Adversarial Attacks and Defences For Image Retrieval Systems

Access & Terms of Use
open access
Embargoed until 2023-11-09
Copyright: Lu, Junda
Abstract
In this thesis, we study the adversarial machine learning problem for image retrieval systems. Recent studies found that DNN (Deep Neural Network)-based systems are vulnerable to adversarial attacks, and there has been surging interest in adversarial machine learning as a result. It is essential to investigate how DNN-based image retrieval systems are affected by attacks and how to defend against adversarial attacks. We study this problem in four settings. Firstly, we study adversarial attacks in the white-box setting, in which the attacker can access all details of the system. Because of the discrete nature of retrieval systems, it is hard to design suitable continuous objective functions. We propose an AP-oriented (average precision) surrogate objective function to enable efficient optimisation. In addition, we design a dimension-wise surrogate Hamming distance function to reduce perturbations further. Experiments show that our framework achieves the same attack performance with much less perturbation cost than existing works. Secondly, we study adversarial attacks in the black-box setting, in which the attacker can only obtain the system's outputs. Based on the Projected Natural Evolutionary Strategy (PNES) framework, we study in depth how to estimate the gradient efficiently. We propose novel surrogate-based sampling strategies and an average dropout technique. We successfully attack real-world search engines with only hundreds of queries. Thirdly, we study the vulnerability of the index of image retrieval systems. The index is a non-differentiable component, and its discrete nature makes gradient-based algorithms inapplicable. We propose an Integer Programming based algorithm. We prove this problem is NP-hard and present an approximate solution with lower running time. Extensive experiments demonstrate that image retrieval systems with indexes are indeed vulnerable to adversarial attacks.
Finally, we study defence strategies to improve the robustness of retrieval systems. We present a novel algorithm that generates hash centres optimally so that the average distance between them is maximised. We then further improve the minimum distance by solving a maximum Boolean satisfiability (max-SAT) problem. Finally, we incorporate our algorithm into adversarial training to improve robustness. Experimental results show that our algorithm generates centres with larger distances, and that our defence strategy enhances the robustness of the system.
Publication Year
2022
Resource Type
Thesis
Degree Type
PhD Doctorate
UNSW Faculty