We propose an approach for adversarial attacks on dense prediction models (such as object detectors and segmentation). It is well known that the attacks generated by a single surrogate model do not transfer to arbitrary (blackbox) victim models. Furthermore, targeted attacks are often more challenging than the untargeted attacks. In this paper, we show that a carefully designed ensemble can create effective attacks for a number of victim models. In particular, we show that normalization of the weights for individual models plays a critical role in the success of the attacks. We then demonstrate that by adjusting the weights of the ensemble according to the victim model can further improve the performance of the attacks. We performed a number of experiments for object detectors and segmentation to highlight the significance of the our proposed methods. Our proposed ensemble-based method outperforms existing blackbox attack methods for object detection and segmentation. Finally we show that our proposed method can also generate a single perturbation that can fool multiple blackbox detection and segmentation models simultaneously. Code is available at https://github.com/CSIPlab/EBAD.

翻译：我们提出了一种针对稠密预测模型（如目标检测器和分割模型）的对抗攻击方法。众所周知，由单个代理模型生成的攻击无法迁移到任意（黑盒）受害模型。此外，定向攻击通常比非定向攻击更具挑战性。在本文中，我们表明精心设计的集成可以为多个受害模型产生有效的攻击。特别地，我们发现单个模型权重的归一化在攻击成功中起着关键作用。随后，我们证明通过根据受害模型调整集成权重可以进一步提高攻击性能。我们对目标检测器和分割模型进行了大量实验，以突出所提方法的重要性。我们提出的基于集成的方法在目标检测和分割任务上优于现有的黑盒攻击方法。最后，我们展示了所提方法还可以生成单个扰动，同时欺骗多个黑盒检测和分割模型。代码可在 https://github.com/CSIPlab/EBAD 获取。