While neural networks allow highly accurate predictions in many tasks, their lack of robustness towards even slight input perturbations hampers their deployment in many real-world applications. Recent research on evaluating the robustness of neural networks, such as the seminal projected gradient descent (PGD) attack and subsequent works, has drawn significant attention, as it provides effective insight into the quality of the representations learned by the network. However, these methods predominantly focus on image classification tasks, while only a few approaches specifically address the analysis of pixel-wise prediction tasks such as semantic segmentation, optical flow, disparity estimation, and others. Thus, there is a lack of a unified adversarial robustness benchmarking tool (algorithm) that is applicable to all such pixel-wise prediction tasks. In this work, we close this gap and propose CosPGD, a novel white-box adversarial attack that allows optimizing dedicated attacks for any pixel-wise prediction task in a unified setting. It leverages the cosine similarity between the distributions over the predictions and ground truth (or target) to extend directly from classification tasks to regression settings. We outperform the state of the art (SotA) on semantic segmentation attacks in our experiments on PASCAL VOC2012 and CityScapes. Further, we set a new benchmark for adversarial attacks on optical flow and image restoration, displaying the ability to extend to any pixel-wise prediction task.
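The per-pixel similarity the abstract describes, as an added example for robustness evaluation (not code from the paper): it computes the cosine similarity between the softmax prediction and the one-hot ground truth for every pixel of a constructed 2×2, 3-class segmentation output. Scaling each pixel's cross-entropy by that similarity is an assumption made here, since the abstract does not state how the similarity enters the loss; all function names and sample values are constructed.

```python
import math

def softmax(logits):
    m = max(logits)                      # subtract the max for numerical stability
    exps = [math.exp(v - m) for v in logits]
    total = sum(exps)
    return [e / total for e in exps]

def cosine(u, v):
    dot = sum(a * b for a, b in zip(u, v))
    nu = math.sqrt(sum(a * a for a in u))
    nv = math.sqrt(sum(b * b for b in v))
    return dot / (nu * nv) if nu and nv else 0.0

def pixel_similarity(logits_map, label_map, num_classes):
    """Cosine similarity between softmax(prediction) and one-hot label, per pixel."""
    sims = []
    for row_logits, row_labels in zip(logits_map, label_map):
        row = []
        for logits, label in zip(row_logits, row_labels):
            one_hot = [1.0 if c == label else 0.0 for c in range(num_classes)]
            row.append(cosine(softmax(logits), one_hot))
        sims.append(row)
    return sims

def mean_loss(logits_map, label_map, num_classes, weighted=True):
    """Mean per-pixel cross-entropy; optionally scaled by the similarity map
    (the scaling is an assumption of this example, see the lead-in)."""
    sims = pixel_similarity(logits_map, label_map, num_classes)
    total, count = 0.0, 0
    for i, row in enumerate(logits_map):
        for j, logits in enumerate(row):
            ce = -math.log(softmax(logits)[label_map[i][j]])
            total += (sims[i][j] if weighted else 1.0) * ce
            count += 1
    return total / count

# Constructed sample: 2x2 "image", 3 classes, one logit vector per pixel.
LOGITS = [[[4.0, 0.0, 0.0], [0.0, 0.0, 0.0]],
          [[0.0, 4.0, 0.0], [0.0, 0.0, 4.0]]]
LABELS = [[0, 1],
          [0, 2]]  # pixel (1,0) is predicted as class 1 but labelled class 0

if __name__ == "__main__":
    for row in pixel_similarity(LOGITS, LABELS, 3):
        print(["%.4f" % s for s in row])
    print("plain CE   :", round(mean_loss(LOGITS, LABELS, 3, weighted=False), 4))
    print("weighted CE:", round(mean_loss(LOGITS, LABELS, 3, weighted=True), 4))
```

On the sample, confidently correct pixels score near 1, the uniform prediction scores 1/√3, and the already misclassified pixel scores near 0, so under the assumed scaling it contributes little to the mean loss.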