Universal Adversarial Perturbations Against Semantic Image Segmentation
This work addresses security vulnerabilities in semantic segmentation systems, which are critical for applications like autonomous driving, by showing that universal adversarial perturbations can effectively manipulate segmentation outputs, posing a significant threat to real-world deployments.
The authors tackled the problem of adversarial attacks on semantic image segmentation by generating universal perturbations that cause the network to output a desired target segmentation or remove specific classes, demonstrating that barely perceptible noise patterns can achieve nearly the same predicted segmentation across arbitrary inputs.
While deep learning is remarkably successful on perceptual tasks, it was also shown to be vulnerable to adversarial perturbations of the input. These perturbations denote noise added to the input that was generated specifically to fool the system while being quasi-imperceptible for humans. More severely, there even exist universal perturbations that are input-agnostic but fool the network on the majority of inputs. While recent work has focused on image classification, this work proposes attacks against semantic image segmentation: we present an approach for generating (universal) adversarial perturbations that make the network yield a desired target segmentation as output. We show empirically that there exist barely perceptible universal noise patterns which result in nearly the same predicted segmentation for arbitrary inputs. Furthermore, we also show the existence of universal noise which removes a target class (e.g., all pedestrians) from the segmentation while leaving the segmentation mostly unchanged otherwise.