Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Cross-Model Transferability of Adversarial Patches in Real-time Segmentation for Autonomous Driving

Prashant Shekhar, Bidur Devkota, Dumindu Samaraweera, Laxima Niure Kandel, Manoj Babu

TL;DR

Adversarial patches threaten real-time semantic segmentation in autonomous driving. The authors propose an Expectation Over Transformations (EOT) based untargeted patch attack with a simplified adaptive loss and evaluate cross-model transferability across CNN- and ViT-based architectures on Cityscapes. They find that patches largely do not transfer across different models, with CNN patches causing localized degradation and ViT patches sometimes affecting broader regions, yet unseen-image transfer within the trained model remains strong under EOT. Per-class analysis shows varying susceptibility (e.g., sky more robust) and highlights architecture-dependent robustness, emphasizing the need for defenses. Overall, the work informs design guidelines for secure deployment of real-time segmentation systems in autonomous vehicles and motivates future multi-model robustness strategies.

Abstract

Adversarial attacks pose a significant threat to deep learning models, particularly in safety-critical applications like healthcare and autonomous driving. Recently, patch based attacks have demonstrated effectiveness in real-time inference scenarios owing to their 'drag and drop' nature. Following this idea for Semantic Segmentation (SS), here we propose a novel Expectation Over Transformation (EOT) based adversarial patch attack that is more realistic for autonomous vehicles. To effectively train this attack we also propose a 'simplified' loss function that is easy to analyze and implement. Using this attack as our basis, we investigate whether adversarial patches once optimized on a specific SS model, can fool other models or architectures. We conduct a comprehensive cross-model transferability analysis of adversarial patches trained on SOTA Convolutional Neural Network (CNN) models such PIDNet-S, PIDNet-M and PIDNet-L, among others. Additionally, we also include the Segformer model to study transferability to Vision Transformers (ViTs). All of our analysis is conducted on the widely used Cityscapes dataset. Our study reveals key insights into how model architectures (CNN vs CNN or CNN vs. Transformer-based) influence attack susceptibility. In particular, we conclude that although the transferability (effectiveness) of attacks on unseen images of any dimension is really high, the attacks trained against one particular model are minimally effective on other models. And this was found to be true for both ViT and CNN based models. Additionally our results also indicate that for CNN-based models, the repercussions of patch attacks are local, unlike ViTs. Per-class analysis reveals that simple-classes like 'sky' suffer less misclassification than others. The code for the project is available at: https://github.com/p-shekhar/adversarial-patch-transferability

Cross-Model Transferability of Adversarial Patches in Real-time Segmentation for Autonomous Driving

TL;DR

Adversarial patches threaten real-time semantic segmentation in autonomous driving. The authors propose an Expectation Over Transformations (EOT) based untargeted patch attack with a simplified adaptive loss and evaluate cross-model transferability across CNN- and ViT-based architectures on Cityscapes. They find that patches largely do not transfer across different models, with CNN patches causing localized degradation and ViT patches sometimes affecting broader regions, yet unseen-image transfer within the trained model remains strong under EOT. Per-class analysis shows varying susceptibility (e.g., sky more robust) and highlights architecture-dependent robustness, emphasizing the need for defenses. Overall, the work informs design guidelines for secure deployment of real-time segmentation systems in autonomous vehicles and motivates future multi-model robustness strategies.

Abstract

Adversarial attacks pose a significant threat to deep learning models, particularly in safety-critical applications like healthcare and autonomous driving. Recently, patch based attacks have demonstrated effectiveness in real-time inference scenarios owing to their 'drag and drop' nature. Following this idea for Semantic Segmentation (SS), here we propose a novel Expectation Over Transformation (EOT) based adversarial patch attack that is more realistic for autonomous vehicles. To effectively train this attack we also propose a 'simplified' loss function that is easy to analyze and implement. Using this attack as our basis, we investigate whether adversarial patches once optimized on a specific SS model, can fool other models or architectures. We conduct a comprehensive cross-model transferability analysis of adversarial patches trained on SOTA Convolutional Neural Network (CNN) models such PIDNet-S, PIDNet-M and PIDNet-L, among others. Additionally, we also include the Segformer model to study transferability to Vision Transformers (ViTs). All of our analysis is conducted on the widely used Cityscapes dataset. Our study reveals key insights into how model architectures (CNN vs CNN or CNN vs. Transformer-based) influence attack susceptibility. In particular, we conclude that although the transferability (effectiveness) of attacks on unseen images of any dimension is really high, the attacks trained against one particular model are minimally effective on other models. And this was found to be true for both ViT and CNN based models. Additionally our results also indicate that for CNN-based models, the repercussions of patch attacks are local, unlike ViTs. Per-class analysis reveals that simple-classes like 'sky' suffer less misclassification than others. The code for the project is available at: https://github.com/p-shekhar/adversarial-patch-transferability

Paper Structure

This paper contains 10 sections, 7 equations, 4 figures, 1 table.

Table of Contents

  1. Introduction
  2. Adversarial Patch Attacks in Segmentation Models
  3. Real-Time Semantic Segmentation Models and Their Vulnerabilities
  4. Contributions of This Work
  5. Attack Model
  6. Experimental Results
  7. Patch training setup
  8. Segmentation performance decay during patch training
  9. Patch attack transferability and generalization
  10. Discussion and conclusion

Figures (4)

  • Figure 1: Demonstrating the impact of adversarial patch attacks. (a) shows an optimized patch attack for Cityscapes dataset with respect to pretrained PIDNet-L model. (b) shows the true segmentation mask and (c) shows the predicted segmentation mask in absence of any attack. (d) shows the predicted mask when the attacked image (shown in (a)) is passed through the same pretrained PIDNet-L model
  • Figure 2: (a): MIoU decay of real-time SS models as model-specific adversarial patches are trained on the Cityscapes-train dataset. (b,c,d): Per-class Intersection over Union (IoU) decay during patch training on the Cityscapes-train dataset with respect to PIDNet family of models. Class legends are shown at the bottom
  • Figure 3: Analysis of performance drop with Intra-Model (trained-on and attack the same model) and Inter-Model (trained-on and attack different models) patch based attack discussed in this paper. Here individual subplots demonstrate a model-specific patch attack evaluated on all 7 models under consideration. These patch attacks were trained using Cityscapes-train dataset and evaluated using Cityscapes-val dataset.
  • Figure 4: Demonstration of patch performance on 4 random images from Cityscapes-val. Top row shows the images attacked with PIDNet-L, ICNet, BiSeNetV1 and Segformer patches respectively. Rows 2-5 show the predicted segmentation mask from these 4 models (row2:PIDNet-L, row3:ICNet, row4:BiSeNetV1, row5:Segformer) across each of the attacks.