Evaluating the Adversarial Robustness of Semantic Segmentation: Trying Harder Pays Off
This work addresses the need for more rigorous evaluation of adversarial robustness in semantic segmentation, which is crucial for safety-critical applications like autonomous driving.
The paper tackles the problem of evaluating adversarial robustness in semantic segmentation models, finding that most state-of-the-art models are significantly more vulnerable than previously reported, with small objects being particularly susceptible.
Machine learning models are vulnerable to tiny adversarial input perturbations optimized to cause a very large output error. To measure this vulnerability, we need reliable methods that can find such adversarial perturbations. For image classification models, evaluation methodologies have emerged that have stood the test of time. However, we argue that in the area of semantic segmentation, a good approximation of the sensitivity to adversarial perturbations requires significantly more effort than what is currently considered satisfactory. To support this claim, we re-evaluate a number of well-known robust segmentation models in an extensive empirical study. We propose new attacks and combine them with the strongest attacks available in the literature. We also analyze the sensitivity of the models in fine detail. The results indicate that most of the state-of-the-art models have a dramatically larger sensitivity to adversarial perturbations than previously reported. We also demonstrate a size-bias: small objects are often more easily attacked, even if the large objects are robust, a phenomenon not revealed by current evaluation metrics. Our results also demonstrate that a diverse set of strong attacks is necessary, because different models are often vulnerable to different attacks.