Benchmarking the Spatial Robustness of DNNs via Natural and Adversarial Localized Corruptions

TL;DR

This work examines the spatial robustness of semantic segmentation models under localized natural and adversarial corruptions. It introduces region-aware metrics and a region-aware multi-attack adversarial analysis to quantify how perturbations in image regions affect both perturbed and unperturbed areas, and it validates these methods on 14 models using Cityscapes. The results reveal contrasting behaviors: transformer-based architectures are robust to natural localized corruptions but vulnerable to localized adversarial attacks, while CNN-based models show the opposite trend; an ensemble approach can help balance these robustness aspects. The study provides practical insights for deploying dense vision systems in safety-critical contexts and points toward training-time localized augmentations and more nuanced ensembles as promising directions.

Abstract

The robustness of deep neural networks is a crucial factor in safety-critical applications, particularly in complex and dynamic environments (e.g., medical or driving scenarios) where localized corruptions can arise. While previous studies have evaluated the robustness of semantic segmentation (SS) models under whole-image natural or adversarial corruptions, a comprehensive investigation into the spatial robustness of dense vision models under localized corruptions remains underexplored. This paper fills this gap by introducing novel, region-aware metrics for benchmarking the spatial robustness of segmentation models, along with an evaluation framework to assess the impact of natural localized corruptions. Furthermore, it uncovers the inherent complexity of evaluating worst-case spatial robustness using only a single localized adversarial attack. To address this, the work proposes a region-aware multi-attack adversarial analysis to systematically assess model robustness across specific image regions. The proposed metrics and analysis were exploited to evaluate 14 segmentation models in driving scenarios, uncovering key insights into the effects of localized corruption in both natural and adversarial forms. The results reveal that models respond to these two types of threats differently; for instance, transformer-based segmentation models demonstrate notable robustness to localized natural corruptions but are highly vulnerable to adversarial ones, and vice versa for CNN-based models. Consequently, we also address the challenge of balancing robustness to both natural and adversarial localized corruptions by means of ensemble models, thereby achieving a broader threat coverage and improved reliability for dense vision tasks.

Figures (9)

• Figure 1: Illustrations of the proposed framework for evaluating localized natural corruptions. On the left, two example configurations define the settings for localized corruption analysis: patch size, corruption ratio, corruption type, and the severity level. The framework returns a dataset sample as a tuple consisting of the original image, the ground truth label, the corrupted image, and a mask highlighting the corrupted areas.
• Figure 2: Analysis of limitations for single localized perturbations in SS: (a) Inter-class analysis: clean prediction, attacked image, and predictions across different target classes, shown in sequence. (b) Intra-class analysis: Targeted multi-attack on the class ' Car'. The first row displays the fooling area, the attacked image, and the cumulative adversarial output. The second row shows the output after each attack iteration, while the last row visualizes how the fooling region is selected and which pixels are actually affected at each attack.
• Figure 3: Illustrations of the effects of localized natural corruptions across different semantic segmentation models (BiseNetX39, PSPNet, SegFormer-B1, DeepLabV3-ResNet) with a perturbation ratio of $r=0.3$ and severity level 3. The first row shows the clean image along with its ground truth label and corresponding model outputs. The second row presents the same image after applying localized Gaussian noise, and the third row shows it with synthetic snow applied.
• Figure 4: Analysis of the impact of the corruption ratio. We report the relative corruption error RCE with respect to the corrupted region (left plots) and the non-corrupted region (right plots). We used synthetic snow and gaussian noise, in the top and bottom plots, respectively, with severity level 3.
• Figure 5: Analysis of the accuracy in the non-corrupted region with (dark color) and without (light colors) localized adversarial perturbations. Attacks were performed using $\epsilon = 16/255$ and $\epsilon = 32/255$. The patch is always applied at the center of the image, with a size of (100, 100) in (a) and (200, 200) in (b), respectively.