PyTorch implementation of "Ensemble-based Blackbox Attacks on Dense Prediction" (CVPR 2023).
Ensemble-based Blackbox Attacks on Dense Prediction
Zikui Cai, Yaoteng Tan, M. Salman Asif
UC Riverside
We propose an approach for adversarial attacks on dense prediction models (such as object detectors and segmentation). In this paper, we show that a carefully designed ensemble can create effective attacks for a number of victim models. In particular, we show that normalization of the weights for individual models plays a critical role in the success of the attacks. We then demonstrate that adjusting the weights of the ensemble according to the victim model can further improve the performance of the attacks. Finally, we show that our proposed method can also generate a single perturbation that can fool multiple blackbox detection and segmentation models simultaneously.
Below we generate perturbations to map the Bicycle on the right-hand side to Train (top), and the Car in the middle to Traffic Light (bottom). More details are in the paper.
Below we generate attacks on video frames to make the Jets vanish (top), and to perturb Cars to Cows (bottom). Videos are generated by perturbing each frame with EBAD and passing it through the victim model. The setting is the same as N=5 in Table 2, attacking RetinaNet as the blackbox victim model.
- python==3.8
- torch==1.11.0
- torchvision==0.12.0
- mmcv-full==1.5.1
- mmdetection v2.24.1
- mmsegmentation v0.27.0
Object detection: get the VOC and COCO datasets under the `/data` folder.
```bash
cd data
bash get_voc.sh
bash get_coco.sh
```
Semantic segmentation:
Download and prepare the Cityscapes and VOC datasets by following the instructions. Place the dataset folders under the `mmsegmentation/data` folder.
- Download and place the `mmdetection` folder under the EBAD directory.
- Run `python mmdet_model_info.py` to download pre-trained models from MMCV.
- Run `python attack_bb_det.py` to perform attacks on object detection.
- Download and place the `mmsegmentation` folder under the EBAD directory.
- Download and process the datasets. Place the dataset folders under `mmsegmentation/data/`.
- Replace the definition of `simple_test` in `mmsegmentation/mmseg/models/segmentors/encoder_decoder.py` with the following code block in order to support our attack algorithm.
```python
def simple_test(self, img, img_meta, rescale=True):
    """Simple test with single image."""
    seg_logit = self.inference(img, img_meta, rescale)
    seg_pred = seg_logit.argmax(dim=1)  # clean prediction
    seg_pred_ll = seg_logit.argmin(dim=1)  # least likely
    seg_pred_ml = seg_logit.topk(2, dim=1).indices[:, 1, :]  # 2nd-most likely
    if torch.onnx.is_in_onnx_export():
        # our inference backend only supports 4D output
        seg_pred = seg_pred.unsqueeze(0)
        return seg_pred
    seg_pred = seg_pred.cpu().numpy()
    seg_pred_ll = seg_pred_ll.cpu().numpy()
    seg_pred_ml = seg_pred_ml.cpu().numpy()
    # unravel batch dim
    seg_pred = list(seg_pred)
    seg_pred_ll = list(seg_pred_ll)
    seg_pred_ml = list(seg_pred_ml)
    # one flat list: clean predictions, then 2nd-most likely, then least likely
    return seg_pred + seg_pred_ml + seg_pred_ll
```
- Run `python mmseg_model_info_cityscapes.py` and `python mmseg_model_info_voc.py` to download pre-trained models from MMCV.
- Run `python attack_bb_seg.py --target ll --n_wb 2 --iterw 20 --n_imgs 10 --victim PSPNet --data cityscapes` to perform an N=2, Q=20 targeted ensemble attack using the least-likely label against PSPNet on 10 Cityscapes images. Use the `-untargeted` option to perform an untargeted attack. Use `-save_queries` to save a visualization of each attack query result, and use `-visualize` to save a visualization of our attack.
To perform attacks on object detection and segmentation jointly, run `python attack_bb_det_seg.py`.
@InProceedings{cai2023ensemble,
    author    = {Cai, Zikui and Tan, Yaoteng and Asif, M. Salman},
    title     = {Ensemble-Based Blackbox Attacks on Dense Prediction},
    booktitle = {Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR)},
    month     = {June},
    year      = {2023},
    pages     = {4045-4055}
}
We thank MMCV for the model support.



