Adversarial attacks and robustness for Segment Anything Model

Bibliographic Details
Main Author: Liu, Shifei
Other Authors: Jiang, Xudong
Format: Final Year Project
Language: English
Published: Nanyang Technological University 2024
Online Access:https://hdl.handle.net/10356/177032
Institution: Nanyang Technological University
Summary: Segment Anything Model (SAM), a potent image segmentation model, has demonstrated its application potential in various fields. Before SAM is deployed in such applications, its robustness against adversarial attacks is a security concern that must be addressed. In this dissertation, we experimentally conducted adversarial attacks on SAM and its downstream application models to evaluate their robustness. For SAM downstream models with unknown structures, attacking via a surrogate model has several limitations: significant time and computational costs owing to SAM's large size, and poor surrogate fidelity because the training set of the target model is unknown. We therefore aimed to leverage open-source models to design a simple and feasible method for attacking SAM downstream application models. We used Gaussian functions to estimate the gradient of SAM downstream models at the image encoder, which significantly reduced computational and time costs compared with building surrogate models and improved attack effectiveness. To further enhance the transferability of the attack, we applied random rotation and erasing transformations to the input images and trained with the Expectation Over Transformation (EOT) loss. However, the EOT-based method did not yield a clear performance gain when attacking downstream tasks. This shortfall can be attributed to the intrinsic trade-off between attack effectiveness and transferability, which necessitates a heuristic search for a weight parameter that balances the two.
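The Gaussian gradient estimation the summary describes is, in spirit, a zeroth-order (finite-difference) scheme that needs only black-box queries of the downstream model. Below is a minimal sketch of that idea in PyTorch; the function names (`loss_fn`, `estimate_gradient`, `pgd_step`), the sample count, and the step sizes are illustrative assumptions, not values taken from the thesis.

```python
import torch

def estimate_gradient(loss_fn, x, sigma=0.01, n_samples=32):
    """Zeroth-order estimate of d(loss_fn)/dx via Gaussian sampling.

    loss_fn: black-box callable returning a scalar loss tensor for an
             image (e.g. a SAM downstream model wrapped in an attack
             objective).
    x:       image tensor of shape (C, H, W) with values in [0, 1].
    """
    grad = torch.zeros_like(x)
    for _ in range(n_samples):
        u = torch.randn_like(x)          # random Gaussian direction
        # Antithetic (two-sided) differences lower estimator variance.
        l_pos = loss_fn(x + sigma * u)
        l_neg = loss_fn(x - sigma * u)
        grad += (l_pos - l_neg) / (2.0 * sigma) * u
    return grad / n_samples

def pgd_step(x_adv, x_orig, grad, alpha=2 / 255, epsilon=8 / 255):
    """One projected gradient ascent step inside an L-infinity ball."""
    x_adv = x_adv + alpha * grad.sign()
    x_adv = torch.min(torch.max(x_adv, x_orig - epsilon), x_orig + epsilon)
    return x_adv.clamp(0.0, 1.0)
```

Because the estimator needs only forward queries, no surrogate model has to be trained, which is the cost advantage the summary claims over the surrogate-model approach.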
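For the EOT part, the summary names random rotation and erasing as the transformation set. The sketch below shows what such a loss could look like, assuming torchvision transforms; the rotation range, the erasing scale, and the weight `lam` that trades direct attack effectiveness against transferability are hypothetical placeholders for values the thesis says must be found by heuristic search.

```python
import torch
import torchvision.transforms as T

# Transformation set for EOT: random rotation and random erasing.
# The parameter values here are illustrative choices.
eot_transforms = T.Compose([
    T.RandomRotation(degrees=15),
    T.RandomErasing(p=0.5, scale=(0.02, 0.1)),
])

def eot_loss(loss_fn, x_adv, n_transforms=8):
    """Expectation Over Transformation: average the attack loss over
    randomly transformed copies of the adversarial image."""
    total = 0.0
    for _ in range(n_transforms):
        total = total + loss_fn(eot_transforms(x_adv))
    return total / n_transforms

def combined_loss(loss_fn, x_adv, lam=0.5):
    # lam weighs attack effectiveness (first term) against
    # transferability (EOT term); per the summary, this trade-off is
    # what forces a heuristic search for the right weight.
    return loss_fn(x_adv) + lam * eot_loss(loss_fn, x_adv)
```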