SegPGD: An Effective and Efficient Adversarial Attack for Evaluating and Boosting Segmentation Robustness

TL;DR

This paper introduces SegPGD, a novel adversarial attack method for segmentation models that is more effective and efficient, and demonstrates its use in improving model robustness through adversarial training.

Contribution

We propose SegPGD, a new segmentation attack method with proven convergence, and show its effectiveness in enhancing segmentation model robustness via adversarial training.

Findings

SegPGD creates more effective adversarial examples than PGD.

Adversarial training with SegPGD improves segmentation robustness.

Experiments validate the effectiveness across various models and datasets.

Abstract

Deep neural network-based image classifications are vulnerable to adversarial perturbations. The image classifications can be easily fooled by adding artificial small and imperceptible perturbations to input images. As one of the most effective defense strategies, adversarial training was proposed to address the vulnerability of classification models, where the adversarial examples are created and injected into training data during training. The attack and defense of classification models have been intensively studied in past years. Semantic segmentation, as an extension of classifications, has also received great attention recently. Recent work shows a large number of attack iterations are required to create effective adversarial examples to fool segmentation models. The observation makes both robustness evaluation and adversarial training on segmentation models challenging. In this work, we propose an effective and efficient segmentation attack method, dubbed SegPGD. Besides, we provide a convergence analysis to show the proposed SegPGD can create more effective adversarial examples than PGD under the same number of attack iterations. Furthermore, we propose to apply our SegPGD as the underlying attack method for segmentation adversarial training. Since SegPGD can create more effective adversarial examples, the adversarial training with our SegPGD can boost the robustness of segmentation models. Our proposals are also verified with experiments on popular Segmentation model architectures and standard segmentation datasets.