Detecting Adversarial Attacks in Semantic Segmentation via Uncertainty Estimation: A Deep Analysis

TL;DR

This paper analyzes the effectiveness of using uncertainty estimation, specifically entropy of output distributions, to detect adversarial attacks in semantic segmentation neural networks, emphasizing its robustness across attack types and models.

Contribution

It provides a comprehensive analysis of an uncertainty-based detection method for adversarial attacks in semantic segmentation, demonstrating its effectiveness without requiring model modifications.

Findings

Uncertainty-based detection effectively identifies adversarial attacks.

The method is lightweight and model-agnostic.

Detection performance is consistent across various attacks and networks.

Abstract

Deep neural networks have demonstrated remarkable effectiveness across a wide range of tasks such as semantic segmentation. Nevertheless, these networks are vulnerable to adversarial attacks that add imperceptible perturbations to the input image, leading to false predictions. This vulnerability is particularly dangerous in safety-critical applications like automated driving. While adversarial examples and defense strategies are well-researched in the context of image classification, there is comparatively less research focused on semantic segmentation. Recently, we have proposed an uncertainty-based method for detecting adversarial attacks on neural networks for semantic segmentation. We observed that uncertainty, as measured by the entropy of the output distribution, behaves differently on clean versus adversely perturbed images, and we utilize this property to differentiate between the two. In this extended version of our work, we conduct a detailed analysis of uncertainty-based detection of adversarial attacks including a diverse set of adversarial attacks and various state-of-the-art neural networks. Our numerical experiments show the effectiveness of the proposed uncertainty-based detection method, which is lightweight and operates as a post-processing step, i.e., no model modifications or knowledge of the adversarial example generation process are required.