Skip to main content
Nubint
QUICK REVIEW

[论文解读] A Unified Spatial Alignment Framework for Highly Transferable Transformation-Based Attacks on Spatially Structured Tasks

Jiaming Liang, Chi-Man Pun|arXiv (Cornell University)|Mar 26, 2026
Adversarial Robustness in Machine Learning被引用 0
一句话总结

论文提出空间对齐(SA)以同步标签与空间变换,使端到端的基于变换的对抗攻击(TAAs)在结构化任务如分割与检测上可实现,形成空间对齐框架(SAF)。

ABSTRACT

Transformation-based adversarial attacks (TAAs) demonstrate strong transferability when deceiving classification models. However, existing TAAs often perform unsatisfactorily or even fail when applied to structured tasks such as semantic segmentation and object detection. Encouragingly, recent studies that categorize transformations into non-spatial and spatial transformations inspire us to address this challenge. We find that for non-structured tasks, labels are spatially non-structured, and thus TAAs are not required to adjust labels when applying spatial transformations. In contrast, for structured tasks, labels are spatially structured, and failing to transform labels synchronously with inputs can cause spatial misalignment and yield erroneous gradients. To address these issues, we propose a novel unified Spatial Alignment Framework (SAF) for highly transferable TAAs on spatially structured tasks, where the TAAs spatially transform labels synchronously with the input using the proposed Spatial Alignment (SA) algorithm. Extensive experiments demonstrate the crucial role of our SAF for TAAs on structured tasks. Specifically, in non-targeted attacks, our SAF degrades the average mIoU on Cityscapes from 24.50 to 11.34, and on Kvasir-SEG from 49.91 to 31.80, while reducing the average mAP of COCO from 17.89 to 5.25.

研究动机与目标

  • 识别传统TAAs在空间结构任务(如分割、检测)上失败的原因。
  • 提出空间对齐(SA)以将标签与空间变换同步。
  • 将SA整合到统一的空间对齐框架(SAF)中以应用于结构化任务。
  • 在语义分割和目标检测中展示SAF的有效性。
  • 研究SAF如何改变在不同骨干网与数据集上的攻击转移性。

提出的方法

  • 将变换分解为非空间与空间分量以分析错位。
  • 通过对标签应用空间变换来推导SA使能的梯度形式: bar{μ} = (1/N) Σ ∇_{x_adv} J(f_s(T(x_adv)), T_s(y)) (Equation 8)。
  • 开发 Algorithm 1 Spatial Alignment,在迭代TAAs中实现SA(包括动量、多重变换对应物N、迭代次数L)。
  • 通过在输入同步变换标签来实现SAF,应用于语义分割和目标检测(分割的标签图;检测重新计算边界框)。
  • 在Cityscapes、Kvasir-SEG和MS COCO上使用多种TAAs(DEM、SIA、BSR、I-C)评估SAF。
  • 证明SA能够消除空间错位并提升TAAs在结构化任务上的转移性。
Figure 1 : Performance gains from integrating spatial alignment framework into various TAAs across spatially structured tasks. Four groups of bars correspond to DEM, SIA, BSR, and I-C, respectively. Surrogate models are indicated in gray boxes.
Figure 1 : Performance gains from integrating spatial alignment framework into various TAAs across spatially structured tasks. Four groups of bars correspond to DEM, SIA, BSR, and I-C, respectively. Surrogate models are indicated in gray boxes.

实验结果

研究问题

  • RQ1为何端到端的TAAs在空间结构任务上表现不及非结构化任务?
  • RQ2是否通过与输入同步变换标签(空间对齐)能使现有TAAs对分割和检测有效工作?
  • RQ3SAF是否提升多种TAAs在语义分割与目标检测基准上的转移性?
  • RQ4在非目标攻击与目标攻击以及常见输入预处理防御下,SAF的表现如何?

主要发现

  • SAF显著提升对结构化任务的攻击转移性,明显降低非SA基线的平均指标(如 Cityscapes mIoU 从 24.50 降至 11.34;Kvasir-SEG 从 49.91 降至 31.80;MS COCO mAP 从 17.89 降至 5.25)。
  • 在Cityscapes的非目标攻击中,基于SAF的TAAs在多种骨干网与检测器上优于现有基线。
  • 目标攻击显示SAF在传统TAAs因空间错位几乎失效的情形下重新获得有效性。
  • 在输入预处理防御(JPEG、BitR)下,SAF仍保持有效性,而非SA变体的性能下降更明显。
  • 在语义分割与目标检测领域,SAF使端到端TAAs在结构化任务上超越先前的性能极限。
Figure 2 : Illustration of the proposed Spatial Alignment Framework (SAF) .
Figure 2 : Illustration of the proposed Spatial Alignment Framework (SAF) .

更好的研究,从现在开始

从论文设计到论文写作,大幅缩短您的研究时间。

无需绑定信用卡

本解读由 AI 生成,并经人工编辑审核。