Unsupervised Adversarial Attacks on Deep Feature-based Retrieval with GAN

TL;DR

This paper introduces UAA-GAN, an unsupervised adversarial attack method that effectively disrupts deep feature-based image retrieval systems using minimal unlabeled data, with subtle perturbations that are hard to detect.

Contribution

The paper presents a novel unsupervised GAN-based approach to generate adversarial queries that significantly impair retrieval performance across multiple applications.

Findings

UAA-GAN successfully reduces retrieval accuracy in various scenarios.

Adversarial examples contain subtle, perceptually inconspicuous perturbations.

The method requires only small amounts of unlabeled data for training.

Abstract

Studies show that Deep Neural Network (DNN)-based image classification models are vulnerable to maliciously constructed adversarial examples. However, little effort has been made to investigate how DNN-based image retrieval models are affected by such attacks. In this paper, we introduce Unsupervised Adversarial Attacks with Generative Adversarial Networks (UAA-GAN) to attack deep feature-based image retrieval systems. UAA-GAN is an unsupervised learning model that requires only a small amount of unlabeled data for training. Once trained, it produces query-specific perturbations for query images to form adversarial queries. The core idea is to ensure that the attached perturbation is barely perceptible to human yet effective in pushing the query away from its original position in the deep feature space. UAA-GAN works with various application scenarios that are based on deep features, including image retrieval, person Re-ID and face search. Empirical results show that UAA-GAN cripples retrieval performance without significant visual changes in the query images. UAA-GAN generated adversarial examples are less distinguishable because they tend to incorporate subtle perturbations in textured or salient areas of the images, such as key body parts of human, dominant structural patterns/textures or edges, rather than in visually insignificant areas (e.g., background and sky). Such tendency indicates that the model indeed learned how to toy with both image retrieval systems and human eyes.