Adversarial Attack and Defense in Deep Ranking

Deep Neural Network classifiers are vulnerable to adversarial attacks, where an imperceptible perturbation could result in misclassification. However, the vulnerability of DNN-based image ranking systems remains under-explored. In this paper, we propose two attacks against deep ranking systems, i.e....


Bibliographic details
Published in: IEEE transactions on pattern analysis and machine intelligence. - 1979. - 46(2024), no. 8, 26 Aug., pages 5306-5324
Main author: Zhou, Mo (Author)
Other authors: Wang, Le, Niu, Zhenxing, Zhang, Qilin, Zheng, Nanning, Hua, Gang
Format: Online article
Language: English
Published: 2024
Collection access: IEEE transactions on pattern analysis and machine intelligence
Subjects: Journal Article
LEADER 01000caa a22002652c 4500
001 NLM368399583
003 DE-627
005 20250305193009.0
007 cr uuu---uuuuu
008 240214s2024 xx |||||o 00| ||eng c
024 7 |a 10.1109/TPAMI.2024.3365699  |2 doi 
028 5 2 |a pubmed25n1227.xml 
035 |a (DE-627)NLM368399583 
035 |a (NLM)38349823 
040 |a DE-627  |b ger  |c DE-627  |e rakwb 
041 |a eng 
100 1 |a Zhou, Mo  |e verfasserin  |4 aut 
245 1 0 |a Adversarial Attack and Defense in Deep Ranking 
264 1 |c 2024 
336 |a Text  |b txt  |2 rdacontent 
337 |a Computermedien  |b c  |2 rdamedia 
338 |a Online-Ressource  |b cr  |2 rdacarrier 
500 |a Date Revised 03.07.2024 
500 |a published: Print-Electronic 
500 |a Citation Status PubMed-not-MEDLINE 
520 |a Deep Neural Network classifiers are vulnerable to adversarial attacks, where an imperceptible perturbation could result in misclassification. However, the vulnerability of DNN-based image ranking systems remains under-explored. In this paper, we propose two attacks against deep ranking systems, i.e., Candidate Attack and Query Attack, that can raise or lower the rank of chosen candidates by adversarial perturbations. Specifically, the expected ranking order is first represented as a set of inequalities. Then a triplet-like objective function is designed to obtain the optimal perturbation. Conversely, an anti-collapse triplet defense is proposed to improve the ranking model robustness against all proposed attacks, where the model learns to prevent the adversarial attack from pulling the positive and negative samples close to each other. To comprehensively measure the empirical adversarial robustness of a ranking model with our defense, we propose an empirical robustness score, which involves a set of representative attacks against ranking models. Our adversarial ranking attacks and defenses are evaluated on MNIST, Fashion-MNIST, CUB200-2011, CARS196, and Stanford Online Products datasets. Experimental results demonstrate that our attacks can effectively compromise a typical deep ranking system. Nevertheless, our defense can significantly improve the ranking system's robustness and simultaneously mitigate a wide range of attacks 
650 4 |a Journal Article 
700 1 |a Wang, Le  |e verfasserin  |4 aut 
700 1 |a Niu, Zhenxing  |e verfasserin  |4 aut 
700 1 |a Zhang, Qilin  |e verfasserin  |4 aut 
700 1 |a Zheng, Nanning  |e verfasserin  |4 aut 
700 1 |a Hua, Gang  |e verfasserin  |4 aut 
773 0 8 |i Enthalten in  |t IEEE transactions on pattern analysis and machine intelligence  |d 1979  |g 46(2024), 8 vom: 26. Aug., Seite 5306-5324  |w (DE-627)NLM098212257  |x 1939-3539  |7 nnas 
773 1 8 |g volume:46  |g year:2024  |g number:8  |g day:26  |g month:08  |g pages:5306-5324 
856 4 0 |u http://dx.doi.org/10.1109/TPAMI.2024.3365699  |3 Volltext 
912 |a GBV_USEFLAG_A 
912 |a SYSFLAG_A 
912 |a GBV_NLM 
912 |a GBV_ILN_350 
951 |a AR 
952 |d 46  |j 2024  |e 8  |b 26  |c 08  |h 5306-5324