Delving into Decision-based Black-box Attacks on Semantic Segmentation

TL;DR

This paper tackles the robustness of semantic segmentation under black-box decision-based attacks, where only final pixel labels are observable. It analyzes three core challenges—inconsistent optimization goals, perturbation interference, and a large multi-constraint parameter space—and introduces Discrete Linear Attack (DLA), a two-stage method using discrete linear noises and a proxy index to guide perturbation exploration and calibration. DLA discretizes perturbations to the extreme points of the $l_\infty$ ball and employs horizontal/vertical linear noises plus hierarchical sign flips to achieve high query efficiency, outperforming seven baselines on Cityscapes and ADE20K across five models and eight attacks. Notably, on Cityscapes with PSPNet, it reduces mean IoU from $77.83\%$ to $2.14\%$ within $50$ queries, underscoring the method's strength for evaluating adversarial robustness and motivating defenses in security-sensitive applications.

Abstract

Semantic segmentation is a fundamental visual task that finds extensive deployment in applications with security-sensitive considerations. Nonetheless, recent work illustrates the adversarial vulnerability of semantic segmentation models to white-box attacks. However, its adversarial robustness against black-box attacks has not been fully explored. In this paper, we present the first exploration of black-box decision-based attacks on semantic segmentation. First, we analyze the challenges that semantic segmentation brings to decision-based attacks through the case study. Then, to address these challenges, we first propose a decision-based attack on semantic segmentation, called Discrete Linear Attack (DLA). Based on random search and proxy index, we utilize the discrete linear noises for perturbation exploration and calibration to achieve efficient attack efficiency. We conduct adversarial robustness evaluation on 5 models from Cityscapes and ADE20K under 8 attacks. DLA shows its formidable power on Cityscapes by dramatically reducing PSPNet's mIoU from an impressive 77.83% to a mere 2.14% with just 50 queries.

Figures (6)

• Figure 1: Based on Random attack, we give the changes in mIoU under various perturbation magnitudes. If we add a very large perturbation, this can make the mIoU very small. However, when reducing the perturbation magnitude, the mIoU increases, which makes the optimization goal and attack direction inconsistent.
• Figure 2: Random attack with different proxy indexes. Our design focuses on optimizing the adversarial perturbation by initiating from clean images and iteratively updating the example based on the observed changes in the proxy index.
• Figure 3: When facing black-box attacks on semantic segmentation, the update of perturbations causes the attacked pixels to revert to their original categories, resulting in optimization difficulties.
• Figure 4: Description of Perturbation Interaction. We use perturbations in the form of random, patch with overlap, patch without overlap, and line to attack, which shows that there is interference between perturbations. Less overlap can lead to better attack performance and linear noises achieve better results in both imperceptibility and attack.
• Figure 5: Visualization of different attacks on Cityscapes and the threat model is SegFormer.