Evaluating the Adversarial Robustness of Semantic Segmentation: Trying Harder Pays Off

TL;DR

This paper critically evaluates the adversarial robustness of semantic segmentation models, revealing that most are more vulnerable than previously thought, especially small objects, and emphasizes the need for diverse attack strategies.

Contribution

The study introduces new attack methods, combines them with existing ones, and provides an extensive empirical analysis of model sensitivities, highlighting gaps in current evaluation practices.

Findings

Most state-of-the-art models are more vulnerable to adversarial attacks than previously reported.

Small objects are more susceptible to attacks, revealing a size-bias not captured by current metrics.

Different models require different attack strategies due to varying vulnerabilities.

Abstract

Machine learning models are vulnerable to tiny adversarial input perturbations optimized to cause a very large output error. To measure this vulnerability, we need reliable methods that can find such adversarial perturbations. For image classification models, evaluation methodologies have emerged that have stood the test of time. However, we argue that in the area of semantic segmentation, a good approximation of the sensitivity to adversarial perturbations requires significantly more effort than what is currently considered satisfactory. To support this claim, we re-evaluate a number of well-known robust segmentation models in an extensive empirical study. We propose new attacks and combine them with the strongest attacks available in the literature. We also analyze the sensitivity of the models in fine detail. The results indicate that most of the state-of-the-art models have a dramatically larger sensitivity to adversarial perturbations than previously reported. We also demonstrate a size-bias: small objects are often more easily attacked, even if the large objects are robust, a phenomenon not revealed by current evaluation metrics. Our results also demonstrate that a diverse set of strong attacks is necessary, because different models are often vulnerable to different attacks.