We analysis performance of semantic segmentation models wrt. adversarial attacks, and observe that the adversarial examples generated from a source model fail to attack the target models. i.e The conventional attack methods, such as PGD and FGSM, do not transfer well to target models, making it necessary to study the transferable attacks, especially transferable attacks for semantic segmentation. We find two main factors to achieve transferable attack. Firstly, the attack should come with effective data augmentation and translation-invariant features to deal with unseen models. Secondly, stabilized optimization strategies are needed to find the optimal attack direction. Based on the above observations, we propose an ensemble attack for semantic segmentation to achieve more effective attacks with higher transferability. The source code and experimental results are publicly available via our project page: https://github.com/anucvers/TASS.

翻译：我们分析了语义分割模型在对抗攻击下的性能表现，并观察到从源模型生成的对抗样本无法成功攻击目标模型。即传统攻击方法（如PGD和FGSM）难以有效迁移至目标模型，这使得研究可迁移攻击（尤其是针对语义分割的可迁移攻击）具有必要性。我们发现实现可迁移攻击的两个主要因素：首先，攻击需结合有效的数据增强和平移不变特征处理未见模型；其次，需要稳定优化策略以寻找最优攻击方向。基于上述观察，我们提出了一种针对语义分割的集成攻击方法，以实现更高迁移性的有效攻击。源代码与实验结果已通过项目页面公开提供：https://github.com/anucvers/TASS。