A Generative Victim Model for Segmentation

Adversarial attacks are designed to perturb input samples to induce incorrect predictions from a model, which are key tools for assessing model robustness. Although extensive research has focused on designing adversarial attacks for classification tasks, robustness analysis for segmentation tasks remains relatively underexplored. Given that segmentation enables fine-grained, pixel-wise semantic analysis, we argue that adversarial attacks aiming at pixel-level robustness assessment are particularly valuable. A fundamental prerequisite for generating adversarial examples is the availability of a well-trained victim model (VM), which is the model being attacked. However, relying on task-specific architectures limits the generality and flexibility of attack strategies. To address this issue, we design an effective adversarial attack without relying on victim models. In particular, we propose a novel adversarial sample generation model, termed the Data Distribution Estimation (DDE) model, for segmentation tasks. Built upon DDE, our model operates without relying on any segmentation-specific model architecture. This adversarial sample generation model operates directly on the data distribution by estimating its gradient and perturbing samples at the pixel level toward lower-density regions, effectively guiding the samples away from the natural image manifold. Extensive experiments show that our method can generate effective and transferable adversarial examples for segmentation tasks. These results validate the feasibility and potential of generating adversarial samples solely based on data distributions, providing a new perspective for studying robustness in dense prediction tasks.