A Unified Spatial Alignment Framework for Highly Transferable Transformation-Based Attacks on Spatially Structured Tasks

TL;DR

This paper introduces a unified Spatial Alignment Framework (SAF) that enhances the transferability of transformation-based adversarial attacks on spatially structured tasks by synchronously transforming labels with inputs.

Contribution

The paper proposes a novel SAF that addresses label misalignment issues in structured tasks, significantly improving attack transferability across various spatially structured tasks.

Findings

SAF reduces mIoU on Cityscapes from 24.50 to 11.34

SAF decreases mIoU on Kvasir-SEG from 49.91 to 31.80

SAF lowers COCO mAP from 17.89 to 5.25

Abstract

Transformation-based adversarial attacks (TAAs) demonstrate strong transferability when deceiving classification models. However, existing TAAs often perform unsatisfactorily or even fail when applied to structured tasks such as semantic segmentation and object detection. Encouragingly, recent studies that categorize transformations into non-spatial and spatial transformations inspire us to address this challenge. We find that for non-structured tasks, labels are spatially non-structured, and thus TAAs are not required to adjust labels when applying spatial transformations. In contrast, for structured tasks, labels are spatially structured, and failing to transform labels synchronously with inputs can cause spatial misalignment and yield erroneous gradients. To address these issues, we propose a novel unified Spatial Alignment Framework (SAF) for highly transferable TAAs on spatially structured tasks, where the TAAs spatially transform labels synchronously with the input using the proposed Spatial Alignment (SA) algorithm. Extensive experiments demonstrate the crucial role of our SAF for TAAs on structured tasks. Specifically, in non-targeted attacks, our SAF degrades the average mIoU on Cityscapes from 24.50 to 11.34, and on Kvasir-SEG from 49.91 to 31.80, while reducing the average mAP of COCO from 17.89 to 5.25.