Semantic segmentation is a fundamental visual task that finds extensive deployment in applications with security-sensitive considerations. Nonetheless, recent work illustrates the adversarial vulnerability of semantic segmentation models to white-box attacks. However, its adversarial robustness against black-box attacks has not been fully explored. In this paper, we present the first exploration of black-box decision-based attacks on semantic segmentation. First, we analyze the challenges that semantic segmentation brings to decision-based attacks through the case study. Then, to address these challenges, we first propose a decision-based attack on semantic segmentation, called Discrete Linear Attack (DLA). Based on random search and proxy index, we utilize the discrete linear noises for perturbation exploration and calibration to achieve efficient attack efficiency. We conduct adversarial robustness evaluation on 5 models from Cityscapes and ADE20K under 8 attacks. DLA shows its formidable power on Cityscapes by dramatically reducing PSPNet's mIoU from an impressive 77.83% to a mere 2.14% with just 50 queries.

翻译：语义分割是一项基础视觉任务，广泛应用于具有安全敏感性的场景中。然而，近期研究表明语义分割模型在面对白盒攻击时存在对抗脆弱性。但针对黑盒攻击的对抗鲁棒性尚未得到充分探索。本文首次对语义分割的黑盒决策型攻击进行了研究。首先，通过案例研究分析了语义分割为决策型攻击带来的挑战。其次，为应对这些挑战，我们提出了一种面向语义分割的决策型攻击方法——离散线性攻击（DLA）。该方法基于随机搜索与代理指数，利用离散线性噪声进行扰动探索与校准，从而实现高效攻击。我们在Cityscapes和ADE20K数据集上，对8种攻击下的5种模型进行了对抗鲁棒性评估。实验表明，DLA在Cityscapes上展现出强大的攻击能力，仅需50次查询即可将PSPNet的mIoU从惊人的77.83%降至2.14%。