 2015
-
[35]
T. Zheng, C. Chen, J. Yuan, B. Li, and K. Ren, “Pointcloud saliency maps, ” in Proceedings of the IEEE/CVF international conference on computer vision, 2019, pp. 1598–1606
work page 2019
-
[36]
Adversarial Attack and Defense on Point Sets
J. Yang, Q. Zhang, R. Fang, B. Ni, J. Liu, and Q. Tian, “Adversarial attack and defense on point sets, ”arXiv preprint arXiv:1902.10899, 2019
work page internal anchor Pith review Pith/arXiv arXiv 1902
-
[37]
Adam: A Method for Stochastic Optimization
D. P. Kingma and J. Ba, “Adam: A method for stochastic optimization, ”arXiv preprint arXiv:1412.6980, 2014
work page internal anchor Pith review Pith/arXiv arXiv 2014
-
[38]
Binary cross entropy with deep learning technique for image classification,
U. Ruby, V. Yendapalliet al., “Binary cross entropy with deep learning technique for image classification, ”Int. J. Adv. Trends Comput. Sci. Eng, vol. 9, no. 10, 2020
work page 2020
-
[39]
F. Chollet and F. Chollet,Deep learning with Python. Simon and Schuster, 2021
work page 2021
-
[40]
Deep-learning-based vulnerability detection in binary executables,
A. Schaad and D. Binder, “Deep-learning-based vulnerability detection in binary executables, ” inInternational Symposium on Foundations and Practice of Security. Springer, 2022, pp. 453–460
work page 2022
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.