Cross-Task Attack: A Self-Supervision Generative Framework Based on Attention Shift

TL;DR

This work tackles the robustness challenge of multi-task AI systems by proposing Cross-Task Attack (CTA), a self-supervised framework that uses co-attention and anti-attention maps to guide adversarial perturbations across multiple vision tasks. CTA operates in two stages: extracting per-task attention via Grad-CAM to form a co-attention map and its complement anti-attention, then training a generator to shift input attention away from co-attention toward anti-attention without ground-truth labels. The method demonstrates strong cross-task attacks on image classification, object detection, and semantic segmentation, and maintains effectiveness against some adversarially trained defenses, outperforming prior cross-task approaches in many settings. The results imply CTA offers a practical and scalable way to stress-test and improve the robustness of multi-task AI systems, with clear insights into attention dynamics during adversarial perturbation.

Abstract

Studying adversarial attacks on artificial intelligence (AI) systems helps discover model shortcomings, enabling the construction of a more robust system. Most existing adversarial attack methods only concentrate on single-task single-model or single-task cross-model scenarios, overlooking the multi-task characteristic of artificial intelligence systems. As a result, most of the existing attacks do not pose a practical threat to a comprehensive and collaborative AI system. However, implementing cross-task attacks is highly demanding and challenging due to the difficulty in obtaining the real labels of different tasks for the same picture and harmonizing the loss functions across different tasks. To address this issue, we propose a self-supervised Cross-Task Attack framework (CTA), which utilizes co-attention and anti-attention maps to generate cross-task adversarial perturbation. Specifically, the co-attention map reflects the area to which different visual task models pay attention, while the anti-attention map reflects the area that different visual task models neglect. CTA generates cross-task perturbations by shifting the attention area of samples away from the co-attention map and closer to the anti-attention map. We conduct extensive experiments on multiple vision tasks and the experimental results confirm the effectiveness of the proposed design for adversarial attacks.

Figures (6)

• Figure 1: Schematic illustration of the proposed idea for cross-task attacks. In the schematic diagram, $R_1$, $R_2$ and $R_3$ represent the attention regions of the input image for three different visual tasks, respectively, and $R_4$ represents all regions of the image. Co-attention represents the union of $R_1$, $R_2$, and $R_3$, while anti-attention represents the complement of co-attention in $R_4$. $A$ represents the attention point of the original sample, located within the co-attention area, so the original image can be accurately recognized by all visual tasks. Conversely, $A'$ represents the attention point of the adversarial sample, located within the anti-attention area, so the adversarial sample can effectively evade recognition of all visual tasks.
• Figure 2: Grad-CAM heatmaps for different visual tasks are displayed. The first row presents the heatmaps, while the second row overlays these heatmaps onto the original image. The column (a) is the classification task based on ResNet50, the column (b) is the semantic segmentation task based on DeepLabv3, the column (c) is the object detection task based on Faster-RCNN, and the column (d) is the co-attention heatmap that all visual tasks focus on.
• Figure 3: The framework diagram about our proposed self-supervised cross-task attack method. We use existing pre-trained models to extract the anti-attention map of the input image as the ground-true label of the framework. We use the generator to generate adversarial perturbation to change the mapping of image in feature space. By shortening the MSE distance between the adversarial attention map and the anti-attention map, the attention area of the adversarial image falls in the area that is ignored by all visual tasks.
• Figure 4: The mAP of Faster-RCNN on the adversarial samples generated by different adversarial attack methods. The abscissa is the 20 categories of the VOC 2012 validation dataset, and the ordinate is mean Average Precision. Under the condition of $\epsilon$ = 16, we compared the performance differences between our proposed CTA method and existing adversarial attack methods DR, RB-DR, $\text{S}^{2}$I-FGSM and $\text{S}^{2}$I-SI-TI-DIM.
• Figure 5: The mIoU of DeepLabv3 on the adversarial samples generated by different adversarial attack methods. The abscissa is the 21 categories of the VOC 2012 validation dataset including the background category, and the ordinate is mean Intersection over Union. Under the condition of $\epsilon$ = 16, we compared the performance differences between our proposed CTA method and existing adversarial attack methods DR, RB-DR, $\text{S}^{2}$I-FGSM and $\text{S}^{2}$I-SI-TI-DIM.