Adversarial attacks and robustness for segment anything model
Main Author: | |
---|---|
Other Authors: | |
Format: | Final Year Project |
Language: | English |
Published: | Nanyang Technological University, 2024 |
Subjects: | |
Online Access: | https://hdl.handle.net/10356/177032 |
Institution: | Nanyang Technological University |
Summary: | Segment Anything Model (SAM), as a potent graphic segmentation model, has demonstrated its application potential in various fields. Before deploying SAM in various applications, the robustness of SAM against adversarial attacks is a security concern that must be addressed. In this paper, we experimentally conducted adversarial attacks on SAM and its downstream application models to evaluate their robustness. For SAM downstream models with unknown structures, the method of attacking by establishing a surrogate model has several limitations. These include significant time and computational costs due to SAM’s large volume, as well as poor simulation effects of the surrogate model because of the unknown training set used by the model. This dissertation aimed to leverage open-source models to design a simple and feasible method for attacking SAM downstream application models. We used Gaussian functions to estimate the gradient of SAM downstream models on the image encoder. This approach significantly reduced computational and time costs compared to building surrogate models and improved the attack effectiveness. To further enhance the transferability of the attack, we applied random rotation and erasing transformations to input images and trained using the Expectation Over Transformation (EOT) loss. However, we found that the EOT-based method did not show a good performance gain in attacking downstream tasks. This inadequacy can be attributed to the intrinsic trade-off between the attack effectiveness and transferability, necessitating the determination of an optimal weight parameter through a heuristic search to strike a balance. |