Official PyTorch implementation of our paper:
RemedyGS: Defend 3D Gaussian Splatting Against Computation Cost Attacks
Yanping Li · Zhening Liu · Zijian Li · Zehong Lin · Jun Zhang
3D Gaussian Splatting (3DGS) has become a mainstream technique for photorealistic 3D reconstruction and is widely deployed in real-world services. Recent work such as Poison-splat shows that attackers can poison input images to trigger excessive Gaussian densification, dramatically increasing GPU memory, training time, and rendering latency—potentially leading to denial-of-service (DoS) in 3DGS-as-a-service systems.
RemedyGS is the first effective black-box defense framework against such computation cost attacks. Our pipeline consists of two key components:
- Detector — identifies poisoned input images with abnormal high-frequency textures induced by the attack.
- Purifier — recovers benign images from poisoned counterparts via an encoder–decoder with skip connections.
We further incorporate adversarial training with a discriminator to align the distribution of purified images with natural clean images, improving perceptual quality and reconstruction fidelity. Extensive experiments on NeRF-Synthetic, Mip-NeRF 360, and Tanks-and-Temples demonstrate that RemedyGS achieves state-of-the-art performance in both safety (Gaussian count, GPU memory) and utility (PSNR, SSIM, LPIPS) against white-box, black-box, and adaptive attacks.
Pipeline: poisoned images → Detector (poisoned vs. clean) → Purifier (encoder–decoder + skip connections) → defended images → vanilla 3DGS training. Adversarial training with a Discriminator aligns purified outputs with the clean image distribution. (See Figure 1 in the paper.)
Compared with baselines (image smoothing and limiting Gaussian number), RemedyGS:
- Reduces poisoned Gaussian counts from ~7M → ~2.5M on Mip-NeRF 360 (avg.), close to clean (~3.2M).
- Cuts peak GPU memory on attacked scenes from ~24 GB → ~10 GB (MIP avg.).
- Improves PSNR by up to ~4 dB and SSIM by ~0.24 over naive defenses.
- Preserves utility on clean inputs: the detector bypasses purification for benign images, keeping reconstruction quality nearly identical to vanilla 3DGS.
For full quantitative results, please refer to our paper (Tables 1–5).
After cloning the repository, follow these steps to set up the environment and run defense inference plus victim evaluation.
git clone https://github.com/Polly-LYP/RemedyGS.git
cd RemedyGS
git submodule update --init --recursiveWe recommend Python 3.10+ on Linux with an NVIDIA GPU (CUDA).
conda create -n remedygs python=3.10 -y
conda activate remedygsInstall PyTorch with CUDA support (choose the command matching your CUDA version from pytorch.org):
# Example: CUDA 12.1
pip install torch torchvision --index-url https://download.pytorch.org/whl/cu121pip install -r requirements.txtThese packages are not on PyPI and must be compiled from the git submodules in this repo. See LOCAL_PACKAGES.md for details.
cd victim/gaussian-splatting
pip install -e submodules/diff-gaussian-rasterization
pip install -e submodules/simple-knn
cd ../..Note: If
setup.pyor.cufiles undersubmodules/are empty, rungit submodule update --init --recursiveagain to fetch the full upstream sources before building.
Defense checkpoint (included in repo):
ckpt/G_ckpt.pth.tar
Poisoned evaluation scenes (COLMAP format: images/ + sparse/0/):
example/MIP_Nerf_360_eps16/
bonsai/
images/
sparse/
counter/
images/
sparse/
kitchen/
images/
sparse/
...
Scene names used during inference are listed in example/dataset_list.txt. Poisoned Mip-NeRF 360 scenes can be generated with the official Poison-splat codebase (e.g., eps=16).
Purify poisoned images with the trained purifier and write defended scenes to disk:
bash scripts/inference.shThis runs inference/inference.py with:
| Argument | Default |
|---|---|
| Input scenes | ./example/MIP_Nerf_360_eps16 |
| Scene list | ./example/dataset_list.txt |
| Checkpoint | ./ckpt/G_ckpt.pth.tar |
| Output | ./example/output/defended_figs/<dataset>/<scene>/images/ (+ copied sparse/) |
You can also override arguments directly:
export PYTHONPATH="${PWD}/inference:${PYTHONPATH:-}"
python inference/inference.py \
--image_dataset_path ./example/MIP_Nerf_360_eps16 \
--dataset_list ./example/dataset_list.txt \
--output_path ./example/output \
--load_existing_model_path ./ckpt/G_ckpt.pth.tarTrain a victim 3DGS model on (poisoned or defended) scenes and report safety metrics (Gaussian count, GPU memory, training time) and utility metrics (PSNR, SSIM, LPIPS):
bash scripts/victim.shBy default, scripts/victim.sh runs bonsai and kitchen from ./example/MIP_Nerf_360_eps16/ in parallel. Edit the script to change scene names or GPU ids (--gpu).
To evaluate on defended images after running inference:
# Example: single scene on GPU 0
python ./victim/gaussian-splatting/benchmark.py --gpu 0 \
-s ./example/output/defended_figs/MIP_Nerf_360_eps16/kitchen/ \
-m ./output/victim/kitchen_defended/To compare renders against clean ground-truth images (for PSNR/LPIPS/SSIM with raw metrics):
CLEAN_DATASET_ROOT=/path/to/clean/MIP_Nerf_360 \
python ./victim/gaussian-splatting/benchmark.py --gpu 0 \
-s ./example/output/defended_figs/MIP_Nerf_360_eps16/kitchen/ \
-m ./output/victim/kitchen_defended/Note: Each benchmark run performs 3 independent training runs (
--exp_runs 3) with 30,000 iterations by default. Expect several hours of GPU time per scene.
RemedyGS/
├── ckpt/ # Defense checkpoint (G_ckpt.pth.tar)
├── inference/ # Detector & purifier inference code
├── victim/gaussian-splatting/ # 3DGS victim training (benchmark)
├── scripts/
│ ├── inference.sh # Defense inference
│ └── victim.sh # Victim benchmark (parallel scenes)
├── example/
│ ├── MIP_Nerf_360_eps16/ # Poisoned scenes (user-provided / local)
│ ├── dataset_list.txt # Scene names for inference
│ └── output/ # Defended images (generated)
├── requirements.txt # Pip-installable dependencies
└── LOCAL_PACKAGES.md # CUDA extensions install guide
We thank the authors of the following open-source projects:
If you find RemedyGS useful, please cite our paper:
@article{li2025remedygs,
title={RemedyGS: Defend 3D Gaussian Splatting Against Computation Cost Attacks},
author={Li, Yanping and Liu, Zhening and Li, Zijian and Lin, Zehong and Zhang, Jun},
journal={arXiv preprint arXiv:2511.22147},
year={2025}
}