Feeding examples generated by an attack back into training (i.e., adversarial training) is a very classical defense mechanism. It works reasonably well, but it is not attack-agnostic, and in 3D, removing adversarial points works better. There is also a line of work (mostly in 2D) on detecting adversarial examples with neural networks.
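To make the idea concrete, here is a minimal, self-contained sketch of adversarial training on a toy logistic-regression model: each step, the inputs are perturbed with an FGSM-style sign-of-gradient step and the model is fit on the perturbed batch. All of the specifics (the model, `eps`, `lr`, the synthetic data) are illustrative assumptions, not anyone's actual defense.

```python
import numpy as np

rng = np.random.default_rng(0)

# Synthetic 2-class data: two Gaussian blobs.
X = np.vstack([rng.normal(-1, 0.5, (100, 2)), rng.normal(1, 0.5, (100, 2))])
y = np.array([0] * 100 + [1] * 100)

w = np.zeros(2)
b = 0.0
eps, lr = 0.1, 0.5  # illustrative hyperparameters

def sigmoid(z):
    return 1.0 / (1.0 + np.exp(-z))

for _ in range(200):
    # FGSM-style perturbation: move each input along the sign of the
    # input gradient of the logistic loss, then train on the result.
    p = sigmoid(X @ w + b)
    grad_x = (p - y)[:, None] * w[None, :]   # d(loss)/dx per sample
    X_adv = X + eps * np.sign(grad_x)
    p_adv = sigmoid(X_adv @ w + b)
    w -= lr * (X_adv.T @ (p_adv - y)) / len(y)
    b -= lr * np.mean(p_adv - y)

acc = np.mean((sigmoid(X @ w + b) > 0.5) == y)
print(f"clean accuracy after adversarial training: {acc:.2f}")
```

Note that the attack used inside the loop is baked in, which is exactly why this family of defenses is not attack-agnostic.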
I am not sure about statistical identification, but we show that it is difficult to identify and remove adversarial points by looking for statistical outliers.
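For reference, the kind of statistical outlier removal in question can be sketched as follows: drop every point whose mean distance to its `k` nearest neighbors exceeds the cloud-wide mean of that statistic by more than `alpha` standard deviations. The function and parameter names (`k`, `alpha`) are illustrative, not from any specific implementation.

```python
import numpy as np

def remove_statistical_outliers(points, k=10, alpha=1.0):
    # Pairwise distances (fine for small clouds; use a KD-tree at scale).
    d = np.linalg.norm(points[:, None, :] - points[None, :, :], axis=-1)
    # Mean distance to the k nearest neighbors, excluding the point itself.
    knn = np.sort(d, axis=1)[:, 1:k + 1].mean(axis=1)
    keep = knn <= knn.mean() + alpha * knn.std()
    return points[keep]

rng = np.random.default_rng(0)
cloud = rng.normal(size=(500, 3))          # dense "benign" cloud
spikes = rng.normal(size=(10, 3)) + 8.0    # far-away adversarial points
filtered = remove_statistical_outliers(np.vstack([cloud, spikes]))
print(len(filtered))
```

On this toy example the distant points are filtered out, but an attacker who keeps perturbed points close to the surface blends into the cloud's own density variation, which is why this kind of filter is easy to evade.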
I am not sure about truly robust 3D-specific defenses---if anyone has ideas, I am open to collaboration. I would imagine some sort of provably robust method built specifically to handle the varying density and distribution of points.