PB-UAP: Hybrid Universal Adversarial Attack For Image Segmentation
Yufei Song, Ziqi Zhou, Minghui Li, Xianlong Wang, Hangtao Zhang, Menghao Deng, Wei Wan, Shengshan Hu, Leo Yu Zhang
TL;DR
PB-UAP tackles the vulnerability of semantic segmentation to universal perturbations by introducing a hybrid spatial-frequency attack. It optimizes a single perturbation that degrades pixel-wise predictions by simultaneously disturbing final-layer features and ground-truth-aligned outputs, while amplifying low-frequency disruptions to break intra-class coherence. The method combines a dual feature deviation loss and a low-frequency scattering loss into a unified objective, achieving high attack success rates and strong transferability across models on VOC2012 and Cityscapes. Empirical results show PB-UAP outperforms existing segmentation UAPs in both effectiveness and cross-model generalization, with robust performance under practical perturbation budgets. This work provides a new vector for understanding segmentation robustness and informs defenses against universal perturbations in safety-critical vision systems.
Abstract
With the rapid advancement of deep learning, the model robustness has become a significant research hotspot, \ie, adversarial attacks on deep neural networks. Existing works primarily focus on image classification tasks, aiming to alter the model's predicted labels. Due to the output complexity and deeper network architectures, research on adversarial examples for segmentation models is still limited, particularly for universal adversarial perturbations. In this paper, we propose a novel universal adversarial attack method designed for segmentation models, which includes dual feature separation and low-frequency scattering modules. The two modules guide the training of adversarial examples in the pixel and frequency space, respectively. Experiments demonstrate that our method achieves high attack success rates surpassing the state-of-the-art methods, and exhibits strong transferability across different models.