Universal Perturbation Attack Against Image Retrieval
Despite their remarkable success, deep learning models have been shown to be vulnerable to universal adversarial perturbations (UAPs). Existing work on UAP methods mainly focuses on attacking image classification models, and little attention has been paid to attacking image retrieval systems. In this paper, we make the first attempt at a UAP attack against deep-feature-based image retrieval. Concretely, attacking image retrieval means making the retrieval system return more images irrelevant to the query at the top of the ranking list; the key design is to corrupt the relationships among features. To this end, we propose a unified method to generate retrieval-based UAPs that break the relationships between image features from point-wise, label-wise, and list-wise aspects. We further analyze the impact of the resizing operation in generating UAPs, and thus provide a solution to attack high-performance retrieval systems with query resizing. We evaluate the proposed methods on four widely used image retrieval datasets, i.e., Oxford5k and Paris6k with their revised versions, where they lead to a significant performance drop in terms of different metrics, such as mAP and mP@10. Finally, we test our attack methods on a real-world visual search engine, i.e., Google Images, which demonstrates the potential of our methods.