AdvSPADE: Realistic Unrestricted Attacks for Semantic Segmentation
This work addresses the challenge of evaluating and improving the robustness of semantic segmentation models, which is crucial for safety-critical applications like autonomous driving, but it is incremental as it builds on existing CGAN and SPADE techniques.
The paper tackles the problem of generating unrestricted adversarial examples for semantic segmentation models, which are inherently robust to traditional attacks, and demonstrates a method that improves attack success rates by up to 41.0% compared to state-of-the-art methods like PGD on Cityscapes and ADE20K datasets.
Due to the inherent robustness of segmentation models, traditional norm-bounded attack methods show limited effect on such type of models. In this paper, we focus on generating unrestricted adversarial examples for semantic segmentation models. We demonstrate a simple and effective method to generate unrestricted adversarial examples using conditional generative adversarial networks (CGAN) without any hand-crafted metric. The naïve implementation of CGAN, however, yields inferior image quality and low attack success rate. Instead, we leverage the SPADE (Spatially-adaptive denormalization) structure with an additional loss item to generate effective adversarial attacks in a single step. We validate our approach on the popular Cityscapes and ADE20K datasets, and demonstrate that our synthetic adversarial examples are not only realistic, but also improve the attack success rate by up to 41.0\% compared with the state of the art adversarial attack methods including PGD.