Pith sign in

REVIEW 3 major objections 8 minor 39 references

Reviewed by Pith at T0; open to challenge.

T0 review · glm-5.2

GAN Data Augmentation Amplifies Poisoning in 3D Point Clouds

2026-07-08 04:09 UTC pith:OH2AOEZU

load-bearing objection GAN augmentation amplifies poisoning in 3D point clouds, but the sole attack method is too crude to support the security framing the 3 major comments →

arxiv 2607.06484 v1 pith:OH2AOEZU submitted 2026-07-07 cs.CR cs.CVcs.LG

Assessing the Operational Impact of Poisoning Attacks over Augmented 3D Point Cloud Public Datasets for Connected and Autonomous Vehicles

classification cs.CR cs.CVcs.LG
keywords poisoning attacks3D point cloudsdata augmentationGANconnected autonomous vehiclesoperational impactadversarial machine learningLiDAR
verification ladder T0 review T1 audit T2 compute T3 formal T4 reserved

The pith

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

This paper claims that GAN-based data augmentation, widely assumed to sanitize training datasets by emphasizing common benign features, instead amplifies the damage of poisoning attacks on 3D point cloud data used by autonomous vehicles. The authors poison a ModelNet-based training set at rates from 0% to 40%, then compare classifier performance between a baseline (non-augmented) scenario and a GAN-augmented scenario. At 40% poisoning, the attack success rate triples from 5.8% (baseline) to 17.6% (augmented). The authors argue that the augmentation process reinforces distributional modes that the attacker exploits rather than diluting adversarial artifacts. They then feed these attack success rates into a dependency-graph model of CAV operations, showing that the probability of impaired Decision Making rises from 4% (baseline) to 13% (augmented) at the same poisoning level. The central object is the interaction between a clean-label poisoning attack and a GAN-based augmentation pipeline on 3D point cloud data, and the paper's core claim is that this interaction is adversarial: augmentation helps the attacker, not the defender.

Core claim

The paper's central empirical finding is that GAN-based augmentation of poisoned 3D point cloud datasets triples the attack success rate compared to non-augmented poisoned data at the same poisoning level. The mechanism proposed is that augmentation reinforces distributional modes present in both clean and poisoned samples, enlarging the adversary's effective feature space rather than washing out adversarial perturbations. When propagated through a CAV operational dependency graph, this amplification yields a threefold increase in the assessed probability of impaired Decision Making (from 4% to 13% at 40% poisoning).

What carries the argument

The central objects are: (1) a clean-label poisoning attack on 3D point cloud training data (randomly removing 50% of points from a subset of primary-class samples), (2) a 3D-GAN augmentation pipeline that generates synthetic point clouds from the poisoned training set, and (3) an operational impact propagation model using resource and mission dependency graphs where the Attack Success Rate serves as a probabilistic seed that cascades through interconnected CAV system components.

Load-bearing premise

The operational impact numbers (4% vs 13%) depend on edge probabilities in the CAV dependency graph that were manually assigned based on domain expertise rather than validated against real vehicle failure data. If those hand-assigned interdependency weights do not match actual CAV system behavior, the operational impact conclusions do not hold, even if the raw attack success rate amplification is real.

What would settle it

Train the same poisoning-plus-augmentation pipeline on a different 3D point cloud dataset and/or with a different GAN architecture; if augmentation does not amplify ASR relative to baseline, the claim is specific to the ModelNet/3D-GAN combination rather than a general property of augmented 3D point clouds.

If this is right

  • Practitioners using GAN-based augmentation on public 3D point cloud datasets should not assume a sanitizing effect; the opposite may occur.
  • Dataset curation and poisoning detection should be performed before augmentation, not after, since augmentation can multiply poisoned samples.
  • Operational risk assessments for CAV systems that ignore the augmentation pipeline may underestimate the downstream impact of dataset poisoning by a factor of three or more.
  • The amplification mechanism may extend beyond GANs to other generative augmentation techniques that learn and reinforce distributional modes from contaminated training data.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit.

Referee Report

3 major / 8 minor

Summary. This paper investigates whether GAN-based data augmentation amplifies or mitigates the impact of poisoning attacks on 3D point cloud datasets used in CAV perception. Two experimental scenarios are compared: a baseline where a classifier is trained on the original (potentially poisoned) dataset, and an augmented scenario where a 3D-GAN generates synthetic samples from the (potentially poisoned) training data before classifier training. Poisoning is implemented as random removal of 50% of points from primary-class samples at rates of 0–40%. The key finding is that augmentation amplifies poisoning impact: at 40% poisoning, ASR rises from 5.8% (baseline) to 17.6% (augmented), and the operational impact on a Decision Making process rises from 4% to 13%. The operational impact is computed using a dependency-graph propagation model from the authors' prior work [31], with ASR values fed as initial probabilities. Code and datasets are publicly released.

Significance. The paper tackles a timely question at the intersection of adversarial ML and autonomous vehicle safety. Its main strengths are: (1) a clear, reproducible experimental design with publicly released code, datasets, and Docker deployment; (2) the coupling of poisoning-attack evaluation with an operational impact model that maps classifier degradation to CAV decision-making processes, which is a novel combination not found in prior work surveyed in Table 1; and (3) the use of both F1 and MCC metrics, which provides a balanced assessment of classifier performance. The finding that GAN-based augmentation can amplify rather than sanitize poisoning in 3D point clouds is a useful empirical contribution. However, the significance of this finding is tempered by the use of a single, crude poisoning method and the reliance on manually assigned edge weights in the impact model.

major comments (3)
  1. §4.1: The sole poisoning method used is random removal of 50% of points from each sample. The authors acknowledge saliency-based alternatives [35,36] but chose not to use them. This is load-bearing for the central claim that augmentation 'amplifies the impact of poisoned samples' and 'reinforces distributional modes that the attacker exploits.' Random 50% point removal is gross geometric degradation, not a subtle adversarial perturbation. A GAN trained on such degraded samples will naturally reproduce degraded shapes, and a classifier trained on those shapes will perform worse. This demonstrates that a GAN learns whatever distribution it is trained on, but it does not demonstrate that augmentation fails to sanitize adversarial artifacts—the sanitizing effect cited in prior work [12–17] concerns subtle perturbations or backdoor triggers that augmentation might filter out. The paper should
  2. §4.3.2, Figure 6 and Table 2: The operational impact numbers (4% vs. 13% for Decision Making) are the paper's distinguishing contribution over prior poisoning studies. However, these values are entirely determined by edge weights in the dependency graph that were 'manually assigned based on domain expertise' (§4.3.2). No sensitivity analysis is provided to show how the operational impact conclusions change under reasonable variations of these weights. Without such analysis, the reader cannot assess whether the threefold increase claim is robust or an artifact of specific weight choices. A sensitivity analysis over plausible edge-weight ranges, or at minimum a justification for the specific values chosen, is needed to support the operational impact claims.
  3. §4.2: The paper states that all experiments were repeated five times and that 'standard deviations were consistently small,' yet standard deviations are omitted from all figures and tables. Since the ASR gap (17.6% vs. 5.8%) is the central quantitative finding, the reader needs to verify that this gap is statistically meaningful. The standard deviations should be reported, at minimum for the ASR metric.
minor comments (8)
  1. §1.2: The phrase 'Therefore, This divergence' contains a capitalization error ('This' should be 'this').
  2. §3.1, Eq. (2): The perturbation ρ is described as 'small,' but the actual poisoning method removes 50% of points. The relationship between the abstract threat model and the concrete implementation should be clarified.
  3. Figure 5: The x-axis labels show metric values and the y-axis shows poisoning rate, which is unconventional. Consider swapping axes or adding a clearer caption explaining the layout.
  4. Figure 6: The node labels are truncated (e.g., 'Vehicle & Pedes-' for 'Vehicle & Pedestrian Detection'). Consider using abbreviations or a larger figure to improve readability.
  5. §4.1: The choice of two ModelNet classes for binary classification is mentioned but the specific classes selected are not named. This should be specified for reproducibility.
  6. §4.1: The paper uses an InceptionNet architecture adapted for binary classification. More details on the adaptation (e.g., input representation, output layer changes) would aid reproducibility.
  7. Table 1: The 'Poisoning' column header is ambiguous—it lists the attack type, not whether poisoning is considered. Consider renaming to 'Attack Type' or clarifying.
  8. §5: The conclusion states 'augmenting as well the effects of augmenting poisoned 3D point cloud datasets,' which is awkwardly phrased.

Simulated Author's Rebuttal

3 responses · 0 unresolved

We thank the referee for a thorough and constructive report. The referee correctly identifies our key contributions (reproducible experimental design, novel coupling of poisoning evaluation with operational impact modeling, balanced metric usage) and raises three major concerns: (1) the use of a single crude poisoning method limits the generality of the central claim about augmentation amplifying poisoning; (2) the manually assigned edge weights in the dependency graph lack sensitivity analysis, making the threefold operational impact increase potentially fragile; (3) standard deviations are omitted despite being central to assessing the significance of the ASR gap (17.6% vs. 5.8%). We address each below and commit to revisions on points 2 and 3. On point 1, we provide a substantive defense of our methodological choice while acknowledging the referee's concern about generalizability and committing to a scoped framing revision.

read point-by-point responses
  1. Referee: §4.1: The sole poisoning method used is random removal of 50% of points from each sample. The authors acknowledge saliency-based alternatives [35,36] but chose not to use them. This is load-bearing for the central claim that augmentation 'amplifies the impact of poisoned samples' and 'reinforces distributional modes that the attacker exploits.' Random 50% point removal is gross geometric degradation, not a subtle adversarial perturbation. A GAN trained on such degraded samples will naturally reproduce degraded shapes, and a classifier trained on those shapes will perform worse. This demonstrates that a GAN learns whatever distribution it is trained on, but it does not demonstrate that augmentation fails to sanitize adversarial artifacts—the sanitizing effect cited in prior work [12–17] concerns subtle perturbations or backdoor triggers that augmentation might filter out.

    Authors: We partially agree with the referee's concern and will revise the manuscript's framing, but we respectfully disagree that the finding is as limited as the referee suggests. First, regarding the threat model: our adversary is explicitly constrained to have no knowledge of the victim model architecture, loss function, or training process (§3.1). Saliency-based methods [35,36] require either access to a surrogate model or iterative querying of the victim model to compute point importance rankings. Our threat model deliberately excludes such access, making random point removal a realistic attack for an adversary who can only inject samples into a public dataset. This is a legitimate and commonly studied adversary capability in the poisoning literature. Second, regarding the sanitization claim: the prior work we cite on augmentation's sanitizing effects [12–17] does not exclusively concern subtle perturbations. For instance, Karra et al. [15] study Trojan triggers (which can involve visible modifications), and the medical imaging work [13] concerns distributional characteristics of GAN-generated data more broadly. Our contribution is specifically about whether GAN-based augmentation of 3D point clouds sanitizes or amplifies corrupted training data—a question that, to our knowledge, has not been studied in the 3D point cloud domain. The referee's observation that 'a GAN learns whatever distribution it is trained on' is precisely our point: the literature has claimed that augmentation tends to reflect 'the most common features of the original dataset features, which are, by definition benign' (§1.1, citing [12–14]). Our results challenge this assumption by showing that when poisoning is present at meaningful rates, the GAN does not filter toward benign modes but rather reprodu revision: no

  2. Referee: §4.3.2, Figure 6 and Table 2: The operational impact numbers (4% vs. 13% for Decision Making) are the paper's distinguishing contribution over prior poisoning studies. However, these values are entirely determined by edge weights in the dependency graph that were 'manually assigned based on domain expertise' (§4.3.2). No sensitivity analysis is provided to show how the operational impact conclusions change under reasonable variations of these weights. Without such analysis, the reader cannot assess whether the threefold increase claim is robust or an artifact of specific weight choices. A sensitivity analysis over plausible edge-weight ranges, or at minimum a justification for the specific values chosen, is needed to support the operational impact claims.

    Authors: We agree that a sensitivity analysis is needed and will add it to the revised manuscript. Specifically, we will conduct a sensitivity analysis varying the manually assigned edge weights (those between operational functions and processes) by ±20% around their nominal values and recompute the operational impact on Decision Making for both baseline and augmented scenarios at 40% poisoning. We will present the results as a range (e.g., operational impact varies from X% to Y% under baseline and from A% to B% under augmentation) and confirm whether the threefold increase pattern holds across the plausible weight range. We note that the inter-asset edge weights derived from nuScenes [32] are data-driven and not subject to the same manual assignment concern. We will also add explicit justification for the specific domain-expertise values chosen, citing the CAV operational context from which they were derived. We believe the relative comparison (baseline vs. augmented) is likely robust because the same graph structure and weights are applied to both scenarios—the ASR values are the only differing inputs—so the threefold ratio should be largely insensitive to weight choices. But we will verify this empirically and report the results honestly. revision: yes

  3. Referee: §4.2: The paper states that all experiments were repeated five times and that 'standard deviations were consistently small,' yet standard deviations are omitted from all figures and tables. Since the ASR gap (17.6% vs. 5.8%) is the central quantitative finding, the reader needs to verify that this gap is statistically meaningful. The standard deviations should be reported, at minimum for the ASR metric.

    Authors: We agree and will add standard deviations to the revised manuscript. We will report standard deviations for the ASR metric in Table 2 (or an expanded version thereof) and as error bars in Figure 5(c). We will also add a brief statistical significance test (e.g., a two-sample t-test or Wilcoxon rank-sum test) comparing the baseline and augmented ASR values at each poisoning rate to confirm that the gap is statistically meaningful. We will retain the current figures for visual clarity but ensure the standard deviations are reported in the tables and discussed in the text. revision: yes

Circularity Check

0 steps flagged

No significant circularity; the ASR values are independently measured and the impact model is an external tool, not a re-derived result.

full rationale

The paper's central claim—that GAN-based augmentation amplifies poisoning effects—is supported by independently measured ASR values (5.8% baseline vs. 17.6% augmented at 40% poisoning), computed from classifier false-negative rates on a held-out test set (Section 4.2). These measurements are not fitted to or defined in terms of the conclusion. The operational impact model (Section 3.2) is imported from prior work [31] by overlapping authors (Lazrag, Garcia-Alfaro), but it functions as an external tool: the ASR is fed as input to a propagation function with manually assigned edge weights, and the impact numbers (4%, 13%) are outputs of that function, not re-derivations of the ASR. The self-citation to [31] provides the modeling framework (graphs, propagation functions) rather than a result being re-derived. The edge weights are manually assigned based on domain expertise—a modeling assumption that is a correctness risk, not a circularity issue, since the weights are not defined in terms of the target operational impact values. No step in the derivation chain reduces to its own inputs by construction.

Axiom & Free-Parameter Ledger

4 free parameters · 4 axioms · 1 invented entities

The axiom ledger reveals that the paper's conclusions rest on several manually chosen parameters (poisoning method, rates, edge weights, dataset scope) and domain assumptions (GAN sanitizing premise, impact model validity, representativeness of random point removal, ModelNet-to-CAV generalization). The most consequential free parameters are the manually assigned impact model edge weights, which directly determine the headline operational impact numbers.

free parameters (4)
  • Poisoning method: 50% random point removal = 50%
    The fraction of points removed from each poisoned sample is chosen by the authors without optimization or justification beyond simplicity.
  • Poisoning rates: 0%, 10%, 20%, 40% = 0-40%
    The specific poisoning rates tested are selected by the authors; the maximum of 40% is not justified against any threat model boundary.
  • Impact model edge weights (operational functions to processes) = manually assigned
    Section 4.3.2 states edge values between operational functions and processes 'were manually assigned based on domain expertise.' These directly determine the final operational impact numbers.
  • Number of ModelNet classes selected = 2 (binary)
    The choice of binary classification rather than multi-class is a design decision that limits the scope of the evaluation.
axioms (4)
  • domain assumption GAN-based augmentation generates synthetic data reflecting the most common features of the original dataset, which are benign by definition.
    Section 1.1 invokes this as the premise that augmentation has a 'sanitizing effect,' which the paper then challenges. The assumption is attributed to cited literature [12-14].
  • domain assumption The operational impact model from [31] accurately represents CAV system dependencies.
    Section 3.2 adopts the impact propagation model from the authors' own prior work as the framework for quantifying downstream effects. The model's validity for CAV scenarios is assumed, not independently verified.
  • ad hoc to paper Random 50% point removal is a representative poisoning attack for 3D point clouds.
    Section 4.1 states the authors 'employed a simpler poisoning method, typically, we randomly removed 50% of the points from each poisoned file, without applying any ranking or importance criterion.' This is acknowledged as simpler than saliency-based methods, yet the generalization claims in the conclusion implicitly assume this attack is representative.
  • domain assumption Binary classification on two ModelNet classes generalizes to CAV perception scenarios.
    The paper uses ModelNet CAD objects, not actual LiDAR point clouds from driving scenarios. The nuScenes-inspired CAV model (Figure 1) is used for impact modeling, but the actual experiments use ModelNet. The gap between CAD models and real LiDAR data is not addressed.
invented entities (1)
  • None no independent evidence
    purpose: N/A
    The paper does not introduce new particles, forces, dimensions, or postulated entities. It uses existing frameworks (3D-GAN, InceptionNet, the impact model from [31]) and existing datasets (ModelNet, nuScenes for modeling).

pith-pipeline@v1.1.0-glm · 16820 in / 3192 out tokens · 520695 ms · 2026-07-08T04:09:58.869227+00:00 · methodology

0 comments
read the original abstract

Poisoning attacks against public datasets lead to major concerns, such as (i) misclassification of perceived objects when the poisoned data is used for training and (ii) embedding of backdoors that may eventually be triggered later on, when specific conditions in the system apply over the learned models. Its impact over data augmentation models is unclear. While data augmentation reduces the likelihood of poisoning attack success, some valid questions remain. Is data augmentation affecting the impact of poisoning attacks? can it increase the number of poisoned samples or injected backdoors? We explore in this paper some of these questions. We assess the effects of augmenting poisoned 3D point cloud datasets and validate that poisoning is able to evade the sanitizing nature of augmentation techniques when using the concrete case of Generative Adversarial Network (GAN) techniques to exemplify the case of data augmentation processing. We also validate that poisoning propagates over the augmented datasets and perturbs the decision made by general-purpose classifiers, in the end. All the experimental material (including tools, datasets, and classifiers) is publicly available, to facilitate reproducibility and to foster further research in the topic.

Figures

Figures reproduced from arXiv: 2607.06484 by Badis Hammi, Joaquin Garcia-Alfaro, Lorena Gonzalez-Manzano, Marwan Lazrag.

Figure 1
Figure 1. Figure 1: CAV scenario inspired from the nuScenes data col [PITH_FULL_IMAGE:figures/full_fig_p004_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: Assessing the impact of a poisoning attack against [PITH_FULL_IMAGE:figures/full_fig_p004_2.png] view at source ↗
Figure 3
Figure 3. Figure 3: Methodology to compute the Attack Success Rate ( [PITH_FULL_IMAGE:figures/full_fig_p005_3.png] view at source ↗
Figure 4
Figure 4. Figure 4: (a) Original object; (b) GAN output from clean data; [PITH_FULL_IMAGE:figures/full_fig_p005_4.png] view at source ↗
Figure 5
Figure 5. Figure 5: Dependencies between metrics and poisoning rate: (a) Dependency between MCC and Poisoning rate; (b) Dependency [PITH_FULL_IMAGE:figures/full_fig_p007_5.png] view at source ↗
Figure 6
Figure 6. Figure 6: Impact assessment model: (a) Nominal system state; (b) Baseline scenario with a 40% poisoning rate; (c) Augmented [PITH_FULL_IMAGE:figures/full_fig_p007_6.png] view at source ↗

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

39 extracted references · 39 canonical work pages · 6 internal anchors

  1. [1]

    Ad- vancing security in software-defined vehicles: A comprehensive survey and taxonomy,

    K. Sghaier, B. Hammi, G. Gharbi, P. Merdrignac, P. Parrend, and D. Verna, “Ad- vancing security in software-defined vehicles: A comprehensive survey and taxonomy, ”arXiv preprint arXiv:2510.09675, 2025

  2. [2]

    A review on autonomous vehicles: Progress, methods and challenges,

    D. Parekh, N. Poddar, A. Rajpurkar, M. Chahal, N. Kumar, G. P. Joshi, and W. Cho, “A review on autonomous vehicles: Progress, methods and challenges, ”Electronics, vol. 11, no. 14, p. 2162, 2022

  3. [3]

    A state- of-the-art review on attacks and defense mechanisms for lidar on autonomous vehicles,

    S. A. Salguero-Luna, K. A. Ramirez-Gutierrez, and A. Martinez-Cruz, “A state- of-the-art review on attacks and defense mechanisms for lidar on autonomous vehicles, ”IEEE Transactions on Intelligent Transportation Systems, 2024

  4. [4]

    Research advances and challenges of au- tonomous and connected ground vehicles,

    A. Eskandarian, C. Wu, and C. Sun, “Research advances and challenges of au- tonomous and connected ground vehicles, ”IEEE Transactions on Intelligent Trans- portation Systems, vol. 22, no. 2, pp. 683–711, 2019

  5. [5]

    Cooper: Cooperative perception for con- nected autonomous vehicles based on 3d point clouds,

    Q. Chen, S. Tang, Q. Yang, and S. Fu, “Cooper: Cooperative perception for con- nected autonomous vehicles based on 3d point clouds, ” in2019 IEEE 39th Interna- tional Conference on Distributed Computing Systems (ICDCS). IEEE, 2019, pp. 514–524

  6. [6]

    Platelet: Pioneering security and privacy compliant simulation for intelligent transportation systems and v2x,

    M. Kautz, B. Hammi, and J. Garcia-Alfaro, “Platelet: Pioneering security and privacy compliant simulation for intelligent transportation systems and v2x, ” in2024 22nd International Symposium on Network Computing and Applications (NCA). IEEE, 2024, pp. 61–67

  7. [7]

    Survey on autonomous vehicle simulation platforms,

    G. Yang, Y. Xue, L. Meng, P. Wang, Y. Shi, Q. Yang, and Q. Dong, “Survey on autonomous vehicle simulation platforms, ” in2021 8th International Conference on Dependable Systems and Their Applications (DSA). IEEE, 2021, pp. 692–699

  8. [8]

    A survey on simulators for testing self-driving cars,

    P. Kaur, S. Taghavi, Z. Tian, and W. Shi, “A survey on simulators for testing self-driving cars, ” in2021 Fourth International Conference on Connected and Au- tonomous Driving (MetroCAD). IEEE, 2021, pp. 62–70

  9. [9]

    Choose your simulator wisely: A review on open-source simulators for autonomous driving,

    Y. Li, W. Yuan, S. Zhang, W. Yan, Q. Shen, C. Wang, and M. Yang, “Choose your simulator wisely: A review on open-source simulators for autonomous driving, ” IEEE Transactions on Intelligent Vehicles, 2024

  10. [10]

    Rl-gan-net: A reinforcement learning agent controlled gan network for real-time point cloud shape completion,

    M. Sarmad, H. J. Lee, and Y. M. Kim, “Rl-gan-net: A reinforcement learning agent controlled gan network for real-time point cloud shape completion, ” in Proceedings of the IEEE/CVF conference on computer vision and pattern recognition, 2019, pp. 5898–5907

  11. [11]

    Dense point cloud comple- tion based on generative adversarial network,

    M. Cheng, G. Li, Y. Chen, J. Chen, C. Wang, and J. Li, “Dense point cloud comple- tion based on generative adversarial network, ”IEEE Transactions on Geoscience and Remote Sensing, vol. 60, pp. 1–10, 2021

  12. [12]

    A survey on gan techniques for data augmenta- tion to address the imbalanced data issues in credit card fraud detection,

    E. Strelcenia and S. Prakoonwit, “A survey on gan techniques for data augmenta- tion to address the imbalanced data issues in credit card fraud detection, ”Machine Learning and Knowledge Extraction, vol. 5, no. 1, pp. 304–329, 2023

  13. [14]

    Data Augmentation Revisited: Rethinking the Distribution Gap between Clean and Augmented Data

    Z. He, L. Xie, X. Chen, Y. Zhang, Y. Wang, and Q. Tian, “Data augmentation revisited: Rethinking the distribution gap between clean and augmented data, ” arXiv preprint arXiv:1909.09148, 2019

  14. [15]

    Sanitais: Unsupervised data augmenta- tion to sanitize trojaned neural networks,

    K. Karra, C. Ashcraft, and C. Costello, “Sanitais: Unsupervised data augmenta- tion to sanitize trojaned neural networks, ” in2022 IEEE Intl Conf on Dependable, Autonomic and Secure Computing, Intl Conf on Pervasive Intelligence and Comput- ing, Intl Conf on Cloud and Big Data Computing, Intl Conf on Cyber Science and Technology Congress (DASC/PiCom/CBDCo...

  15. [16]

    Learning the Unlearnable: Adversarial Augmentations Suppress Unlearnable Example Attacks

    T. Qin, X. Gao, J. Zhao, K. Ye, and C.-Z. Xu, “Learning the unlearnable: Ad- versarial augmentations suppress unlearnable example attacks, ”arXiv preprint arXiv:2303.15127, 2023

  16. [17]

    Data augmentation can improve robustness,

    S.-A. Rebuffi, S. Gowal, D. A. Calian, F. Stimberg, O. Wiles, and T. A. Mann, “Data augmentation can improve robustness, ”Advances in neural information processing Assessing the Operational Impact of Poisoning Attacks over Augmented 3D Point Cloud Public Datasets for Connected and Autonomous Vehicles SECRYPT 2026, 16–18 July, 2026, Porto, Portugal systems...

  17. [18]

    Data augmentation for discrimination prevention and bias disam- biguation,

    S. Sharma, Y. Zhang, J. M. Ríos Aliaga, D. Bouneffouf, V. Muthusamy, and K. R. Varshney, “Data augmentation for discrimination prevention and bias disam- biguation, ” inProceedings of the AAAI/ACM Conference on AI, Ethics, and Society, 2020, pp. 358–364

  18. [19]

    Image Data Augmentation for Deep Learning: A Survey

    S. Yang, W. Xiao, M. Zhang, S. Guo, J. Zhao, and F. Shen, “Image data augmentation for deep learning: A survey, ”arXiv preprint arXiv:2204.08610, 2022

  19. [20]

    Text data augmentation for deep learning,

    C. Shorten, T. M. Khoshgoftaar, and B. Furht, “Text data augmentation for deep learning, ”Journal of big Data, vol. 8, no. 1, p. 101, 2021

  20. [21]

    Gan-based data augmentation and anonymiza- tion for skin-lesion analysis: A critical review,

    A. Bissoto, E. Valle, and S. Avila, “Gan-based data augmentation and anonymiza- tion for skin-lesion analysis: A critical review, ” inProceedings of the IEEE/CVF conference on computer vision and pattern recognition, 2021, pp. 1847–1856

  21. [22]

    Pu-gan: a point cloud upsampling adversarial network,

    R. Li, X. Li, C.-W. Fu, D. Cohen-Or, and P.-A. Heng, “Pu-gan: a point cloud upsampling adversarial network, ” inProceedings of the IEEE/CVF international conference on computer vision, 2019, pp. 7203–7212

  22. [23]

    Simple and effective synthesis of indoor 3d scenes,

    J. Y. Koh, H. Agrawal, D. Batra, R. Tucker, A. Waters, H. Lee, Y. Yang, J. Baldridge, and P. Anderson, “Simple and effective synthesis of indoor 3d scenes, ” inPro- ceedings of the AAAI Conference on Artificial Intelligence, vol. 37, no. 1, 2023, pp. 1169–1178

  23. [24]

    Generating 3D adversarial point clouds,

    C. Xiang, C. R. Qi, and B. Li, “Generating 3D adversarial point clouds, ” inPro- ceedings of the IEEE/CVF conference on computer vision and pattern recognition, 2019, pp. 9136–9144

  24. [25]

    Advpc: Transferable adversarial perturbations on 3d point clouds,

    A. Hamdi, S. Rojas, A. Thabet, and B. Ghanem, “Advpc: Transferable adversarial perturbations on 3d point clouds, ” inComputer Vision–ECCV 2020: 16th European Conference, Glasgow, UK, August 23–28, 2020, Proceedings, Part XII 16. Springer, 2020, pp. 241–257

  25. [26]

    PointAPA: To- wards availability poisoning attacks in 3D point clouds,

    X. Wang, M. Li, P. Xu, W. Liu, L. Y. Zhang, S. Hu, and Y. Zhang, “PointAPA: To- wards availability poisoning attacks in 3D point clouds, ” inEuropean Symposium on Research in Computer Security. Springer, 2024, pp. 125–145

  26. [27]

    Data poisoning against federated learning: Comparative analysis under label-flipping attacks and gan-generated eeg data,

    M. Alsereidi, A. Awadallah, A. Alkaabi, S. Yoon, and C. Y. Yeun, “Data poisoning against federated learning: Comparative analysis under label-flipping attacks and gan-generated eeg data, ” in2024 2nd International Conference on Cyber Resilience (ICCR). IEEE, 2024, pp. 1–5

  27. [28]

    A comprehensive understanding of the impact of data augmentation on the transferability of 3d adversarial examples,

    F. Qian, Y. Zou, M. Xu, X. Zhang, C. Zhang, C. Xu, and H. Chen, “A comprehensive understanding of the impact of data augmentation on the transferability of 3d adversarial examples, ”ACM Transactions on Knowledge Discovery from Data, 2024

  28. [29]

    Securing Traffic Sign Recognition Systems in Autonomous Vehicles

    T. Hapuarachchi, L. Dang, and K. Xiong, “Securing traffic sign recognition systems in autonomous vehicles, ”arXiv preprint arXiv:2506.06563, 2025

  29. [30]

    Adversarial examples in the physical world,

    A. Kurakin, I. J. Goodfellow, and S. Bengio, “Adversarial examples in the physical world, ” inArtificial intelligence safety and security. Chapman and Hall/CRC, 2018, pp. 99–112

  30. [31]

    Lazrag, C

    M. Lazrag, C. Kiennert, and J. Garcia-Alfaro,Quantifying the Impact Propagation of Cyber Attacks Using Business Logic Modeling. Cham: Springer Nature Switzerland, 2025, pp. 49–71

  31. [32]

    nuscenes: A multimodal dataset for autonomous driving,

    H. Caesar, V. Bankiti, A. H. Lang, S. Vora, V. E. Liong, Q. Xu, A. Krishnan, Y. Pan, G. Baldan, and O. Beijbom, “nuscenes: A multimodal dataset for autonomous driving, ” inProceedings of the IEEE/CVF conference on computer vision and pattern recognition, 2020, pp. 11 621–11 631

  32. [33]

    Learning a probabilistic latent space of object shapes via 3D generative-adversarial modeling,

    J. Wu, C. Zhang, T. Xue, B. Freeman, and J. Tenenbaum, “Learning a probabilistic latent space of object shapes via 3D generative-adversarial modeling, ”Advances in neural information processing systems, vol. 29, 2016

  33. [34]

    3D ShapeNets: A Deep Representation for Volumetric Shapes,

    Z. Wu, S. Song, A. Khosla, F. Yu, L. Zhang, X. Tang, and J. Xiao, “3D ShapeNets: A Deep Representation for Volumetric Shapes, ” inProceedings of the IEEE conference on computer vision and pattern recognition, 2015, pp. 1912–1920

  34. [35]

    Pointcloud saliency maps,

    T. Zheng, C. Chen, J. Yuan, B. Li, and K. Ren, “Pointcloud saliency maps, ” in Proceedings of the IEEE/CVF international conference on computer vision, 2019, pp. 1598–1606

  35. [36]

    Adversarial Attack and Defense on Point Sets

    J. Yang, Q. Zhang, R. Fang, B. Ni, J. Liu, and Q. Tian, “Adversarial attack and defense on point sets, ”arXiv preprint arXiv:1902.10899, 2019

  36. [37]

    Adam: A Method for Stochastic Optimization

    D. P. Kingma and J. Ba, “Adam: A method for stochastic optimization, ”arXiv preprint arXiv:1412.6980, 2014

  37. [38]

    Binary cross entropy with deep learning technique for image classification,

    U. Ruby, V. Yendapalliet al., “Binary cross entropy with deep learning technique for image classification, ”Int. J. Adv. Trends Comput. Sci. Eng, vol. 9, no. 10, 2020

  38. [39]

    Chollet and F

    F. Chollet and F. Chollet,Deep learning with Python. Simon and Schuster, 2021

  39. [40]

    Deep-learning-based vulnerability detection in binary executables,

    A. Schaad and D. Binder, “Deep-learning-based vulnerability detection in binary executables, ” inInternational Symposium on Foundations and Practice of Security. Springer, 2022, pp. 453–460