Fast and Flexible Robustness Certificates for Semantic Segmentation

TL;DR

This paper introduces a new, efficient method for certifying the robustness of semantic segmentation neural networks against adversarial attacks, enabling real-time, provably robust segmentation with competitive accuracy.

Contribution

We propose a novel framework for certifiable robustness in semantic segmentation using Lipschitz-constrained networks, significantly improving computational efficiency and flexibility over existing methods.

Findings

Achieved competitive pixel accuracy on Cityscapes dataset.

Certification process is approximately 600 times faster than randomized smoothing.

Validated robustness certificates against state-of-the-art adversarial attacks.

Abstract

Deep Neural Networks are vulnerable to small perturbations that can drastically alter their predictions for perceptually unchanged inputs. The literature on adversarially robust Deep Learning attempts to either enhance the robustness of neural networks (e.g, via adversarial training) or to certify their decisions up to a given robustness level (e.g, by using randomized smoothing, formal methods or Lipschitz bounds). These studies mostly focus on classification tasks and few efficient certification procedures currently exist for semantic segmentation. In this work, we introduce a new class of certifiably robust Semantic Segmentation networks with built-in Lipschitz constraints that are efficiently trainable and achieve competitive pixel accuracy on challenging datasets such as Cityscapes. Additionally, we provide a novel framework that generalizes robustness certificates for semantic segmentation tasks, where we showcase the flexibility and computational efficiency of using Lipschitz networks. Our approach unlocks real-time compatible certifiably robust semantic segmentation for the first time. Moreover, it allows the computation of worst-case performance under $\ell_2$ attacks of radius $\epsilon$ across a wide range of performance measures. Crucially, we benchmark the runtime of our certification process and find our approach to be around 600 times faster than randomized smoothing methods at inference with comparable certificates on an NVIDIA A100 GPU. Finally, we evaluate the tightness of our worstcase certificates against state-of-the-art adversarial attacks to further validate the performance of our method.