defense 2025

Fast and Flexible Robustness Certificates for Semantic Segmentation

Thomas Massena 1,2, Corentin Friedrich 3, Franck Mamalet 3, Mathieu Serrurier 1

0 citations · 43 references · arXiv

Published on arXiv

2512.06010

Input Manipulation Attack

OWASP ML Top 10 — ML01

Key Finding

Achieves real-time-compatible certified robustness for semantic segmentation ~600x faster than randomized smoothing with comparable certificates on an NVIDIA A100 GPU.

Lipschitz-certified semantic segmentation

Novel technique introduced


Deep Neural Networks are vulnerable to small perturbations that can drastically alter their predictions for perceptually unchanged inputs. The literature on adversarially robust Deep Learning attempts to either enhance the robustness of neural networks (e.g., via adversarial training) or to certify their decisions up to a given robustness level (e.g., by using randomized smoothing, formal methods or Lipschitz bounds). These studies mostly focus on classification tasks, and few efficient certification procedures currently exist for semantic segmentation. In this work, we introduce a new class of certifiably robust Semantic Segmentation networks with built-in Lipschitz constraints that are efficiently trainable and achieve competitive pixel accuracy on challenging datasets such as Cityscapes. Additionally, we provide a novel framework that generalizes robustness certificates for semantic segmentation tasks, where we showcase the flexibility and computational efficiency of using Lipschitz networks. Our approach unlocks real-time compatible certifiably robust semantic segmentation for the first time. Moreover, it allows the computation of worst-case performance under $\ell_2$ attacks of radius $\epsilon$ across a wide range of performance measures. Crucially, we benchmark the runtime of our certification process and find our approach to be around 600 times faster than randomized smoothing methods at inference with comparable certificates on an NVIDIA A100 GPU. Finally, we evaluate the tightness of our worst-case certificates against state-of-the-art adversarial attacks to further validate the performance of our method.


Key Contributions

  • Certifiably robust semantic segmentation networks with built-in Lipschitz constraints that are efficiently trainable and achieve competitive pixel accuracy on Cityscapes
  • A novel unifying framework that generalizes robustness certificates across a wide range of performance measures for segmentation tasks
  • Certification runtime ~600x faster than randomized smoothing at comparable robustness guarantees, enabling real-time certified segmentation

🛡️ Threat Analysis

Input Manipulation Attack

The paper directly addresses input manipulation attacks (ℓ2 adversarial perturbations at inference time) by providing certified robustness guarantees via Lipschitz-constrained networks for semantic segmentation — a defense against adversarial examples evaluated against state-of-the-art attacks.


Details

Domains
vision
Model Types
cnn
Threat Tags
white_box, inference_time, digital, untargeted
Datasets
Cityscapes
Applications
semantic segmentation, autonomous driving