Semantic segmentation models are known vulnerable to small input perturbations. In this paper, we comprehensively analysis the performance of semantic segmentation models \wrt~adversarial attacks, and observe that the adversarial examples generated from a source model fail to attack the target models, \ie~the conventional attack methods, such as PGD and FGSM, do not transfer well to target models, making it necessary to study the transferable attacks, especially transferable attacks for semantic segmentation. We find that to achieve transferable attack, the attack should come with effective data augmentation and translation-invariant features to deal with unseen models, and stabilized optimization strategies to find the optimal attack direction. Based on the above observations, we propose an ensemble attack for semantic segmentation by aggregating several transferable attacks from classification to achieve more effective attacks with higher transferability. The source code and experimental results are publicly available via our project page: https://github.com/anucvers/TASS.

翻译：语义分割模型已知易受微小输入扰动的影响。本文全面分析了语义分割模型在对抗攻击下的性能表现，并观察到从源模型生成的对抗样本难以成功攻击目标模型，即传统的攻击方法（如PGD和FGSM）无法有效地迁移至目标模型，因此研究可迁移攻击（尤其是针对语义分割的可迁移攻击）具有必要性。我们发现，要实现可迁移攻击，需具备以下特性：有效的数据增强和应对未知模型的平移不变特征，以及稳定优化的策略以寻找最优攻击方向。基于上述观察，我们提出一种面向语义分割的集成攻击方法，通过聚合多个源自分类任务的可迁移攻击，实现更高迁移性的有效攻击。源代码与实验结果已通过项目页面公开：https://github.com/anucvers/TASS。