
CosPGD: an efficient white-box adversarial attack for pixel-wise prediction tasks (2302.02213v3)

Published 4 Feb 2023 in cs.CV

Abstract: While neural networks allow highly accurate predictions in many tasks, their lack of robustness towards even slight input perturbations often hampers their deployment. Adversarial attacks such as the seminal projected gradient descent (PGD) offer an effective means to evaluate a model's robustness and dedicated solutions have been proposed for attacks on semantic segmentation or optical flow estimation. While they attempt to increase the attack's efficiency, a further objective is to balance its effect, so that it acts on the entire image domain instead of isolated point-wise predictions. This often comes at the cost of optimization stability and thus efficiency. Here, we propose CosPGD, an attack that encourages more balanced errors over the entire image domain while increasing the attack's overall efficiency. To this end, CosPGD leverages a simple alignment score computed from any pixel-wise prediction and its target to scale the loss in a smooth and fully differentiable way. It leads to efficient evaluations of a model's robustness for semantic segmentation as well as regression models (such as optical flow, disparity estimation, or image restoration), and it allows it to outperform the previous SotA attack on semantic segmentation. We provide code for the CosPGD algorithm and example usage at https://github.com/shashankskagnihotri/cospgd.


Summary

  • The paper introduces CosPGD, a unified method that leverages cosine similarity for scaling loss in pixel-wise adversarial attacks.
  • It demonstrates improved performance over PGD and SegPGD, significantly degrading metrics such as mIoU, mAcc, and endpoint error.
  • CosPGD offers a versatile framework to benchmark and enhance neural network robustness in safety-critical applications like autonomous driving and medical imaging.

An Analysis of "CosPGD: a unified white-box adversarial attack for pixel-wise prediction tasks"

The paper "CosPGD: a unified white-box adversarial attack for pixel-wise prediction tasks" presents a novel adversarial attack method, CosPGD, which targets the vulnerability of neural networks in pixel-wise prediction tasks such as semantic segmentation, optical flow, and image restoration. This paper is rooted in the context of adversarial machine learning, where the robustness of neural networks against imperceptible input perturbations has become a critical focus area. Adversarial attacks like PGD have mostly concentrated on classification tasks, leaving a gap for pixel-wise prediction tasks that this paper aims to fill.

Methodological Advancements

CosPGD distinguishes itself by using cosine similarity between the model's predictions and ground truth or target distributions for scaling the loss. This method stands in contrast to previous attacks like SegPGD, which utilize binary categorizations of correctness, a strategy that inherently limits their applicability to classification tasks. CosPGD leverages the continuous nature of cosine similarity, enabling its application across both classification and regression settings. This formulation allows CosPGD to effectively target a broad spectrum of pixel-wise prediction tasks in a unified framework, addressing semantic segmentation, optical flow estimation, and image restoration among others.
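To make the contrast concrete, the following added example (not the authors' code, which lives in the linked repository) computes the per-pixel alignment score the paper describes and uses it to scale a pixel-wise loss, beside the binary correct/incorrect weighting the page attributes to SegPGD. The exact scaling convention (alignment for untargeted, one minus alignment for targeted) is an assumption made here; the same cosine function is then reused on a regression-style flow field to show why the score carries over from segmentation to regression outputs.

```python
import numpy as np

def softmax(logits):
    """Channel-wise softmax over an array of shape (C, H, W)."""
    z = logits - logits.max(axis=0, keepdims=True)
    e = np.exp(z)
    return e / e.sum(axis=0, keepdims=True)

def per_pixel_cosine(pred, target, eps=1e-8):
    """Alignment score: cosine similarity along the channel axis for every pixel.
    Works for any (C, H, W) pair, so class-probability maps and flow fields are
    handled identically. Returns an (H, W) array in [-1, 1]."""
    pred, target = np.asarray(pred, float), np.asarray(target, float)
    num = np.sum(pred * target, axis=0)
    den = np.linalg.norm(pred, axis=0) * np.linalg.norm(target, axis=0) + eps
    return num / den

def pixel_cross_entropy(logits, labels):
    """Per-pixel cross-entropy of a (C, H, W) logit map against (H, W) labels."""
    probs = softmax(logits)
    p_true = np.take_along_axis(probs, labels[None], axis=0)[0]
    return -np.log(p_true + 1e-12)

def segmentation_weights(logits, labels, num_classes, targeted=False):
    """Continuous per-pixel loss weights from the alignment between the softmax
    output and the one-hot label/target map. Assumption (not stated on the page):
    untargeted runs weight a pixel by its alignment, targeted runs by 1 - alignment."""
    onehot = np.eye(num_classes)[labels].transpose(2, 0, 1)  # (C, H, W)
    cos = per_pixel_cosine(softmax(logits), onehot)
    return 1.0 - cos if targeted else cos

def binary_weights(logits, labels):
    """SegPGD-style comparison: 1 where the pixel is currently predicted
    correctly, 0 otherwise. Not differentiable and only defined for class labels."""
    return (logits.argmax(axis=0) == labels).astype(float)

def scaled_loss(pixel_loss, weights):
    """Mean of the per-pixel loss after scaling by the chosen weight map."""
    return float(np.mean(weights * pixel_loss))

# Constructed 3-class, 2x2 example: every pixel's true label is class 0.
LOGITS = np.zeros((3, 2, 2))
LOGITS[0, 0, 0] = 10.0   # confident and correct
LOGITS[1, 0, 1] = 10.0   # confident and wrong
LOGITS[0, 1, 0] = 0.5    # hesitant but correct
LOGITS[1, 1, 1] = 0.5    # hesitant and wrong
LABELS = np.zeros((2, 2), dtype=int)

if __name__ == "__main__":
    print("alignment weights:\n", segmentation_weights(LOGITS, LABELS, 3).round(3))
    print("binary weights:\n", binary_weights(LOGITS, LABELS))
```

The binary map drops the two misclassified pixels entirely, whereas the alignment map keeps every pixel in the loss with a weight that reflects how far its prediction sits from the target.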

Strong Numerical Results

The experiments conducted across several architectures and datasets, including PASCAL VOC2012, Cityscapes, and KITTI2015, demonstrate the improved performance of CosPGD over existing techniques like PGD and SegPGD. In particular, in semantic segmentation tasks, CosPGD was able to reduce the mIoU (mean Intersection over Union) and mAcc (mean pixel accuracy) significantly more than SegPGD, indicating a higher efficacy in misleading the model predictions. In optical flow estimation, CosPGD achieved lower endpoint error (EPE) values compared to PGD, highlighting its superior capability in approximating the target predictions.

Broader Implications and Future Work

The introduction of CosPGD offers a more generalized and effective tool for benchmarking the adversarial robustness of models engaged in pixel-wise prediction tasks. This tool opens avenues for further improvements in neural network robustness, a necessity for deploying these models in safety-critical applications like autonomous driving and medical imaging. The paper also mentions the potential for extending CosPGD to other types of attacks, including targeted in addition to non-targeted settings, thus providing a versatile framework adaptable to various model evaluations.

The discussions on leveraging pixel-wise cosine similarity for loss scaling also hint at broader implications for other machine learning tasks where continuous similarity scores might offer nuanced insights over binary or categorical evaluations. This presents another avenue for future exploration, potentially leading to novel applications and methods in adversarial machine learning.

Conclusion

In summary, this paper makes significant strides in addressing the gaps in adversarial robustness testing tools for pixel-wise prediction tasks by introducing CosPGD, a novel white-box attack method. Its methodological innovations, strong empirical results, and broad applicability underscore its potential as a valuable asset in evaluating and improving the robustness of neural networks. Future research might expand upon these foundations, exploring CosPGD's applicability in new contexts and further refining techniques to bolster neural network resilience against adversarial threats.
