Pith. sign in

REVIEW 2 major objections 1 minor 30 references

Reviewed by Pith at T0; open to challenge.

T0 means a machine referee read the full paper against a public rubric. The mark states how deep the mechanical check went, never who wrote it. the ladder, T0–T4 →

T0 review · grok-4.3

LiDAR 3D detectors concentrate evidence in few spatial regions that can be targeted for efficient attacks.

2026-07-02 20:40 UTC pith:KZJK4PHN

load-bearing objection The paper claims efficiency gains from saliency-guided frustum attacks on LiDAR detectors but the abstract leaves the key aggregation assumption and experimental details unexamined. the 2 major comments →

arxiv 2606.29963 v2 pith:KZJK4PHN submitted 2026-06-29 cs.CV cs.CR

Explainability-Aware Frustum Attack: Exposing Structural Vulnerabilities in LiDAR-Based 3D Object Detectors

classification cs.CV cs.CR
keywords adversarial attacksLiDAR3D object detectionexplainabilitysaliency mapsfrustum attackautonomous driving
verification ladder T0 review T1 audit T2 compute T3 formal T4 reserved

The pith

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper examines how LiDAR-based 3D object detectors depend on spatial evidence within complex driving scenes. It develops the Saliency-LiDAR method to aggregate Integrated Gradient attributions into universal saliency maps that mark the most influential regions. These maps guide the Explainability-aware Frustum Attack, which perturbs only selected high-impact frustums instead of broad object areas. On KITTI and nuScenes with detectors such as PointPillars and SECOND, the attack lowers recall by more than 15 percentage points while using 25-50% fewer perturbations than non-saliency baselines. The work shows that detectors rely on a narrow set of regions, creating a structural vulnerability in current perception pipelines.

Core claim

Aggregating Integrated Gradient attributions across scenes yields universal saliency maps that identify the most influential frustums; perturbing only these frustums via the Explainability-aware Frustum Attack reduces detection recall by more than 15 percentage points on KITTI and nuScenes while requiring 25-50% fewer perturbed frustums than the state-of-the-art non-saliency-aware baseline across detectors including PointPillars and SECOND.

What carries the argument

The Saliency-LiDAR (SALL) method, which builds universal saliency maps from aggregated Integrated Gradient attributions to guide selective frustum perturbation in the Explainability-aware Frustum Attack (EFA).

Load-bearing premise

Aggregating Integrated Gradient attributions across scenes produces universal saliency maps that reliably identify the most influential frustums whose perturbation causes detector failure.

What would settle it

A controlled test in which perturbing only low-saliency frustums produces recall drops equal to or larger than those from perturbing the identified high-saliency frustums.

Watch this falsifier — get emailed when new claim-graph text bears on it.

If this is right

  • LiDAR detectors concentrate discriminative evidence in a small subset of spatial regions.
  • Attacks on 3D detectors become more efficient by focusing perturbations on salient frustums rather than entire objects.
  • Current LiDAR perception systems contain structural robustness vulnerabilities tied to their reliance patterns.
  • Defense strategies may need to encourage detectors to draw evidence from more distributed regions.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same saliency aggregation approach could be tested on camera-based detectors to check for parallel structural weaknesses.
  • If saliency maps prove stable across different training runs or datasets, they might reflect an inherent property of point-cloud feature extraction.
  • Real-world physical spoofing experiments limited to the identified salient regions would test whether the reported efficiency gains hold outside simulation.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit.

Referee Report

2 major / 1 minor

Summary. The paper proposes the Saliency-LiDAR (SALL) method, which aggregates Integrated Gradients attributions across scenes to generate universal saliency maps for LiDAR point clouds in 3D object detection. These maps are used to design the Explainability-aware Frustum Attack (EFA) that selectively perturbs only the most influential frustums. Experiments on KITTI and nuScenes datasets with detectors including PointPillars and SECOND show EFA reduces detection recall by more than 15 percentage points while requiring 25-50% fewer perturbed frustums than a non-saliency-aware baseline. The work claims this exposes structural vulnerabilities in current LiDAR-based detectors, and the authors release code at https://github.com/SecMindLab/Saliency_LiDAR.

Significance. If the results hold under rigorous validation, the paper offers a concrete demonstration that explainability tools can improve the efficiency of adversarial analysis for 3D detectors, highlighting that discriminative evidence is concentrated in limited spatial regions. The public code release is a clear strength that enables direct reproduction and extension. The findings could guide targeted robustness improvements in autonomous driving perception, though broader impact depends on whether the saliency-guided efficiency generalizes beyond the reported setups.

major comments (2)
  1. [§4 (Experiments)] §4 (Experiments): The central efficiency claim (>15pp recall reduction with 25-50% fewer frustums) is presented without reported statistical significance tests, exact baseline implementations, data splits, or variance across runs. This is load-bearing because the quantitative advantage of EFA over the non-saliency-aware baseline rests entirely on these unreported experimental details.
  2. [§3.2 (SALL aggregation)] §3.2 (SALL aggregation): The universal saliency maps are formed by cross-scene aggregation of Integrated Gradients, yet no ablation or stability metric (e.g., Jaccard overlap of top-k frustums across random scene subsets) is provided. If influential regions vary substantially by scene geometry, the reported frustum savings could be an artifact of the particular attack implementation rather than reliable explainability guidance.
minor comments (1)
  1. [Abstract and §3] The abstract and methodology would benefit from a brief statement of the number of scenes used for aggregation and the precise perturbation operator applied inside each frustum.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive feedback. We address each major comment below and will update the manuscript to incorporate the requested details and analyses.

read point-by-point responses
  1. Referee: [§4 (Experiments)] The central efficiency claim (>15pp recall reduction with 25-50% fewer frustums) is presented without reported statistical significance tests, exact baseline implementations, data splits, or variance across runs. This is load-bearing because the quantitative advantage of EFA over the non-saliency-aware baseline rests entirely on these unreported experimental details.

    Authors: We agree that the efficiency claims would be more robust with explicit reporting of statistical tests, variance, and implementation details. In the revised manuscript we will add paired t-test p-values across runs, standard deviations over five random seeds, the precise KITTI and nuScenes validation splits used, and expanded descriptions (with pseudocode) of the non-saliency baseline. The public code repository already contains the full experimental scripts, which will be referenced in the text. revision: yes

  2. Referee: [§3.2 (SALL aggregation)] The universal saliency maps are formed by cross-scene aggregation of Integrated Gradients, yet no ablation or stability metric (e.g., Jaccard overlap of top-k frustums across random scene subsets) is provided. If influential regions vary substantially by scene geometry, the reported frustum savings could be an artifact of the particular attack implementation rather than reliable explainability guidance.

    Authors: We concur that a stability analysis of the aggregated maps would directly address concerns about scene-dependent variability. The revision will include a new ablation in §3.2 that computes Jaccard overlap of the top-k salient frustums when SALL is aggregated over random subsets (50 %, 75 %, and 100 %) of the training scenes, plus consistency metrics across detectors. These results will confirm that the influential regions are stable and support the reported efficiency gains. revision: yes

Circularity Check

0 steps flagged

No significant circularity in derivation chain

full rationale

The paper defines SALL as aggregation of Integrated Gradients across scenes to form saliency maps and EFA as selective frustum perturbation guided by those maps, then reports empirical recall drops and efficiency gains on KITTI/nuScenes. No equations, fitted parameters, or self-citations are shown that reduce the reported performance numbers to the method definition by construction; the attack outcomes remain independent experimental measurements rather than tautological restatements of the saliency aggregation procedure.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 1 invented entities

Review is abstract-only so ledger is minimal; no explicit free parameters, axioms, or invented physical entities are described beyond standard ML assumptions such as model differentiability for gradient attribution.

axioms (1)
  • domain assumption Integrated Gradients attributions can be aggregated across scenes to form stable universal saliency maps
    Invoked to justify the SALL method for guiding the attack.
invented entities (1)
  • Saliency-LiDAR (SALL) method no independent evidence
    purpose: Produce universal saliency maps for LiDAR detectors
    New method introduced to enable the EFA attack; no independent evidence outside this work.

pith-pipeline@v0.9.1-grok · 5805 in / 1290 out tokens · 25395 ms · 2026-07-02T20:40:56.482414+00:00 · methodology

0 comments
read the original abstract

The structural vulnerabilities of point cloud-based 3D object detectors remain poorly understood. Prior work has studied adversarial robustness primarily on isolated 3D object models, while recent LiDAR spoofing attacks target richer and more realistic driving scenes but focus mainly on physical realizability rather than understanding detector behavior or attack efficiency. In this work, we investigate how LiDAR-based detectors rely on spatial evidence in complex scenes and whether these reliance patterns can be exploited to induce failures more efficiently. To this end, we propose an explainability-guided adversarial analysis methodology. We introduce the Saliency-LiDAR (SALL) method, which aggregates Integrated Gradient attributions across scenes to produce universal saliency maps for LiDAR-based 3D object detectors. Guided by these maps, we design the Explainability-aware Frustum Attack (EFA), which selectively perturbs only the most influential frustums rather than uniformly attacking entire object regions. Experiments on KITTI and nuScenes, across detectors such as PointPillars and SECOND, show that EFA reduces detection recall by more than 15 percentage points while requiring 25-50% fewer perturbed frustums than the state-of-the-art non-saliency-aware baseline. These findings reveal that modern 3D detectors concentrate discriminative evidence in a small subset of spatial regions, exposing a structural robustness vulnerability in current LiDAR perception systems. Our code is released at https://github.com/SecMindLab/Saliency_LiDAR.

Figures

Figures reproduced from arXiv: 2606.29963 by Binbin Xu, Chengzeng You, Soteris Demetriou.

Figure 1
Figure 1. Figure 1: Saliency-guided hiding visualization. Red rays denote perturbed frustums while green rays denote unperturbed frustums. prior approaches remove all frustums associated with the object, whereas our method perturbs only a few critical frustums. Tan et al. [22] showed that, for isolated 3D object classifiers operating on normalized CAD models [24], a sparse set of critical points can strongly influence predict… view at source ↗
Figure 2
Figure 2. Figure 2: Overview of universal saliency map generation for LiDAR objects with SALL. In Filter operation, only gradients of the best predictions are saved by referring to the perturbation region. In Adaptive Indexing, point-level saliency maps are downsampled to 2D matrices. Σ denotes the summation of 2D matrices. We assume these operations can be applied to multiple rays and maintained over time as the platform mov… view at source ↗
Figure 3
Figure 3. Figure 3: Saliency map visualization of Cars in different datasets and detectors. Red pixels denote positive contribution values while blue pixels denote negative contributions. objects where most points appear on the surfaces. Specifically, PointPillars-based saliency maps tend to highlight the left corner as the most critical area while SECOND-based saliency maps prefer to indicate a L Shape area that aligns with … view at source ↗
Figure 4
Figure 4. Figure 4: Instantiation of prior frustum-level LiDAR attacks. Our simulations of attacking a 30° frustum area can achieve the same digital attack effects as [3, 16, 17]. 4 EFA Evaluation 4.1 Experimental Setup Datasets. We use the KITTI [5] trainval dataset (7481 scenes) and the nuScenes [2] trainval dataset (34 149 samples) for saliency map generation and evaluation. Target Objects. We focus on Car objects within 5… view at source ↗
Figure 5
Figure 5. Figure 5: Adversarial robustness of 3D object detection under the EFA attack. as it simplifies the adversary’s task to one of simply identifying and perturbing the most salient regions. Robustness at Different Distances. We tested the adversarial robustness of Car objects detection from 5 m to 26 m using different frustum budgets as shown in Fig. 5b. It is noticeable that further objects are generally easier to atta… view at source ↗
Figure 6
Figure 6. Figure 6: Saliency-guided attack performance on different datasets and object types. With the guidance of saliency maps, our attack consistently outperforms the baselines. final attack outcome. For both PointPillars and SECOND we report the median across attacked objects, with interquartile ranges shown as shaded regions in Fig. 5d. Our evaluations show that increasing the frustum budget consistently drops both conf… view at source ↗
Figure 7
Figure 7. Figure 7: Universal saliency map of pedestrians. Attacking Small Objects. We evaluate our attack on small, difficult-to-detect objects, using P edestrian objects in KITTI as a test case. We generated a universal SALL map for pedestri￾ans ( [PITH_FULL_IMAGE:figures/full_fig_p011_7.png] view at source ↗
Figure 8
Figure 8. Figure 8: EFA attack visualization. Orange points are perturbed, and gray points are unperturbed. Green box shows the target benign object, while red box marks the same region after attack, where the object is hidden. brute-force attacks [16,17] are vastly inefficient, especially on small objects where only a few degrees of attack are necessary to hide the object. Attack Visualization [PITH_FULL_IMAGE:figures/full_… view at source ↗
Figure 9
Figure 9. Figure 9: Robustness of EFA under realistic physical-world constraints. example, at 50 km h −1 , SALL-guided A-HFR achieves 92.70 % success compared to 67.38 % for the original method, an improvement of 25 %. These results indicate that selecting structurally critical regions becomes increasingly important as perturbation budgets shrink, highlighting the efficiency of universal saliency priors under constrained cond… view at source ↗
Figure 10
Figure 10. Figure 10: Point-level attack performance on different datasets and object types. 8 Runtime Overhead Offline cost. Saliency map generation is offline and at one-time cost. Once learned, the saliency maps can be easily combined with other saliency maps learned from other sources with no further runtime cost. The overall runtime depends on how many scenes the observer wants SALL to learn. We pick 10 scenes and report … view at source ↗
Figure 10
Figure 10. Figure 10: Effectiveness of contributions. Positive contributions are more effective than Negative contributions [PITH_FULL_IMAGE:figures/full_fig_p019_10.png] view at source ↗
Figure 11
Figure 11. Figure 11: Effectiveness of contributions. Positive contributions are more effective than Negative contributions [PITH_FULL_IMAGE:figures/full_fig_p021_11.png] view at source ↗

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

30 extracted references · 30 canonical work pages · 1 internal anchor

  1. [1]

    Advances in neural information processing systems31 (2018)

    Adebayo, J., Gilmer, J., Muelly, M., Goodfellow, I., Hardt, M., Kim, B.: Sanity checks for saliency maps. Advances in neural information processing systems31 (2018)

  2. [2]

    In: Proceedings of the IEEE/CVF conference on computer vision and pattern recognition

    Caesar, H., Bankiti, V., Lang, A.H., Vora, S., Liong, V.E., Xu, Q., Krishnan, A., Pan, Y., Baldan, G., Beijbom, O.: nuscenes: A multimodal dataset for autonomous driving. In: Proceedings of the IEEE/CVF conference on computer vision and pattern recognition. pp. 11621–11631 (2020)

  3. [3]

    In: 32nd USENIX Security Symposium (USENIX Security 23)

    Cao, Y., Bhupathiraju, S.H., Naghavi, P., Sugawara, T., Mao, Z.M., Rampazzi, S.: You can’t see me: Physical removal attacks on{LiDAR-based} autonomous vehicles driving frameworks. In: 32nd USENIX Security Symposium (USENIX Security 23). pp. 2993–3010 (2023)

  4. [4]

    In: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security

    Cao, Y., Xiao, C., Cyr, B., Zhou, Y., Park, W., Rampazzi, S., Chen, Q.A., Fu, K., Mao, Z.M.: Adversarial sensor attack on lidar-based perception in autonomous driving. In: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. pp. 2267–2281 (2019)

  5. [5]

    The International Journal of Robotics Research32(11), 1231–1237 (2013)

    Geiger, A., Lenz, P., Stiller, C., Urtasun, R.: Vision meets robotics: The kitti dataset. The International Journal of Robotics Research32(11), 1231–1237 (2013)

  6. [6]

    In: 31st USENIX Security Symposium (USENIX Security 22)

    Hallyburton, R.S., Liu, Y., Cao, Y., Mao, Z.M., Pajic, M.: Security analysis of camera-lidar fusion against black-box attacks on autonomous vehicles. In: 31st USENIX Security Symposium (USENIX Security 22). pp. 1903–1920 (2022)

  7. [7]

    In: 2022 IEEE Security and Privacy Workshops (SPW)

    Hau, Z., Demetriou, S., Lupu, E.C.: Using 3d shadows to detect object hiding attacks on autonomous vehicle perception. In: 2022 IEEE Security and Privacy Workshops (SPW). pp. 229–235. IEEE (2022)

  8. [8]

    In: Computer Security–ESORICS 2021: 26th European Symposium on Research in Computer Security, Darmstadt, Germany, October 4–8, 2021, Proceedings, Part I 26

    Hau, Z., Demetriou, S., Muñoz-González, L., Lupu, E.C.: Shadow-catcher: Looking into shadows to detect ghost objects in autonomous vehicle 3d sensing. In: Computer Security–ESORICS 2021: 26th European Symposium on Research in Computer Security, Darmstadt, Germany, October 4–8, 2021, Proceedings, Part I 26. pp. 691–711. Springer (2021)

  9. [9]

    In: Workshop on Automotive and Autonomous Vehicle Security (AutoSec)

    Hau, Z., Kenneth, T., Demetriou, S., Lupu, E.C.: Object removal attacks on lidar- based 3d object detectors. In: Workshop on Automotive and Autonomous Vehicle Security (AutoSec). vol. 2021, p. 25 (2021)

  10. [10]

    In: 2023 IEEE Symposium on Security and Privacy (SP)

    Jin, Z., Ji, X., Cheng, Y., Yang, B., Yan, C., Xu, W.: Pla-lidar: Physical laser attacks against lidar-based 3d object detection in autonomous vehicle. In: 2023 IEEE Symposium on Security and Privacy (SP). pp. 1822–1839. IEEE (2023)

  11. [11]

    In: Proceedings of the IEEE/CVF International Conference on Computer Vision

    Kim, J., Hua, B.S., Nguyen, T., Yeung, S.K.: Minimal adversarial examples for deep learning on 3d point clouds. In: Proceedings of the IEEE/CVF International Conference on Computer Vision. pp. 7797–7806 (2021)

  12. [12]

    In: Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition

    Lang, A.H., Vora, S., Caesar, H., Zhou, L., Yang, J., Beijbom, O.: Pointpillars: Fast encoders for object detection from point clouds. In: Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition. pp. 12697–12705 (2019)

  13. [13]

    IEEE Signal Processing Magazine37(4), 14–23 (2020)

    Modas, A., Sanchez-Matilla, R., Frossard, P., Cavallaro, A.: Toward robust sens- ing for autonomous vehicles: An adversarial perspective. IEEE Signal Processing Magazine37(4), 14–23 (2020)

  14. [14]

    Black Hat Europe11, 2015 (2015)

    Petit, J., Stottelaar, B., Feiri, M., Kargl, F.: Remote attacks on automated vehicles sensors: Experiments on camera and lidar. Black Hat Europe11, 2015 (2015)

  15. [15]

    In: Proceedings of the IEEE conference on computer vision and pattern recognition

    Qi, C.R., Su, H., Mo, K., Guibas, L.J.: Pointnet: Deep learning on point sets for 3d classification and segmentation. In: Proceedings of the IEEE conference on computer vision and pattern recognition. pp. 652–660 (2017) Saliency-LiDAR 17

  16. [16]

    In: Network and Distributed System Security Symposium (NDSS) (2024)

    Sato, T., Hayakawa, Y., Suzuki, R., Shiiki, Y., Yoshioka, K., Chen, Q.A.: LiDAR Spoofing Meets the New-Gen: Capability Improvements, Broken Assumptions, and New Attack Strategies. In: Network and Distributed System Security Symposium (NDSS) (2024)

  17. [17]

    In: Proceedings of the Network and Distributed System Security Symposium (NDSS) (2025)

    Sato, T., Suzuki, R., Hayakawa, Y., Ikeda, K., Sako, O., Nagata, R., Yoshida, R., Chen, Q.A., Yoshioka, K.: On the realism of lidar spoofing attacks against autonomous driving vehicle at high speed and long distance. In: Proceedings of the Network and Distributed System Security Symposium (NDSS) (2025)

  18. [18]

    In: International Conference on Cryptographic Hardware and Embedded Systems

    Shin, H., Kim, D., Kwon, Y., Kim, Y.: Illusion and dazzle: Adversarial optical chan- nel exploits against lidars for automotive applications. In: International Conference on Cryptographic Hardware and Embedded Systems. pp. 445–467. Springer (2017)

  19. [19]

    In: 29th USENIX Security Symposium (USENIX Security 20)

    Sun, J., Cao, Y., Chen, Q.A., Mao, Z.M.: Towards robust{LiDAR-based} per- ception in autonomous driving: General black-box adversarial sensor attack and countermeasures. In: 29th USENIX Security Symposium (USENIX Security 20). pp. 877–894 (2020)

  20. [20]

    Gradients of Counterfactuals

    Sundararajan, M., Taly, A., Yan, Q.: Gradients of counterfactuals. arXiv preprint arXiv:1611.02639 (2016)

  21. [21]

    In: International conference on machine learning

    Sundararajan, M., Taly, A., Yan, Q.: Axiomatic attribution for deep networks. In: International conference on machine learning. pp. 3319–3328. PMLR (2017)

  22. [22]

    In: Proceedings of the IEEE/CVF Winter Conference on Applications of Computer Vision

    Tan, H., Kotthaus, H.: Explainability-aware one point attack for point cloud neural networks. In: Proceedings of the IEEE/CVF Winter Conference on Applications of Computer Vision. pp. 4581–4590 (2023)

  23. [23]

    In: Proceed- ings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition

    Tu, J., Ren, M., Manivasagam, S., Liang, M., Yang, B., Du, R., Cheng, F., Urtasun, R.: Physically realizable adversarial examples for lidar object detection. In: Proceed- ings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition. pp. 13716–13725 (2020)

  24. [24]

    In: Proceedings of the IEEE conference on computer vision and pattern recognition

    Wu, Z., Song, S., Khosla, A., Yu, F., Zhang, L., Tang, X., Xiao, J.: 3d shapenets: A deep representation for volumetric shapes. In: Proceedings of the IEEE conference on computer vision and pattern recognition. pp. 1912–1920 (2015)

  25. [25]

    Sensors18(10), 3337 (2018)

    Yan, Y., Mao, Y., Li, B.: Second: Sparsely embedded convolutional detection. Sensors18(10), 3337 (2018)

  26. [26]

    Adversarial Attack and Defense on Point Sets

    Yang, J., Zhang, Q., Fang, R., Ni, B., Liu, J., Tian, Q.: Adversarial attack and defense on point sets. arXiv preprint arXiv:1902.10899 (2019)

  27. [27]

    In: Proceedings of the 1st Workshop on Security and Privacy for Mobile AI

    You, C., Hau, Z., Demetriou, S.: Temporal consistency checks to detect lidar spoofing attacks on autonomous vehicle perception. In: Proceedings of the 1st Workshop on Security and Privacy for Mobile AI. pp. 13–18 (2021)

  28. [28]

    In: 2024 IEEE Security and Privacy Workshops (SPW)

    You, C., Hau, Z., Xu, B., Demetriou, S.: Adversarial 3d virtual patches using integrated gradients. In: 2024 IEEE Security and Privacy Workshops (SPW). pp. 289–295. IEEE (2024)

  29. [29]

    In: Proceedings of the IEEE/CVF International Conference on Computer Vision

    Zheng, T., Chen, C., Yuan, J., Li, B., Ren, K.: Pointcloud saliency maps. In: Proceedings of the IEEE/CVF International Conference on Computer Vision. pp. 1598–1606 (2019)

  30. [30]

    Zhu, Y., Miao, C., Zheng, T., Hajiaghajani, F., Su, L., Qiao, C.: Can we use arbitrary objects to attack lidar perception in autonomous driving? In: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security. pp. 1945–1960 (2021) 18 C. You et al. 7 Ablation Study In realistic sensor spoofing scenarios, the SOTA LiDAR spoofer req...