APC: Transferable and Efficient Adversarial Point Counterattack for Robust 3D Point Cloud Recognition

Conference: CVPR 2026
arXiv: 2604.15708
Code: https://github.com/gyjung975/APC
Area: 3D Vision
Keywords: Adversarial Defense, 3D Point Cloud, Counter-Perturbation, Cross-Model Transfer, Input-Level Purification

TL;DR

APC proposes a lightweight input-level purification module that neutralizes adversarial attacks by generating point-wise counter-perturbations; trained under dual geometric and semantic consistency constraints, it achieves strong robustness across diverse attacks and models.

Background & Motivation

Background: Adversarial defense methods for 3D point cloud recognition fall into two categories — input-level defenses (directly manipulating input data, e.g., SOR, IF-Defense) and model-level defenses (e.g., adversarial training, hybrid training).

Limitations of Prior Work: Input-level defenses are naturally transferable across models due to their operation in data space, but offer weaker protection; model-level defenses are effective but lack transferability, requiring full retraining for each target model. Both categories exhibit a clear trade-off between robustness and transferability.

Key Challenge: Existing input-level defenses only indirectly recover clean samples through data manipulation (e.g., outlier removal, surface reconstruction), without leveraging explicit defense objectives to learn how to precisely reverse attack perturbations.

Goal: Design a defense method that simultaneously achieves strong robustness and high transferability.

Key Insight: Reframe adversarial defense as a "counter-attack" — rather than passively denoising or reconstructing, actively generate a counter-perturbation to neutralize the attack perturbation.

Core Idea: Train a lightweight encoder-decoder module that takes an adversarial sample as input and generates point-wise counter-perturbations, purifying the adversarial point cloud into a form close to the clean sample via point-wise addition.

Method

Overall Architecture

APC adopts a lightweight encoder-decoder architecture. The encoder consists of three modules (local, global, and fusion) to extract point features; the decoder generates point-wise counter-perturbations \(C \in \mathbb{R}^{N \times 3}\). The purification process is formulated as \(\tilde{x}' = x' + C\), i.e., adding the counter-perturbation to the adversarial point cloud yields the purified point cloud. Training uses clean-adversarial sample pairs and jointly optimizes geometric and semantic consistency losses.
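To make the data flow concrete, here is a minimal NumPy sketch of the purification step, not the paper's implementation: a k-NN mean stands in for the local module, a per-cloud mean for the global module, and a single linear map for the 3-layer MLP decoder. All weights and the `apc_counter` name are hypothetical.

```python
import numpy as np

rng = np.random.default_rng(0)

def knn_mean(x, k=8):
    # local geometric context: mean of each point's k nearest neighbors
    d = np.linalg.norm(x[:, None, :] - x[None, :, :], axis=-1)
    idx = np.argsort(d, axis=1)[:, :k]      # includes the point itself (distance 0)
    return x[idx].mean(axis=1)              # N x 3

def apc_counter(x_adv, W_dec):
    """Toy APC-style generator: local (k-NN) and global (mean) features,
    fused and decoded into a point-wise counter-perturbation C (N x 3)."""
    local_feat = knn_mean(x_adv)                             # N x 3
    global_feat = x_adv.mean(axis=0, keepdims=True)          # 1 x 3, shared by all points
    fused = np.concatenate(
        [local_feat, np.repeat(global_feat, len(x_adv), axis=0)], axis=1)  # N x 6
    return fused @ W_dec                    # linear stand-in for the MLP decoder

x_adv = rng.normal(size=(64, 3)).astype(np.float32)
W_dec = rng.normal(scale=0.01, size=(6, 3)).astype(np.float32)
C = apc_counter(x_adv, W_dec)
x_purified = x_adv + C                      # purification: x~' = x' + C
assert x_purified.shape == x_adv.shape
```

The point-wise addition at the end is the entire inference-time operation: one forward pass through the generator, then an element-wise sum.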

Key Designs

  1. Distribution-aware Counter-Perturbation Generation:

    • Function: Generate targeted counter-perturbations for each point.
    • Mechanism: The encoder first aggregates local geometric features via KNN: \(L = g^{\mathrm{local}}([\mathrm{repeat}_k(x'); P])\); then extracts global shape features via the global module: \(G = g^{\mathrm{global}}(L)\); finally, the fusion module combines local and global features: \(E = g^{\mathrm{fusion}}([L; \mathrm{repeat}_N(G)])\). A decoder (3-layer MLP + GELU) maps the fused features to 3D counter-perturbations.
    • Design Motivation: KNN aggregation exploits local geometric information to suppress local noise, while global features provide holistic shape context for stability. Their fusion enables each point's counter-perturbation to account for both local neighborhood structure and global shape.
  2. Dual Consistency Loss:

    • Function: Ensure that purified samples are geometrically and semantically close to clean samples.
    • Mechanism: Geometric consistency uses Chamfer Distance to constrain the coordinate-level distance between the purified and clean point clouds \(\mathcal{L}_{geo}\); semantic consistency uses MSE to constrain the similarity of global features between purified and clean samples in the victim model's feature space \(\mathcal{L}_{sem}\). The total loss is \(\mathcal{L} = \mathcal{L}_{ce} + \alpha \cdot \mathcal{L}_{geo} + \beta \cdot \mathcal{L}_{sem}\).
    • Design Motivation: Geometric recovery alone may fail to fully restore high-level semantic information. Dual-space constraints ensure the purification process simultaneously repairs local coordinate perturbations and high-level semantic shifts.
  3. Hybrid Training Strategy:

    • Function: Enable a single APC model to defend against both seen and unseen attack types.
    • Mechanism: APC is trained on adversarial samples mixed from multiple attack types (Add, Cluster, Perturb, KNN, PGD, HiT, etc.). Experiments show that training on a single attack yields strong defense against that attack but poor generalization to others.
    • Design Motivation: Different attacks produce distinct perturbation patterns; hybrid training enables APC to learn a more general purification capability, improving cross-attack generalization.
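The dual consistency objective from item 2 can be sketched as follows. This is an illustrative NumPy version: the `alpha` and `beta` defaults are placeholders (the paper's weights are not given here), and `feat_*` denotes global features from the victim model's encoder.

```python
import numpy as np

def chamfer_distance(a, b):
    """Symmetric Chamfer distance between point sets a (N x 3) and b (M x 3)."""
    d = np.linalg.norm(a[:, None, :] - b[None, :, :], axis=-1)   # N x M pairwise distances
    return d.min(axis=1).mean() + d.min(axis=0).mean()

def dual_consistency_loss(x_purified, x_clean, feat_purified, feat_clean,
                          ce_loss, alpha=1.0, beta=1.0):
    """Total loss L = L_ce + alpha * L_geo + beta * L_sem.
    alpha/beta here are hypothetical placeholder weights."""
    l_geo = chamfer_distance(x_purified, x_clean)                # coordinate-level
    l_sem = np.mean((feat_purified - feat_clean) ** 2)           # MSE in victim feature space
    return ce_loss + alpha * l_geo + beta * l_sem

x = np.random.randn(32, 3)
assert chamfer_distance(x, x) == 0.0   # identical clouds have zero geometric loss
```

Chamfer Distance only constrains nearest-neighbor coordinates, which is why the semantic MSE term is needed to anchor the purified sample in the victim model's feature space as well.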

Loss & Training

The final loss is a weighted combination of cross-entropy, geometric consistency, and semantic consistency. Hybrid training samples adversarial examples from multiple attack types. Once trained, APC parameters are frozen; at inference, a single forward pass suffices to purify the input.
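A hybrid training batch can be assembled as in this sketch, assuming per-attack functions that map a clean sample to its adversarial version; the `make_hybrid_batch` helper and the toy attacks are hypothetical stand-ins for the real Add, Cluster, Perturb, KNN, PGD, HiT, etc.

```python
import random

def make_hybrid_batch(clean_samples, attack_fns, rng=None):
    """Pair each clean sample with an adversarial copy produced by a
    randomly chosen attack, as in the hybrid training strategy."""
    rng = rng or random.Random(0)
    names = list(attack_fns)
    return [(x, attack_fns[n](x), n)
            for x, n in ((x, rng.choice(names)) for x in clean_samples)]

# toy stand-in attacks on a sample represented as a flat list of coordinates
attacks = {
    "Perturb": lambda x: [p + 0.01 for p in x],   # small coordinate shift
    "Add":     lambda x: x + [0.0],               # append an extra coordinate/point
}
batch = make_hybrid_batch([[0.0, 1.0], [2.0, 3.0]], attacks)
assert len(batch) == 2 and all(n in attacks for _, _, n in batch)
```

Each (clean, adversarial) pair then feeds the dual consistency loss, so a single APC model sees perturbation patterns from every attack family during training.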

Key Experimental Results

Main Results

| Defense Method | Type | PointNet Avg | PointNet++ Avg | DGCNN Avg |
| --- | --- | --- | --- | --- |
| No Defense | - | 6.0 | 41.4 | 26.2 |
| SOR | Input-level | 65.8 | 75.1 | 69.3 |
| IF-Defense | Input-level | 80.6 | - | - |
| HT | Model-level | 80.1 | - | - |
| APC | Input-level | 84.7 | 85.6 | 85.3 |

Ablation Study

| Configuration | ModelNet40 Avg |
| --- | --- |
| APC (full) | 84.7 |
| w/o Semantic Consistency | 82.3 |
| w/o Geometric Consistency | 80.1 |
| Single-attack Training (PGD only) | 76.5 (significant drop across attacks) |

Key Findings

  • As an input-level method, APC surpasses not only all input-level defenses but also model-level defenses (AT, HT), while maintaining cross-model transferability.
  • In cross-model experiments, APC substantially outperforms existing input-level methods on unseen models, validating strong transferability.
  • Both components of the dual consistency loss are indispensable: geometric loss is critical for restoring coordinate accuracy, and semantic loss is critical for maintaining recognition correctness.
  • Inference requires only a single APC forward pass, with minimal parameter count and computational overhead.

Highlights & Insights

  • Elegant "counter-attack" paradigm: Rather than denoising or reconstructing, APC actively generates counter-perturbations. This inverse thinking allows an input-level method to surpass model-level defenses in robustness for the first time.
  • Plug-and-play practicality: Once trained, APC transfers directly to arbitrary models without retraining, substantially reducing deployment cost.
  • Potential transferability to 2D: Although this work focuses on 3D point clouds, the counter-perturbation paradigm is directly applicable to 2D image adversarial defense.

Limitations & Future Work

  • Training requires adversarial samples from multiple attack types prepared in advance; the coverage of attack types in training data affects generalization.
  • The semantic consistency loss depends on the victim model's feature extractor, introducing a mild dependency on the victim model.
  • Robustness against adaptive attacks (i.e., attackers aware of APC's existence) has not yet been evaluated.

Comparisons with Prior Defenses

  • vs. IF-Defense: IF-Defense iteratively optimizes point coordinates at inference to recover surfaces, incurring high computational cost; APC achieves purification in a single forward pass, making it both faster and more effective.
  • vs. Hybrid Training (HT): HT is a model-level method requiring retraining of the victim model; APC achieves superior performance as an input-level method while remaining transferable.
  • vs. DUP-Net: DUP-Net recovers missing details via upsampling and reconstruction; APC directly generates point-wise corrections, offering greater precision.

Rating

  • Novelty: ⭐⭐⭐⭐ The counter-perturbation paradigm is novel in 3D point cloud defense, simultaneously addressing robustness and transferability.
  • Experimental Thoroughness: ⭐⭐⭐⭐⭐ 11 attack types, 3 models, two datasets, and comprehensive cross-model experiments.
  • Writing Quality: ⭐⭐⭐⭐ Clear structure with rigorous experimental design logic.
  • Value: ⭐⭐⭐⭐ First input-level defense to comprehensively surpass model-level defenses; high practical value.