DAIR: a query-efficient decision-based attack on image retrieval systems

Mingyang Chen; Junda Lu; Yi Wang; Jianbin Qin; Wei Wang

doi:10.1145/3404835.3462887

DAIR: a query-efficient decision-based attack on image retrieval systems

Mingyang Chen, Junda Lu, Yi Wang, Jianbin Qin, Wei Wang

Research output: Chapter in Book / Conference Paper › Conference Paper › peer-review

23 Citations (Scopus)

Abstract

There is an increasing interest in studying adversarial attacks on image retrieval systems. However, most of the existing attack methods are based on the white-box setting, where the attackers have access to all the model and database details, which is a strong assumption for practical attacks. The generic transfer-based attack also requires substantial resources yet the effect was shown to be unreliable. In this paper, we make the first attempt in proposing a query-efficient decision-based attack framework for the image retrieval (DAIR) to completely subvert the top-K retrieval results with human imperceptible perturbations. We propose an optimization-based method with a smoothed utility function to overcome the challenging discrete nature of the problem. To further improve the query efficiency, we propose a novel sampling method that can achieve the transferability between the surrogate and the target model efficiently. Our comprehensive experimental evaluation on the benchmark datasets shows that our DAIR method outperforms significantly the state-of-the-art decision-based methods. We also demonstrate that real image retrieval engines (Bing Visual Search and Face++ engines) can be attacked successfully with only several hundreds of queries.

Original language	English
Title of host publication	Proceedings of the 44th International ACM SIGIR Conference on Research and Development in Information Retrieval (SIGIR '21), July 11 - 15, 2021, Virtual
Place of Publication	U.S.
Publisher	Association for Computing Machinery
Pages	1064–1073
Number of pages	10
ISBN (Print)	9781450380379
DOIs	https://doi.org/10.1145/3404835.3462887
Publication status	Published - 2021
Externally published	Yes
Event	ACM-SIGIR International Conference on Information Storage and Retrieval - Virtual Duration: 11 Jul 2021 → 15 Jul 2021 Conference number: 44th

Conference

Conference	ACM-SIGIR International Conference on Information Storage and Retrieval
Period	11/07/21 → 15/07/21

Keywords

adversarial attack in deep learning
content-based image retrieval
decision-based attack in deep learning

Access to Document

10.1145/3404835.3462887Licence: CC BY

Full textFinal published version, 2.77 MBLicence: CC BY

Cite this

Chen, M., Lu, J., Wang, Y., Qin, J., & Wang, W. (2021). DAIR: a query-efficient decision-based attack on image retrieval systems. In Proceedings of the 44th International ACM SIGIR Conference on Research and Development in Information Retrieval (SIGIR '21), July 11 - 15, 2021, Virtual (pp. 1064–1073). Association for Computing Machinery. https://doi.org/10.1145/3404835.3462887

@inproceedings{de13f79d88e04740bbb99f5a1ea1723f,

title = "DAIR: a query-efficient decision-based attack on image retrieval systems",

abstract = "There is an increasing interest in studying adversarial attacks on image retrieval systems. However, most of the existing attack methods are based on the white-box setting, where the attackers have access to all the model and database details, which is a strong assumption for practical attacks. The generic transfer-based attack also requires substantial resources yet the effect was shown to be unreliable. In this paper, we make the first attempt in proposing a query-efficient decision-based attack framework for the image retrieval (DAIR) to completely subvert the top-K retrieval results with human imperceptible perturbations. We propose an optimization-based method with a smoothed utility function to overcome the challenging discrete nature of the problem. To further improve the query efficiency, we propose a novel sampling method that can achieve the transferability between the surrogate and the target model efficiently. Our comprehensive experimental evaluation on the benchmark datasets shows that our DAIR method outperforms significantly the state-of-the-art decision-based methods. We also demonstrate that real image retrieval engines (Bing Visual Search and Face++ engines) can be attacked successfully with only several hundreds of queries.",

keywords = "adversarial attack in deep learning, content-based image retrieval, decision-based attack in deep learning",

author = "Mingyang Chen and Junda Lu and Yi Wang and Jianbin Qin and Wei Wang",

year = "2021",

doi = "10.1145/3404835.3462887",

language = "English",

isbn = "9781450380379",

pages = "1064–1073",

booktitle = "Proceedings of the 44th International ACM SIGIR Conference on Research and Development in Information Retrieval (SIGIR '21), July 11 - 15, 2021, Virtual",

publisher = "Association for Computing Machinery",

note = "ACM-SIGIR International Conference on Information Storage and Retrieval ; Conference date: 11-07-2021 Through 15-07-2021",

}

Chen, M, Lu, J, Wang, Y, Qin, J & Wang, W 2021, DAIR: a query-efficient decision-based attack on image retrieval systems. in Proceedings of the 44th International ACM SIGIR Conference on Research and Development in Information Retrieval (SIGIR '21), July 11 - 15, 2021, Virtual. Association for Computing Machinery, U.S., pp. 1064–1073, ACM-SIGIR International Conference on Information Storage and Retrieval, 11/07/21. https://doi.org/10.1145/3404835.3462887

DAIR: a query-efficient decision-based attack on image retrieval systems. / Chen, Mingyang; Lu, Junda; Wang, Yi et al.
Proceedings of the 44th International ACM SIGIR Conference on Research and Development in Information Retrieval (SIGIR '21), July 11 - 15, 2021, Virtual. U.S.: Association for Computing Machinery, 2021. p. 1064–1073.

Research output: Chapter in Book / Conference Paper › Conference Paper › peer-review

TY - GEN

T1 - DAIR: a query-efficient decision-based attack on image retrieval systems

AU - Chen, Mingyang

AU - Lu, Junda

AU - Wang, Yi

AU - Qin, Jianbin

AU - Wang, Wei

N1 - Conference code: 44th

PY - 2021

Y1 - 2021

N2 - There is an increasing interest in studying adversarial attacks on image retrieval systems. However, most of the existing attack methods are based on the white-box setting, where the attackers have access to all the model and database details, which is a strong assumption for practical attacks. The generic transfer-based attack also requires substantial resources yet the effect was shown to be unreliable. In this paper, we make the first attempt in proposing a query-efficient decision-based attack framework for the image retrieval (DAIR) to completely subvert the top-K retrieval results with human imperceptible perturbations. We propose an optimization-based method with a smoothed utility function to overcome the challenging discrete nature of the problem. To further improve the query efficiency, we propose a novel sampling method that can achieve the transferability between the surrogate and the target model efficiently. Our comprehensive experimental evaluation on the benchmark datasets shows that our DAIR method outperforms significantly the state-of-the-art decision-based methods. We also demonstrate that real image retrieval engines (Bing Visual Search and Face++ engines) can be attacked successfully with only several hundreds of queries.

AB - There is an increasing interest in studying adversarial attacks on image retrieval systems. However, most of the existing attack methods are based on the white-box setting, where the attackers have access to all the model and database details, which is a strong assumption for practical attacks. The generic transfer-based attack also requires substantial resources yet the effect was shown to be unreliable. In this paper, we make the first attempt in proposing a query-efficient decision-based attack framework for the image retrieval (DAIR) to completely subvert the top-K retrieval results with human imperceptible perturbations. We propose an optimization-based method with a smoothed utility function to overcome the challenging discrete nature of the problem. To further improve the query efficiency, we propose a novel sampling method that can achieve the transferability between the surrogate and the target model efficiently. Our comprehensive experimental evaluation on the benchmark datasets shows that our DAIR method outperforms significantly the state-of-the-art decision-based methods. We also demonstrate that real image retrieval engines (Bing Visual Search and Face++ engines) can be attacked successfully with only several hundreds of queries.

KW - adversarial attack in deep learning

KW - content-based image retrieval

KW - decision-based attack in deep learning

UR - http://www.scopus.com/inward/record.url?scp=85111695579&partnerID=8YFLogxK

U2 - 10.1145/3404835.3462887

DO - 10.1145/3404835.3462887

M3 - Conference Paper

SN - 9781450380379

SP - 1064

EP - 1073

BT - Proceedings of the 44th International ACM SIGIR Conference on Research and Development in Information Retrieval (SIGIR '21), July 11 - 15, 2021, Virtual

PB - Association for Computing Machinery

CY - U.S.

T2 - ACM-SIGIR International Conference on Information Storage and Retrieval

Y2 - 11 July 2021 through 15 July 2021

ER -

DAIR: a query-efficient decision-based attack on image retrieval systems

Abstract

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this