Transferable Attack for Semantic Segmentation

TL;DR

This paper investigates the transferability of adversarial attacks on semantic segmentation models, identifying key factors for effective transferable attacks and proposing an ensemble attack method to improve attack success across models.

Contribution

It introduces an ensemble attack method for semantic segmentation that enhances transferability by incorporating data augmentation, translation-invariant features, and stabilized optimization strategies.

Findings

Conventional attacks like PGD and FGSM do not transfer well.

Effective transferability requires data augmentation and translation-invariant features.

The proposed ensemble attack achieves higher transferability across models.

Abstract

We analysis performance of semantic segmentation models wrt. adversarial attacks, and observe that the adversarial examples generated from a source model fail to attack the target models. i.e The conventional attack methods, such as PGD and FGSM, do not transfer well to target models, making it necessary to study the transferable attacks, especially transferable attacks for semantic segmentation. We find two main factors to achieve transferable attack. Firstly, the attack should come with effective data augmentation and translation-invariant features to deal with unseen models. Secondly, stabilized optimization strategies are needed to find the optimal attack direction. Based on the above observations, we propose an ensemble attack for semantic segmentation to achieve more effective attacks with higher transferability. The source code and experimental results are publicly available via our project page: https://github.com/anucvers/TASS.