research-article

Precise Target-Oriented Attack against Deep Hashing-based Retrieval

Authors:
Wenshuo Zhao

University of Electronic Science and Technology of China, Shenzhen, China

University of Electronic Science and Technology of China, Shenzhen, China

0009-0008-5106-0405
View Profile

,
Jingkuan Song

University of Electronic Science and Technology of China, Shenzhen, China

University of Electronic Science and Technology of China, Shenzhen, China

0000-0002-2549-8322
View Profile

,
Shengming Yuan

University of Electronic Science and Technology of China, Chengdu, China

University of Electronic Science and Technology of China, Chengdu, China

0009-0003-0183-2976
View Profile

,
Lianli Gao

University of Electronic Science and Technology of China, Shenzhen, China

University of Electronic Science and Technology of China, Shenzhen, China

0000-0002-2522-6394
View Profile

,
Yang Yang

University of Electronic Science and Technology of China, Chengdu, China

University of Electronic Science and Technology of China, Chengdu, China

0000-0002-5070-4511
View Profile

,
Hengtao Shen

University of Electronic Science and Technology of China, Chengdu, China

University of Electronic Science and Technology of China, Chengdu, China

0000-0002-2999-2088
View Profile

MM '23: Proceedings of the 31st ACM International Conference on MultimediaOctober 2023Pages 6379–6389https://doi.org/10.1145/3581783.3612364

Published:27 October 2023Publication History

MM '23: Proceedings of the 31st ACM International Conference on Multimedia

Pages 6379–6389

ABSTRACT

Deep hashing has been widely applied in large-scale image retrieval due to its powerful computational efficiency. Nevertheless, the vulnerability of deep hashing to adversarial examples has been revealed, particularly to targeted attacks with stronger manipulability. Existing targeted attack methods for deep hashing default to selecting target labels from random images, usually encompassing multiple classes for attack in multi-label datasets. However, they exhabit poor performance when facing a preciser single target label selection. In this work, we propose a novel Precise Target-Oriented Attack dubbed PTA, to enhance the precision of such targeted attacks. Specifically, we further categorize the general target label into preciser single target label for attack. By relaxing the non-differentiable indicator function, we directly adopt Average Precision (AP) as optimization objective to guide the generation of adversarial examples on a small subset of the entire database, thus achieving stronger precision. Extensive experiments demonstrate that the proposed PTA achieves state-of-the-art performance in both general and single target label selection, with superior transferability and universality.

References

Jiawang Bai, Bin Chen, Yiming Li, Dongxian Wu, Weiwei Guo, Shu-tao Xia, and En-hui Yang. 2020. Targeted attack for deep hashing based retrieval. In Computer Vision-ECCV 2020: 16th European Conference, Glasgow, UK, August 23-28, 2020, Proceedings, Part I 16. Springer, Springer, 618--634.Google ScholarDigital Library
Andrew Brown, Weidi Xie, Vicky Kalogeiton, and Andrew Zisserman. 2020. Smooth-ap: Smoothing the path towards large-scale image retrieval. In Computer Vision--ECCV 2020: 16th European Conference, Glasgow, UK, August 23-28, 2020, Proceedings, Part IX 16. Springer, 677--694.Google Scholar
Fatih Cakir, Kun He, Xide Xia, Brian Kulis, and Stan Sclaroff. 2019. Deep metric learning to rank. In Proceedings of the IEEE/CVF conference on computer vision and pattern recognition. 1861--1870.Google ScholarCross Ref
Zhangjie Cao, Mingsheng Long, Jianmin Wang, and Philip S Yu. 2017. Hashnet: Deep learning to hash by continuation. In Proceedings of the IEEE international conference on computer vision. 5608--5617.Google ScholarCross Ref
Zhangjie Cao, Ziping Sun, Mingsheng Long, Jianmin Wang, and Philip S Yu. 2018. Deep priority hashing. In Proceedings of the 26th ACM international conference on Multimedia. 1653--1661.Google ScholarDigital Library
Nicholas Carlini and David Wagner. 2017. Towards evaluating the robustness of neural networks. In 2017 ieee symposium on security and privacy (sp). Ieee, 39--57.Google Scholar
Tat-Seng Chua, Jinhui Tang, Richang Hong, Haojie Li, Zhiping Luo, and Yantao Zheng. 2009. Nus-wide: a real-world web image database from national university of singapore. In Proceedings of the ACM international conference on image and video retrieval. 1--9.Google ScholarDigital Library
Yinpeng Dong, Fangzhou Liao, Tianyu Pang, Hang Su, Jun Zhu, Xiaolin Hu, and Jianguo Li. 2018. Boosting adversarial attacks with momentum. In Proceedings of the IEEE conference on computer vision and pattern recognition. 9185--9193.Google ScholarCross Ref
Lianli Gao, Yaya Cheng, Qilong Zhang, Xing Xu, and Jingkuan Song. 2021. Feature space targeted attacks by statistic alignment. arXiv preprint arXiv:2105.11645 (2021).Google Scholar
Lianli Gao, Qilong Zhang, Jingkuan Song, Xianglong Liu, and Heng Tao Shen. 2020. Patch-wise attack for fooling deep neural network. In Computer Vision-ECCV 2020: 16th European Conference, Glasgow, UK, August 23-28, 2020, Proceedings, Part XXVIII 16. Springer, 307--322.Google ScholarDigital Library
Aristides Gionis, Piotr Indyk, Rajeev Motwani, et al. 1999. Similarity search in high dimensions via hashing. In Vldb, Vol. 99. 518--529.Google ScholarDigital Library
Ian J Goodfellow, Jonathon Shlens, and Christian Szegedy. 2014. Explaining and harnessing adversarial examples. arXiv preprint arXiv:1412.6572 (2014).Google Scholar
Kaiming He, Xiangyu Zhang, Shaoqing Ren, and Jian Sun. 2016. Deep residual learning for image recognition. In Proceedings of the IEEE conference on computer vision and pattern recognition. 770--778.Google ScholarCross Ref
Shengshan Hu, Yechao Zhang, Xiaogeng Liu, Leo Yu Zhang, Minghui Li, and Hai Jin. 2021. AdvHash: Set-to-set Targeted Attack on Deep Hashing with One Single Adversarial Patch. In Proceedings of the 29th ACM International Conference on Multimedia. 2335--2343.Google ScholarDigital Library
Mark J Huiskes and Michael S Lew. 2008. The mir flickr retrieval evaluation. In Proceedings of the 1st ACM international conference on Multimedia information retrieval. 39--43.Google ScholarDigital Library
Qing-Yuan Jiang and Wu-Jun Li. 2017. Deep cross-modal hashing. In Proceedings of the IEEE conference on computer vision and pattern recognition. 3232--3240.Google ScholarCross Ref
Alex Krizhevsky, Ilya Sutskever, and Geoffrey E Hinton. 2017. Imagenet classification with deep convolutional neural networks. Commun. ACM, Vol. 60, 6 (2017), 84--90.Google ScholarDigital Library
Alexey Kurakin, Ian Goodfellow, and Samy Bengio. 2016. Adversarial machine learning at scale. arXiv preprint arXiv:1611.01236 (2016).Google Scholar
Siyuan Li, Xing Xu, Zailei Zhou, Yang Yang, Guoqing Wang, and Heng Tao Shen. 2022. ARRA: Absolute-Relative Ranking Attack against Image Retrieval. In Proceedings of the 30th ACM International Conference on Multimedia. 610--618.Google ScholarDigital Library
Wu-Jun Li, Sheng Wang, and Wang-Cheng Kang. 2015. Feature learning based deep supervised hashing with pairwise labels. arXiv preprint arXiv:1511.03855 (2015).Google ScholarDigital Library
Tsung-Yi Lin, Michael Maire, Serge Belongie, James Hays, Pietro Perona, Deva Ramanan, Piotr Dollár, and C Lawrence Zitnick. 2014. Microsoft coco: Common objects in context. In Computer Vision--ECCV 2014: 13th European Conference, Zurich, Switzerland, September 6-12, 2014, Proceedings, Part V 13. Springer, 740--755.Google ScholarCross Ref
Haomiao Liu, Ruiping Wang, Shiguang Shan, and Xilin Chen. 2016. Deep supervised hashing for fast image retrieval. In Proceedings of the IEEE conference on computer vision and pattern recognition. 2064--2072.Google ScholarCross Ref
Ye Liu, Yaya Cheng, Lianli Gao, Xianglong Liu, Qilong Zhang, and Jingkuan Song. 2022. Practical evaluation of adversarial robustness via adaptive auto attack. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition. 15105--15114.Google ScholarCross Ref
Yuyang Long, Qilong Zhang, Boheng Zeng, Lianli Gao, Xianglong Liu, Jian Zhang, and Jingkuan Song. 2022a. Frequency Domain Model Augmentation for Adversarial Attack. In European Conference on Computer Vision.Google Scholar
Yuyang Long, Qilong Zhang, Boheng Zeng, Lianli Gao, Xianglong Liu, Jian Zhang, and Jingkuan Song. 2022b. Frequency domain model augmentation for adversarial attack. In European Conference on Computer Vision. Springer, 549--566.Google ScholarDigital Library
Junda Lu, Mingyang Chen, Yifang Sun, Wei Wang, Yi Wang, and Xiaochun Yang. 2021. A smart adversarial attack on deep hashing based image retrieval. In Proceedings of the 2021 international conference on multimedia retrieval. 227--235.Google ScholarDigital Library
Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris Tsipras, and Adrian Vladu. 2017. Towards deep learning models resistant to adversarial attacks. arXiv preprint arXiv:1706.06083 (2017).Google Scholar
Chuan Qin, Liang Wu, Xinpeng Zhang, and Guorui Feng. 2021. Efficient non-targeted attack for deep hashing based image retrieval. IEEE Signal Processing Letters, Vol. 28 (2021), 1893--1897.Google ScholarCross Ref
Jerome Revaud, Jon Almazán, Rafael S Rezende, and Cesar Roberto de Souza. 2019. Learning with average precision: Training image retrieval with a listwise loss. In Proceedings of the IEEE/CVF International Conference on Computer Vision. 5107--5116.Google ScholarCross Ref
Michal Rolínek, Vít Musil, Anselm Paulus, Marin Vlastelica, Claudio Michaelis, and Georg Martius. 2020. Optimizing rank-based metrics with blackbox differentiation. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition. 7620--7630.Google ScholarCross Ref
Karen Simonyan and Andrew Zisserman. 2014. Very deep convolutional networks for large-scale image recognition. arXiv preprint arXiv:1409.1556 (2014).Google Scholar
Christian Szegedy, Wojciech Zaremba, Ilya Sutskever, Joan Bruna, Dumitru Erhan, Ian Goodfellow, and Rob Fergus. 2013. Intriguing properties of neural networks. arXiv preprint arXiv:1312.6199 (2013).Google Scholar
Giorgos Tolias, Filip Radenovic, and Ondrej Chum. 2019. Targeted mismatch adversarial attack: Query with a flower to retrieve the tower. In Proceedings of the IEEE/CVF International Conference on Computer Vision. 5037--5046.Google ScholarCross Ref
Jingdong Wang, Ting Zhang, Nicu Sebe, Heng Tao Shen, et al. 2017. A survey on learning to hash. IEEE transactions on pattern analysis and machine intelligence, Vol. 40, 4 (2017), 769--790.Google Scholar
Tianshi Wang, Lei Zhu, Zheng Zhang, Huaxiang Zhang, and Junwei Han. 2023 b. Targeted Adversarial Attack against Deep Cross-modal Hashing Retrieval. IEEE Transactions on Circuits and Systems for Video Technology (2023).Google Scholar
Xunguang Wang, Jiawang Bai, Xinyue Xu, and Xiaomeng Li. 2023 a. Reliable and Efficient Evaluation of Adversarial Robustness for Deep Hashing-Based Retrieval. arXiv preprint arXiv:2303.12658 (2023).Google Scholar
Xunguang Wang, Zheng Zhang, Guangming Lu, and Yong Xu. 2021a. Targeted attack and defense for deep hashing. In Proceedings of the 44th International ACM SIGIR Conference on Research and Development in Information Retrieval. 2298--2302.Google ScholarDigital Library
Xunguang Wang, Zheng Zhang, Baoyuan Wu, Fumin Shen, and Guangming Lu. 2021b. Prototype-supervised adversarial network for targeted attack of deep hashing. In Proceedings of the IEEE/CVF conference on computer vision and pattern recognition. 16357--16366.Google ScholarCross Ref
Tobias Weyand, Andre Araujo, Bingyi Cao, and Jack Sim. 2020. Google landmarks dataset v2-a large-scale benchmark for instance-level recognition and retrieval. In Proceedings of the IEEE/CVF conference on computer vision and pattern recognition. 2575--2584.Google ScholarCross Ref
Yanru Xiao and Cong Wang. 2021. You see what I want you to see: Exploring targeted black-box transferability attack for hash-based image retrieval systems. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition. 1934--1943.Google ScholarCross Ref
Li Yuan, Tao Wang, Xiaopeng Zhang, Francis EH Tay, Zequn Jie, Wei Liu, and Jiashi Feng. 2020. Central similarity quantization for efficient image and video retrieval. In Proceedings of the IEEE/CVF conference on computer vision and pattern recognition. 3083--3092.Google ScholarCross Ref
Shengming Yuan, Qilong Zhang, Lianli Gao, Yaya Cheng, and Jingkuan Song. 2022. Natural color fool: Towards boosting black-box unrestricted attacks. Advances in Neural Information Processing Systems, Vol. 35 (2022), 7546--7560.Google Scholar
Qilong Zhang, Xiaodan Li, Yuefeng Chen, Jingkuan Song, Lianli Gao, Yuan He, and Hui Xue. 2022a. Beyond imagenet attack: Towards crafting adversarial examples for black-box domains. arXiv preprint arXiv:2201.11528 (2022).Google Scholar
Qilong Zhang, Chaoning Zhang, Chaoqun Li, Jingkuan Song, and Lianli Gao. 2022b. Practical no-box adversarial attacks with training-free hybrid image transformation. arXiv preprint arXiv:2203.04607 (2022).Google Scholar
Qilong Zhang, Xiaosu Zhu, Jingkuan Song, Lianli Gao, and Heng Tao Shen. 2021. Staircase sign method for boosting adversarial attacks. arXiv preprint arXiv:2104.09722 (2021).Google Scholar
Zheng Zhang, Li Liu, Fumin Shen, Heng Tao Shen, and Ling Shao. 2018. Binary multi-view clustering. IEEE transactions on pattern analysis and machine intelligence, Vol. 41, 7 (2018), 1774--1782.Google Scholar
Zheng Zhang, Qin Zou, Yuewei Lin, Long Chen, and Song Wang. 2019. Improved deep hashing with soft pairwise similarity for multi-label image retrieval. IEEE Transactions on Multimedia, Vol. 22, 2 (2019), 540--553.Google ScholarDigital Library
Lei Zhu, Tianshi Wang, Jingjing Li, Zheng Zhang, Jialie Shen, and Xinhua Wang. 2023. Efficient query-based black-box attack against cross-modal hashing retrieval. ACM Transactions on Information Systems, Vol. 41, 3 (2023), 1--25.Google ScholarDigital Library

Index Terms

Precise Target-Oriented Attack against Deep Hashing-based Retrieval

Recommendations

Targeted Attack and Defense for Deep Hashing
SIGIR '21: Proceedings of the 44th International ACM SIGIR Conference on Research and Development in Information Retrieval

Deep hashing methods have been intensively studied and successfully applied in massive fast image retrieval. However, inherited from the deficiency of deep neural networks, deep hashing models can be easily fooled by adversarial examples, which brings a ...
Read More
A Smart Adversarial Attack on Deep Hashing Based Image Retrieval
ICMR '21: Proceedings of the 2021 International Conference on Multimedia Retrieval

Deep hashing based retrieval models have been widely used in large-scale image retrieval systems. Recently, there has been a surging interest in studying the adversarial attack problem in deep hashing based retrieval models. However, the effectiveness ...
Read More
BadHash: Invisible Backdoor Attacks against Deep Hashing with Clean Label
MM '22: Proceedings of the 30th ACM International Conference on Multimedia

Due to its powerful feature learning capability and high efficiency, deep hashing has achieved great success in large-scale image retrieval. Meanwhile, extensive works have demonstrated that deep neural networks (DNNs) are susceptible to adversarial ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
MM '23: Proceedings of the 31st ACM International Conference on Multimedia
October 2023
9913 pages
ISBN:9798400701085
DOI:10.1145/3581783
General Chairs:
Abdulmotaleb El Saddik
University of Ottawa, Canada & MBZUAI, UAE
,
Tao Mei
HiDream.ai, China
,
Rita Cucchiara
University of Modena and Reggio Emilia, Italy
,
Program Chairs:
Marco Bertini
University of Florence, Italy
,
Diana Patricia Tobon Vallejo
Unversidad de Medellin, Colombia
,
Pradeep K. Atrey
University at Albany, State University of New York, USA
,
M. Shamim Hossain
M. Shamim Hossain (King Saud University, KSA
Copyright © 2023 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 27 October 2023
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
deep hashing
image retrieval
targeted attack
Qualifiers
- research-article
Conference

Acceptance Rates
Overall Acceptance Rate995of4,171submissions,24%
Upcoming Conference
MM '24

Sponsor:

sigmm

MM '24: The 32nd ACM International Conference on Multimedia

October 28 - November 1, 2024

Melbourne , VIC , Australia
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 0
  Total Citations
  View Citations
- 136
  Total Downloads
- Downloads (Last 12 months)136
- Downloads (Last 6 weeks)19
Other Metrics
View Author Metrics
Cited By
This publication has not been cited yet

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Precise Target-Oriented Attack against Deep Hashing-based Retrieval

MM '23: Proceedings of the 31st ACM International Conference on Multimedia

ABSTRACT

References

Cited By

Index Terms

Recommendations

Targeted Attack and Defense for Deep Hashing

A Smart Adversarial Attack on Deep Hashing Based Image Retrieval

BadHash: Invisible Backdoor Attacks against Deep Hashing with Clean Label