├── images ├── __init__.py ├── Tar_Adv_Pred.jpg ├── Tar_Orig_Pred.jpg ├── Untar_Adv_Pred.jpg └── Untar_Orig_Pred.jpg ├── src ├── __init__.py ├── Targeted Attacks │ ├── PascalVOC_Targ.py │ └── utils.py └── Untargeted Attacks │ ├── PascalVOC_Untarg.py │ └── utils.py ├── scaling attacks ├── __init__.py ├── image_scaling.py └── utils.py └── README.md /images/__init__.py: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /src/__init__.py: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /scaling attacks/__init__.py: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /images/Tar_Adv_Pred.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Swaraj-72/Adversarial-Attacks-and-Defenses-on-Semantic-Segmentation-Networks/HEAD/images/Tar_Adv_Pred.jpg -------------------------------------------------------------------------------- /images/Tar_Orig_Pred.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Swaraj-72/Adversarial-Attacks-and-Defenses-on-Semantic-Segmentation-Networks/HEAD/images/Tar_Orig_Pred.jpg -------------------------------------------------------------------------------- /images/Untar_Adv_Pred.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Swaraj-72/Adversarial-Attacks-and-Defenses-on-Semantic-Segmentation-Networks/HEAD/images/Untar_Adv_Pred.jpg -------------------------------------------------------------------------------- /images/Untar_Orig_Pred.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Swaraj-72/Adversarial-Attacks-and-Defenses-on-Semantic-Segmentation-Networks/HEAD/images/Untar_Orig_Pred.jpg -------------------------------------------------------------------------------- /src/Targeted Attacks/PascalVOC_Targ.py: -------------------------------------------------------------------------------- 1 | import torch 2 | import torch.nn as nn 3 | from torch.utils.data import DataLoader 4 | import torchvision 5 | from tqdm.auto import tqdm 6 | from torchvision.utils import make_grid 7 | from torchvision import models 8 | from torchvision import datasets, transforms as T 9 | 10 | import matplotlib.pyplot as plt 11 | import matplotlib.gridspec as gridspec 12 | %matplotlib inline 13 | from sklearn.metrics import accuracy_score 14 | import numpy as np 15 | from utils import pgd_targ, IoUAcc, decode_segmap 16 | 17 | device = torch.device("cuda:0" if torch.cuda.is_available() else "cpu") 18 | print(device) 19 | torch.cuda.empty_cache() 20 | 21 | batch_size = 4 22 | img_size = (520, 520) # original input size to the model is (520,520) but all images in dataset are of different sizes 23 | 24 | trans = T.Compose([T.Resize(img_size),T.ToTensor(), T.Normalize(mean=[0.485, 0.456, 0.406], std=[0.229, 0.224, 0.225])]) 25 | dataset = datasets.VOCSegmentation(r'/home/shk/PascalVOC', year = '2012', 26 | image_set = 'trainval',download = False, transform = trans, 27 | target_transform = T.Resize(img_size), transforms = None)# change path for local use 28 | 29 | X, y, yrep = [], [], [] 30 | for i in range(batch_size): 31 | num = torch.randint(0,1449,(1,1)).item() 32 | X.append(dataset[num][0]) 33 | y.append(np.asarray(dataset[num][1])) 34 | yrep.append(dataset[num][1]) 35 | X, y = torch.stack(X), torch.tensor(y).unsqueeze(1) 36 | 37 | class_names = {0:'background', 1:'aeroplane', 2:'bicycle', 3:'bird', 4:'boat', 5:'bottle', 6:'bus', 7:'car', 8:'cat', 38 | 9:'chair', 10:'cow', 11:'diningtable', 12:'dog', 13:'horse', 14:'motorbike', 15:'person', 16:'pottedplant', 39 | 17:'sheep', 18:'sofa', 19:'train', 20:'tvmonitor', 255: 'void'} 40 | 41 | net = models.segmentation.deeplabv3_resnet101(pretrained=True, num_classes=21, aux_loss=None).eval() 42 | 43 | yp = net(X)['out'] 44 | m = torch.softmax(yp, 1) 45 | pred = torch.argmax(m, 1) 46 | IoUAcc(y, pred) 47 | 48 | delta = pgd_targ(net, X, y, epsilon=0.10, alpha=100, num_iter = 15, y_targ = y[1] ) # Second image in the batch is targeted 49 | ypa = net((X.float()+ delta.float()))['out'] 50 | n = torch.softmax(ypa, 1) 51 | preda = torch.argmax(n,1) 52 | IoUa, Acca = IoUAcc(y, preda) 53 | 54 | 55 | -------------------------------------------------------------------------------- /src/Untargeted Attacks/PascalVOC_Untarg.py: -------------------------------------------------------------------------------- 1 | import torch 2 | import torch.nn as nn 3 | from torch.utils.data import DataLoader 4 | import torchvision 5 | from torchvision import models 6 | from torchvision import datasets, transforms as T 7 | from utils import decode_segmap, IoUAcc, pgd, pgd_steep 8 | 9 | import matplotlib.pyplot as plt 10 | import matplotlib.gridspec as gridspec 11 | %matplotlib inline 12 | from sklearn.metrics import accuracy_score 13 | import numpy as np 14 | 15 | device = torch.device("cuda:0" if torch.cuda.is_available() else "cpu") 16 | print(device) 17 | torch.cuda.empty_cache() 18 | 19 | batch_size = 4 20 | 21 | img_size = (520,520) # original input size to the model is (520,520) but all images in dataset are of different sizes in PascalVOC 22 | 23 | trans = T.Compose([T.Resize(img_size),T.ToTensor(), T.Normalize(mean=[0.485, 0.456, 0.406], std=[0.229, 0.224, 0.225])]) 24 | 25 | dataset = datasets.VOCSegmentation(r'/datasets/PascalVOC/....', year = '2012', image_set = 'val',download = False, transform = trans, 26 | target_transform = T.Resize(img_size), transforms = None) # Path to be updated for local use. 27 | 28 | X, y, yrep = [], [], [] 29 | for i in range(batch_size): 30 | num = torch.randint(0,1449,(1,1)).item() 31 | X.append(dataset[num][0]) 32 | y.append(np.asarray(dataset[num][1])) 33 | yrep.append(dataset[num][1]) 34 | X, y = torch.stack(X), torch.tensor(y).unsqueeze(1) 35 | 36 | #print(X.size(), y.size()) 37 | 38 | net = models.segmentation.deeplabv3_resnet101(pretrained=True, progress=True, num_classes=21, aux_loss=None).eval() #Any pre-trained model from pytorch can be made used of. 39 | 40 | class_names = {1:'background', 2:'aeroplane', 3:'bicycle', 4:'bird', 5:'boat', 6:'bottle', 7:'bus', 8:'car', 9:'cat', 41 | 10:'chair', 11:'cow', 12:'diningtable', 13:'dog', 14:'horse', 15:'motorbike', 16:'person', 17:'pottedplant', 42 | 18:'sheep', 19:'sofa', 20:'train', 21:'tvmonitor' } 43 | 44 | yp = net(X)['out'] 45 | m = torch.softmax(yp,1) 46 | pred = torch.argmax(m,1) 47 | IoUAcc(y, pred) 48 | 49 | delta1 = pgd(net, X, y, epsilon=0.10, alpha=1e2, num_iter=10) # Various values of epsilon, alpha can be used to play with. 50 | ypa1 = net((X.float()+ delta1.float()))['out'] 51 | n = torch.softmax(ypa1,1) 52 | preda1 = torch.argmax(n,1) 53 | IoUa1, Acca1 = IoUAcc(y, preda1) 54 | -------------------------------------------------------------------------------- /src/Targeted Attacks/utils.py: -------------------------------------------------------------------------------- 1 | import torch 2 | import numpy as np 3 | 4 | 5 | 6 | def IoUAcc(y_trg, y_pred, class_names = class_names): 7 | 8 | trg = y_trg.squeeze(1) 9 | pred = y_pred 10 | iou_list = list() 11 | present_iou_list = list() 12 | 13 | pred = pred.view(-1) 14 | trg = trg.view(-1) 15 | for sem_class in range(21): # loop over each class for IoU calculation 16 | pred_inds = (pred == sem_class) 17 | target_inds = (trg == sem_class) 18 | if target_inds.long().sum().item() == 0: 19 | iou_now = float('nan') 20 | #print('Class {} IoU is {}'.format(class_names[sem_class+1], iou_now)) 21 | else: 22 | intersection_now = (pred_inds[target_inds]).long().sum().item() 23 | union_now = pred_inds.long().sum().item() + target_inds.long().sum().item() - intersection_now 24 | iou_now = float(intersection_now) / float(union_now) 25 | #print('Class {} IoU is {}'.format(class_names[sem_class+1], iou_now)) 26 | present_iou_list.append(iou_now) 27 | iou_list.append(iou_now) 28 | 29 | acc = accuracy_score(trg, pred) 30 | 31 | print('mIoU is {} and Pixel Accuracy is {}'.format(np.mean(present_iou_list)*100, acc*100)) 32 | return np.mean(present_iou_list)*100, acc*100 33 | 34 | 35 | def pgd_targ(model, X_, y, epsilon, alpha, num_iter, y_targ = y[0]): # Targeted Attack 1 36 | 37 | delta = torch.zeros_like(X_, requires_grad=True) 38 | if type(y_targ) == str: 39 | y_new = get_trg_class(y, y_targ) 40 | y_,_ = torch.max(y_new,1) 41 | else: 42 | y_ = torch.stack((y_targ,)*X.shape[0],0).squeeze(1) 43 | for t in range(num_iter): 44 | yp = model(X_.float() + delta.float())['out'] 45 | loss = nn.CrossEntropyLoss(ignore_index = 255)(yp, y_.long()) 46 | loss.backward() 47 | print('Loss after iteration {}: {}'.format(t+1, loss.item())) 48 | delta.data = (delta - alpha*delta.grad.data).clamp(-epsilon,epsilon) 49 | delta.grad.zero_() 50 | 51 | return delta.detach() 52 | 53 | def decode_segmap(image, nc=21): # visualise the decoded prediction (pred) 54 | 55 | label_colors = np.array([(0, 0, 0), 56 | (128, 0, 0), (0, 128, 0), (128, 128, 0), (0, 0, 128), (128, 0, 128), 57 | (0, 128, 128), (128, 128, 128), (64, 0, 0), (192, 0, 0), (64, 128, 0), 58 | (192, 128, 0), (64, 0, 128), (192, 0, 128), (64, 128, 128), (192, 128, 128), 59 | (0, 64, 0), (128, 64, 0), (0, 192, 0), (128, 192, 0), (0, 64, 128)]) 60 | r = torch.zeros_like(image, dtype = torch.uint8) 61 | g = torch.zeros_like(image, dtype = torch.uint8) 62 | b = torch.zeros_like(image, dtype = torch.uint8) 63 | 64 | for l in range(0, nc): 65 | idx = image == l 66 | r[idx] = label_colors[l, 0] 67 | g[idx] = label_colors[l, 1] 68 | b[idx] = label_colors[l, 2] 69 | 70 | rgb = torch.stack([r, g, b], axis=3) 71 | return rgb 72 | 73 | -------------------------------------------------------------------------------- /src/Untargeted Attacks/utils.py: -------------------------------------------------------------------------------- 1 | import torch 2 | import numpy as np 3 | 4 | 5 | def decode_segmap(image, nc=21): # visualise the decoded prediction (pred) 6 | 7 | label_colors = np.array([(0, 0, 0), 8 | (128, 0, 0), (0, 128, 0), (128, 128, 0), (0, 0, 128), (128, 0, 128), 9 | (0, 128, 128), (128, 128, 128), (64, 0, 0), (192, 0, 0), (64, 128, 0), 10 | (192, 128, 0), (64, 0, 128), (192, 0, 128), (64, 128, 128), (192, 128, 128), 11 | (0, 64, 0), (128, 64, 0), (0, 192, 0), (128, 192, 0), (0, 64, 128)]) 12 | r = torch.zeros_like(image, dtype = torch.uint8) 13 | g = torch.zeros_like(image, dtype = torch.uint8) 14 | b = torch.zeros_like(image, dtype = torch.uint8) 15 | 16 | for l in range(0, nc): 17 | idx = image == l 18 | r[idx] = label_colors[l, 0] 19 | g[idx] = label_colors[l, 1] 20 | b[idx] = label_colors[l, 2] 21 | 22 | rgb = torch.stack([r, g, b], axis=3) 23 | return rgb 24 | 25 | def IoUAcc(y_trg, y_pred, class_names = class_names): 26 | 27 | trg = y_trg.squeeze(1) 28 | pred = y_pred 29 | iou_list = list() 30 | present_iou_list = list() 31 | 32 | pred = pred.view(-1) 33 | trg = trg.view(-1) 34 | for sem_class in range(21): # loop over each class for IoU calculation 35 | pred_inds = (pred == sem_class) 36 | target_inds = (trg == sem_class) 37 | if target_inds.long().sum().item() == 0: 38 | iou_now = float('nan') 39 | #print('Class {} IoU is {}'.format(class_names[sem_class+1], iou_now)) 40 | else: 41 | intersection_now = (pred_inds[target_inds]).long().sum().item() 42 | union_now = pred_inds.long().sum().item() + target_inds.long().sum().item() - intersection_now 43 | iou_now = float(intersection_now) / float(union_now) 44 | #print('Class {} IoU is {}'.format(class_names[sem_class+1], iou_now)) 45 | present_iou_list.append(iou_now) 46 | iou_list.append(iou_now) 47 | 48 | acc = accuracy_score(trg, pred) 49 | 50 | return np.mean(present_iou_list)*100, acc*100 51 | 52 | 53 | def pgd(model, X, y, epsilon, alpha, num_iter): # Untargetted Attack 1 54 | 55 | delta = torch.zeros_like(X, requires_grad=True) 56 | trg = y.squeeze(1) 57 | 58 | for t in range(num_iter): 59 | loss = nn.CrossEntropyLoss(ignore_index = 255)(model(X + delta)['out'], trg.long()) 60 | loss.backward() 61 | print('Loss after iteration {}: {:.2f}'.format(t+1, loss.item())) 62 | delta.data = (delta + X.shape[0]*alpha*delta.grad.data).clamp(-epsilon,epsilon) 63 | delta.grad.zero_() 64 | 65 | return delta.detach() 66 | 67 | def pgd_steep(model, X, y, epsilon, alpha, num_iter): # Untargetted Attack 2 68 | 69 | delta = torch.zeros_like(X, requires_grad=True) 70 | trg = y.squeeze(1) 71 | 72 | for t in range(num_iter): 73 | loss = nn.CrossEntropyLoss(ignore_index = 255)(model(X + delta)['out'], trg.long()) 74 | loss.backward() 75 | print('Loss after iteration {}: {:.2f}'.format(t+1, loss.item())) 76 | delta.data = (delta + alpha*delta.grad.detach().sign()).clamp(-epsilon,epsilon) 77 | delta.grad.zero_() 78 | 79 | return delta.detach() 80 | -------------------------------------------------------------------------------- /scaling attacks/image_scaling.py: -------------------------------------------------------------------------------- 1 | # Please note that this file is to be run in the scaleatt folder of the repo https://github.com/EQuiw/2019-scalingattack to be functional. 2 | #The concept of scaling the image is directly taken from this repo. 3 | 4 | import torch 5 | import torch.nn as nn 6 | from torch.utils.data import DataLoader 7 | import torchvision 8 | from torchvision import models 9 | from torchvision import datasets, transforms as T 10 | from utils import result attack_image, IoUAcc, decode_segmap 11 | 12 | import matplotlib.pyplot as plt 13 | import matplotlib.gridspec as gridspec 14 | %matplotlib inline 15 | from sklearn.metrics import accuracy_score 16 | import numpy as np 17 | 18 | # Image scaling attack library (https://github.com/EQuiw/2019-scalingattack) 19 | # Note: File is to be created in scaleatt folder to comply with the following requirements 20 | from utils.plot_image_utils import plot_images_in_actual_size 21 | from scaling.ScalingGenerator import ScalingGenerator 22 | from scaling.SuppScalingLibraries import SuppScalingLibraries 23 | from scaling.SuppScalingAlgorithms import SuppScalingAlgorithms 24 | from scaling.ScalingApproach import ScalingApproach 25 | from attack.QuadrScaleAttack import QuadraticScaleAttack 26 | from attack.direct_attacks.DirectNearestScaleAttack import DirectNearestScaleAttack 27 | from attack.ScaleAttackStrategy import ScaleAttackStrategy 28 | 29 | 30 | device = torch.device("cuda:0" if torch.cuda.is_available() else "cpu") 31 | print(device) 32 | torch.cuda.empty_cache() 33 | 34 | batch_size = 4 35 | img_size = (520, 520) # original input size to the model is (520,520) but all images in dataset are of different sizes 36 | trans = T.Compose([T.Resize(img_size), T.ToTensor(), T.Normalize(mean=[0.485, 0.456, 0.406], std=[0.229, 0.224, 0.225])]) 37 | #T.Normalize(mean=[0.485, 0.456, 0.406], std=[0.229, 0.224, 0.225])] 38 | dataset = datasets.VOCSegmentation(r'/home/shk/PascalVOC/', year = '2012', 39 | image_set = 'trainval',download = False, transform = trans, 40 | target_transform = T.Resize(img_size), transforms = None) 41 | X, y, yrep = [], [], [] 42 | for i in range(batch_size): 43 | num = torch.randint(0,1449,(1,1)).item() 44 | X.append(dataset[num][0]) 45 | y.append(np.asarray(dataset[num][1])) 46 | yrep.append(dataset[num][1]) 47 | X, y = torch.stack(X), torch.tensor(y) 48 | 49 | net = models.segmentation.deeplabv3_resnet101(pretrained=True, progress=True, num_classes=21, aux_loss=None).eval() 50 | 51 | yp = net(X)['out'] 52 | yp.size() 53 | pred = torch.argmax(yp,1) 54 | IoUAcc(y, pred) 55 | 56 | tran = T.Compose([T.ToTensor(), T.Normalize(mean=[0.485, 0.456, 0.406], std=[0.229, 0.224, 0.225])]) 57 | x = torch.zeros((X.size(0), 3, 130, 130)) 58 | X_targ = torch.zeros_like(X) 59 | delta_v, delta_h = [], [] 60 | inp = int(input('Which image to target (1,2,3,4): ')) 61 | for i in range(X.size(0)): 62 | att_img, lower, deltav_, deltah_ = result_attack_image(X[i], X[inp-1]) 63 | delta_v.append(deltav_) 64 | delta_h.append(deltah_) 65 | print('Attack image received') 66 | X_targ[i] = tran(att_img) 67 | x[i] = tran(lower) 68 | 69 | 70 | ypa = net(x)['out'] 71 | high = torch.nn.functional.interpolate(ypa, size = img_size, mode='nearest') 72 | preda = torch.argmax(high,1) 73 | preda.unique() 74 | IoUAcc(y,preda) 75 | -------------------------------------------------------------------------------- /scaling attacks/utils.py: -------------------------------------------------------------------------------- 1 | import torch 2 | import numpy as np 3 | 4 | def decode_segmap(image, nc=21): # visualise the decoded prediction (pred) 5 | 6 | label_colors = np.array([(0, 0, 0), 7 | (128, 0, 0), (0, 128, 0), (128, 128, 0), (0, 0, 128), (128, 0, 128), 8 | (0, 128, 128), (128, 128, 128), (64, 0, 0), (192, 0, 0), (64, 128, 0), 9 | (192, 128, 0), (64, 0, 128), (192, 0, 128), (64, 128, 128), (192, 128, 128), 10 | (0, 64, 0), (128, 64, 0), (0, 192, 0), (128, 192, 0), (0, 64, 128)]) 11 | r = torch.zeros_like(image, dtype = torch.uint8) 12 | g = torch.zeros_like(image, dtype = torch.uint8) 13 | b = torch.zeros_like(image, dtype = torch.uint8) 14 | 15 | for l in range(0, nc): 16 | idx = image == l 17 | r[idx] = label_colors[l, 0] 18 | g[idx] = label_colors[l, 1] 19 | b[idx] = label_colors[l, 2] 20 | 21 | rgb = torch.stack([r, g, b], axis=3) 22 | return rgb 23 | 24 | class_names = {0:'background', 1:'aeroplane', 2:'bicycle', 3:'bird', 4:'boat', 5:'bottle', 6:'bus', 7:'car', 8:'cat', 25 | 9:'chair', 10:'cow', 11:'diningtable', 12:'dog', 13:'horse', 14:'motorbike', 15:'person', 16:'pottedplant', 26 | 17:'sheep', 18:'sofa', 19:'train', 20:'tvmonitor' } 27 | 28 | 29 | def IoUAcc(y_trg, y_pred, class_names = class_names): 30 | 31 | trg = y_trg.squeeze(1) 32 | pred = y_pred 33 | iou_list = list() 34 | present_iou_list = list() 35 | 36 | pred = pred.view(-1) 37 | trg = trg.view(-1) 38 | for sem_class in range(21): # loop over each class for IoU calculation 39 | pred_inds = (pred == sem_class) 40 | target_inds = (trg == sem_class) 41 | if target_inds.long().sum().item() == 0: 42 | iou_now = float('nan') 43 | #print('Class {} IoU is {}'.format(class_names[sem_class+1], iou_now)) 44 | else: 45 | intersection_now = (pred_inds[target_inds]).long().sum().item() 46 | union_now = pred_inds.long().sum().item() + target_inds.long().sum().item() - intersection_now 47 | iou_now = float(intersection_now) / float(union_now) 48 | #print('Class {} IoU is {}'.format(class_names[sem_class+1], iou_now)) 49 | present_iou_list.append(iou_now) 50 | iou_list.append(iou_now) 51 | 52 | acc = accuracy_score(trg, pred) 53 | 54 | #print('mIoU is {} and Pixel Accuracy is {}'.format(np.mean(present_iou_list)*100, acc*100)) 55 | return np.mean(present_iou_list)*100, acc*100 56 | 57 | 58 | def result_attack_image(src_img, tar_img): # Function to apply Image Scaling Attack 59 | 60 | inv_normalize = T.Normalize(mean=[-0.485/0.229, -0.456/0.224, -0.406/0.225],std=[1/0.229, 1/0.224, 1/0.225]) 61 | src_img, tar_img = inv_normalize(src_img), inv_normalize(tar_img) 62 | 63 | low = torch.nn.functional.interpolate(tar_img.unsqueeze(0), 64 | size = (130,130), mode='bilinear').squeeze(0) 65 | src_img = np.array(src_img*255.0, dtype = np.uint8).transpose(1,2,0) 66 | tar_img = np.array(low*255.0, dtype = np.uint8).transpose(1,2,0) 67 | 68 | scaling_algorithm: SuppScalingAlgorithms = SuppScalingAlgorithms.NEAREST 69 | 70 | scaling_library: SuppScalingLibraries = SuppScalingLibraries.PIL 71 | 72 | scaler_approach: ScalingApproach = ScalingGenerator.create_scaling_approach(x_val_source_shape=src_img.shape, 73 | x_val_target_shape=tar_img.shape, 74 | lib=scaling_library, 75 | alg=scaling_algorithm) 76 | 77 | scale_att: ScaleAttackStrategy = QuadraticScaleAttack(eps=1, verbose=False) 78 | 79 | result_attack_image, deltav, deltah = scale_att.attack(src_image=src_img, 80 | target_image=tar_img, 81 | scaler_approach=scaler_approach) 82 | print('Scaling done') 83 | lower = scaler_approach.scale_image(xin=result_attack_image) 84 | 85 | return result_attack_image, lower, deltav, deltah 86 | 87 | 88 | def unnorm(X_norm): 89 | inv_normalize = T.Normalize(mean=[-0.485/0.229, -0.456/0.224, -0.406/0.225],std=[1/0.229, 1/0.224, 1/0.225]) 90 | for i in range(X_norm.size(0)): 91 | X_norm[i] = inv_normalize(X_norm[i]) 92 | return X_norm 93 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Adversarial Attacks and Defenses on Semantic Segmentation Networks 2 | Welcome to the repo of Adversarial attacks and defenses on Semantic Segmentation. Adversarial attacks prove to be the biggest challenge for deep neural networks. Even many state-of-the-art architectures are vulnerable to these attacks. Although many journals have tried to explain the defense mechanisms, we introduce other such methods focussing specially on Semantic Segmentation models and datasets like MS-COCO, PascalVOC, Cityscapes. 3 | 4 | ## Abstract 5 | The project explores and analyses various types of adversarial attacks, untargeted and targeted, used to fool the deep neural networks. Specially, we focus on the semantic segmentation networks with state-of-the-art pretrained models trained on two popular datasets, namely PascalVOC and Cityscapes.We restrict our scope only to white box attacks where the attacker has access to the model parameters. 6 | We first show how an imperceptible noise added to the images makes the network predict incorrect classes or segmentation maps. Next, we describe a method of mutli-scaling to reduce the risk of such attacks. Then we experiment similar attack now with a particular image among the batch as target. We plan the attack such that the network outputs the desired class or targeted image's segmentation map for all the images in the batch. We then explore methods of image reconstruction to lessen the damage caused by such attacks. 7 | For the entire experimentation, we make use of mean Intersection over Union (mIoU) and Pixel Accuracy as the metrics to measure how effective the attacks and defense mechanisms are on the semantic segmentation networks. Our findings pave way for robust semantic segmentation models which could be potentially implemented in safety critical applications. 8 | 9 | ## Plan of Attack 10 | The main idea is to perform adversarial attacks based on Projected Gradient Descent(PGD). There are two different types of attacks in particular we deal with. All our attacks are performed on the state-of-the-art pre-trained networks trained on PascalVOC and Cityscapes Datasets. We explore how these attacks fool the network to output a completely different segmentation map compared to that of the ground truth. 11 | Especially when the attack is targeted, we observe that the resulting segmentation map looks similar to that of the desired image. This way the attacks are performed to expose the vulnerability of segmentation networks. 12 | We also propose a defense mechanism namely multi-scaling for both targeted and untargeted attacks. This way it is observed that the mIoU and Accuracy values are being improved. We also discuss about the transferability of such attacks wherein a perturbated image obtained using one network is passed through another network to check the effect of perturbation. 13 | 14 | ## Results 15 | ### Untargeted Attacks 16 | The results shown below clearly indicate a unqiue segmentation map is produced for each image which is different from the original prediction of the network. 17 | ![untargeted_orig](https://user-images.githubusercontent.com/65396498/129730846-deb31b88-de11-4a90-8ba0-1b6b50693adf.jpg) 18 | ![untargeted](https://user-images.githubusercontent.com/65396498/129730860-f2e60f01-1e6e-4927-bf03-859c9c413c01.jpg) 19 | 20 | In the case of untargeted attacks, our goal is to maximize the loss simultaneously ensuring the perturbations are not visible to the naked eye. 21 | ### Targeted Attacks 22 | Here the second image in the batch of 4 images is targeted and it is observed that all other images now output similar segmentation map as the one that is targeted. 23 | ![Tar_Org](https://user-images.githubusercontent.com/65396498/129731350-108b56c9-20e7-487d-8c40-287cab9d86c0.jpg) 24 | ![Tar_adv](https://user-images.githubusercontent.com/65396498/129731372-541d3553-98f5-4375-b500-69f54d5017bf.jpg) 25 | Here, the goal is to minimize the loss between the targeted segmentation map and the other images' segmentation maps. Here too the perturbations shouldn't be visible to the naked eye. 26 | 27 | ### Image Scaling Attacks 28 | Here we use an target image to perturbate in a way that the original image predicts actual segmentation map when sent in with original size but when the image is scaled, then it outputs the targeted segmentation map. This is very good area of research because in many of the applications of deep learning, images are always resized to be input to the network. Sample images to be updated soon. 29 | 30 | The scaling part of this attack is completely taken from the repository by Erwin Quiring (https://github.com/EQuiw/2019-scalingattack) where they have described a novel method to illustrate the image scaling attack. We have applied his concept to our targeted segmentation map generation. 31 | 32 | 33 | --------------------------------------------------------------------------------