CV | Dec 3, 2023

TranSegPGD: Improving Transferability of Adversarial Examples on Semantic Segmentation

arXiv:2312.02207v19 citations | h-index: 21
Originality: Incremental advance
AI Analysis

The paper addresses a security vulnerability in semantic segmentation systems, which matters for applications like autonomous driving, but the advance is incremental because it builds on existing adversarial attack methods.

The paper tackles the overlooked problem of adversarial example transferability in semantic segmentation by proposing TranSegPGD, a two-stage attack strategy that improves transferability across models, achieving state-of-the-art performance on datasets like PASCAL VOC 2012 and Cityscapes.

Transferability of adversarial examples on image classification has been systematically explored, which generates adversarial examples in black-box mode. However, the transferability of adversarial examples on semantic segmentation has been largely overlooked. In this paper, we propose an effective two-stage adversarial attack strategy to improve the transferability of adversarial examples on semantic segmentation, dubbed TranSegPGD. Specifically, at the first stage, every pixel in an input image is divided into different branches based on its adversarial property. Different branches are assigned different weights for optimization to improve the adversarial performance of all pixels. We assign high weights to the loss of the hard-to-attack pixels to misclassify all pixels. At the second stage, the pixels are divided into different branches based on their transferable property which is dependent on Kullback-Leibler divergence. Different branches are assigned different weights for optimization to improve the transferability of the adversarial examples. We assign high weights to the loss of the high-transferability pixels to improve the transferability of adversarial examples. Extensive experiments with various segmentation models are conducted on PASCAL VOC 2012 and Cityscapes datasets to demonstrate the effectiveness of the proposed method. The proposed adversarial attack method can achieve state-of-the-art performance.
