Adv3D: Generating 3D Adversarial Examples for 3D Object Detection in Driving Scenarios with NeRF

(1) The paper lacks detailed implementation details, making it difficult to reproduce the study. The authors should provide more information on the specific architectures, hyperparameters, and optimization methods used in training the adversarial NeRFs.

(2) The evaluation of MESH ATTACK should discuss some existing papers[1,2].

(3) The paper could benefit from a clearer and more structured presentation of the proposed methodology and experimental results. Some parts of the paper are difficult to follow, and additional clarity would improve the reader's understanding.

(4) The detailed implementation details of adv training should be provided.

[1] Isometric 3d adversarial examples in the physical world, NIPS 2022

[2] 3d adversarial attacks beyond point cloud, Information Sciences 2023

My major concern is that whether the formulation of NeRF is necessarily, from the motivation perspective. The optimization is essentially finding the color, density of the volume. However, I believe most vehicle objectives are not translucent; the optimized 3D object is very hard to realize. This is evident as authors need to improve the physical realizability.

So we are missing a baseline here: optimizing the surface texture as a 3D mesh, using existing differentiable mesh renderers (such as Neural Mesh Renderer). The latter is easier to optimize (2D texture space), and more physically realizable (because it is a texture map rather than a volume). The authors said it "enables patch attacks in a 3D-aware manner by lifting the 2D patch to a 3D box", so we really need a baseline to showcase such lifting is necessary.

The practicality of this attack is also questionable because in the supplementary material, the mini-nature attack does not seem to be very successful.

In general, my decision largely depends on the first point: the NeRF representation may not be necessary under the current settings. Optimizing the texture image should just work; such volume formulation will make it harder to physically realize and does not bring much benefit other than differentiable rendering.

• The advantage of the proposed method over existing attacks is not clear. The authors claim that implementing existing attacks is challenging because their adversary must have direct contact with the attacked object. However, it is not clear why having direct contact with the attacked object is challenging. I do not think placing an object on top of a vehicle is a challenging task. In addition, many existing methods can be used to attack multi-sensor fusion, which has been widely adopted by today’s autonomous vehicles. What’s the advantage of the proposed attack compared to those existing attacks?

• The authors do not describe the threat model. The information about the detection model and the victim vehicle that the attacker can access remain unclear. How can the attacker obtain such information in practice?

• The practicability of the proposed attack is questionable. To achieve the attack goal, the car with the patch must assume a particular pose and appear in an unusual location on the road (as shown in Figure 3(b)). The car itself may cause traffic accident in practice.

• The authors do not evaluate the proposed attack in real-world driving environments. The influence of view angle, lighting conditions, and vehicle speed on the effectiveness of the attack remains unclear.

1. Missing literature: Several important related threads of work are not present, which doesn't place this work in the right context of existing literature. These include:

• NeRF + Adv: There already exist some works which have explored this intersection. It would be helpful to include these, and to talk a bit about how this work differs from these. https://proceedings.neurips.cc/paper_files/paper/2022/hash/eee7ae5cf0c4356c2aeca400771791aa-Abstract-Conference.html, https://openaccess.thecvf.com/content/ICCV2023W/AROW/html/Horvath_Targeted_Adversarial_Attacks_on_Generalizable_Neural_Radiance_Fields_ICCVW_2023_paper.html among others.

• Differentiable Rendering: Beyond NeRF and neural network based image generation, there have been recent advances in differentiable physically-based rendering which is accurate, and highly photorealistic. Would be good to add these citations. https://dl.acm.org/doi/pdf/10.1145/3414685.3417833, https://people.csail.mit.edu/tzumao/diffrt/, https://research.nvidia.com/labs/rtr/publication/bangaru2023slangd/bangaru2023slangd.pdf, https://inria.hal.science/hal-02497191/document.

• Other papers on 3D adversarial attacks and viewpoint generalization: https://arxiv.org/abs/2106.16198, https://arxiv.org/abs/1808.02651, https://www.nature.com/articles/s42256-021-00437-5.

2. Writing/Presentation of Methods unclear: There are several details in the Methods section that are very hard to follow and ambiguous. Correcting these would be imperative to make sure the paper is understandable:

• "Pose of an adversarial example": An adversarial example in this case refers to an image with the composited NeRF object (+texture), and the original 3D objects from the nuScenes dataset. Which object's pose are you referring to? It might help referring to these objects separately---the existing ones, and the NeRF object added using Lift3D. And then specify what object the sampled pose refers to.
• Figure 1 shows a loop which is optimized over iterations. It seems that the thing being optimized is the adversarial texture patch composited onto the image. However, both the patches shown in Figure 1 (top and bottom row) are the same which makes it unclear what got optimized in the iteration? Following from above: was the pose sampled fro the red car, or the grey car?
• "EOT by average loss over whole batch": It is not specified what is contained in a batch. The idea behind the original EOT concept was to ensure transferability of attack across different transformations. In this case, are we averaging over different poses of the added red car, or the original grey car? How is this ensured that the batch actually samples the correct distribution w.r.t. which the expectation needs to be calculated?
• What are primitives of adversarial examples? It isn't clearly defined what the paper refers to as primitives.

3. Experiments very weak:

• No statistics reported: The closest comparison to NeRF attacks are Mesh ones. Firstly, only one baseline is provided, and there are no error bars or tests for statistical significance reported. This is also true for all experiments.

• No real baselines: The experiments are very thin, with hardly many numbers reported.

(a) Is Clean referring to no attack? What if no adversarial patch is added, but the output of Lift3D is optimized? If the attack is good enough, it would reduce the utility of the adversarial patch.

(b) The patch is added by compositing the image. Was it investigated how much of this adversarial attack was due to NeRF and how much due to just the Image compositing? An easy baseline would be taking the size of the patch, and optimizing pixels in the original 2D image directly without Lift3D to see if a similar sized patch can be found which can break the detection networks.

(c) How do results vary with optimizing the shape latent codes of the NeRF as opposed to texture? (2) (3) How does semantic part normalized by surface area impact?

(d) The results in Fig 4 on viewpoint perfectly correlates with surface area of object if sampling was uniform---is this an outcome of the viewpoint, or just of the number of pixels replaced by compositing?

(e) How do results in Fig4(b) compare with the distribution of viewpoints shown during training? Is there correlation? If so, it is only an artifact of what was shown during training. Same is true for location.

(f) How does this compare to other general purpose NeRF + adversarial attack approaches?

(g) Why are results reported with only nuScenes? There exist several outdoor driving datasets.