Robust SAM: On the Adversarial Robustness of Vision Foundation Models

Authors

  • Jiahuan Long MoE Key Lab of Artificial Intelligence, AI Institute, Shanghai Jiao Tong University Defense Innovation Institute, Chinese Academy of Military Science Intelligent Game and Decision Laboratory
  • Zhengqin Xu MoE Key Lab of Artificial Intelligence, AI Institute, Shanghai Jiao Tong University
  • Tingsong Jiang Defense Innovation Institute, Chinese Academy of Military Science Intelligent Game and Decision Laboratory
  • Wen Yao Defense Innovation Institute, Chinese Academy of Military Science Intelligent Game and Decision Laboratory
  • Shuai Jia MoE Key Lab of Artificial Intelligence, AI Institute, Shanghai Jiao Tong University
  • Chao Ma MoE Key Lab of Artificial Intelligence, AI Institute, Shanghai Jiao Tong University
  • Xiaoqian Chen Chinese Academy of Military Science Intelligent Game and Decision Laboratory

DOI:

https://doi.org/10.1609/aaai.v39i6.32616

Abstract

The Segment Anything Model (SAM) is a widely used vision foundation model with diverse applications, including image segmentation, detection, and tracking. Given SAM's wide applications, understanding its robustness against adversarial attacks is crucial for real-world deployment. However, research on SAM's robustness is still in its early stages. Existing attacks often overlook the role of prompts in evaluating SAM's robustness, and there has been insufficient exploration of defense methods to balance the robustness and accuracy. To address these gaps, this paper proposes an adversarial robustness framework designed to evaluate and enhance the robustness of SAM. Specifically, we introduce a cross-prompt attack method to enhance the attack transferability across different prompt types. Besides attacking, we propose a few-parameter adaptation strategy to defend SAM against various adversarial attacks. To balance robustness and accuracy, we use the singular value decomposition (SVD) to constrain the space of trainable parameters, where only singular values are adaptable. Experiments demonstrate that our cross-prompt attack method outperforms previous approaches in terms of attack success rate on both SAM and SAM 2. By adapting only 512 parameters, we achieve at least a 15% improvement in mean intersection over union (mIoU) against various adversarial attacks. Compared to previous defense methods, our approach enhances the robustness of SAM while maximally maintaining its original performance.
AAAI-25 / IAAI-25 / EAAI-25 Proceedings Cover

Downloads

Published

2025-04-11

How to Cite

Long, J., Xu, Z., Jiang, T., Yao, W., Jia, S., Ma, C., & Chen, X. (2025). Robust SAM: On the Adversarial Robustness of Vision Foundation Models. Proceedings of the AAAI Conference on Artificial Intelligence, 39(6), 5775–5783. https://doi.org/10.1609/aaai.v39i6.32616

Issue

Vol. 39 No. 6: AAAI-25 Technical Tracks 6

Section

AAAI Technical Track on Computer Vision V