Transferable Adversarial Attacks on SAM and Its Downstream Models

TL;DR

This paper investigates the vulnerability of downstream models fine-tuned from the segment anything model (SAM) to transfer-based adversarial attacks, proposing a novel method that enhances attack transferability without needing access to downstream datasets.

Contribution

It introduces a universal meta-initialization algorithm and a gradient robust loss to improve transfer-based adversarial attacks on SAM and its downstream models, even without dataset access.

Findings

Effective adversarial attacks on SAM and downstream models demonstrated

Proposed methods outperform existing transfer-based attack techniques

Enhanced robustness and transferability of adversarial examples achieved

Abstract

The utilization of large foundational models has a dilemma: while fine-tuning downstream tasks from them holds promise for making use of the well-generalized knowledge in practical applications, their open accessibility also poses threats of adverse usage. This paper, for the first time, explores the feasibility of adversarial attacking various downstream models fine-tuned from the segment anything model (SAM), by solely utilizing the information from the open-sourced SAM. In contrast to prevailing transfer-based adversarial attacks, we demonstrate the existence of adversarial dangers even without accessing the downstream task and dataset to train a similar surrogate model. To enhance the effectiveness of the adversarial attack towards models fine-tuned on unknown datasets, we propose a universal meta-initialization (UMI) algorithm to extract the intrinsic vulnerability inherent in the foundation model, which is then utilized as the prior knowledge to guide the generation of adversarial perturbations. Moreover, by formulating the gradient difference in the attacking process between the open-sourced SAM and its fine-tuned downstream models, we theoretically demonstrate that a deviation occurs in the adversarial update direction by directly maximizing the distance of encoded feature embeddings in the open-sourced SAM. Consequently, we propose a gradient robust loss that simulates the associated uncertainty with gradient-based noise augmentation to enhance the robustness of generated adversarial examples (AEs) towards this deviation, thus improving the transferability. Extensive experiments demonstrate the effectiveness of the proposed universal meta-initialized and gradient robust adversarial attack (UMI-GRAT) toward SAMs and their downstream models. Code is available at https://github.com/xiasong0501/GRAT.