ARIA: Adversarially Robust Image Attribution for Content Provenance

TL;DR

This paper introduces ARIA, a robust deep visual fingerprinting method that resists adversarial perturbations, significantly improving image attribution accuracy and robustness against manipulations in online misinformation contexts.

Contribution

The paper presents a simple yet effective adversarial training approach for deep visual fingerprinting models, enhancing robustness without high computational costs.

Findings

Achieved 91.6% standard and 85.1% adversarial recall under $ ext{l}_ ext{infty}$ perturbations.

Models generalize robustness to unseen perturbation types.

Improved detection of editorial changes in images.

Abstract

Image attribution -- matching an image back to a trusted source -- is an emerging tool in the fight against online misinformation. Deep visual fingerprinting models have recently been explored for this purpose. However, they are not robust to tiny input perturbations known as adversarial examples. First we illustrate how to generate valid adversarial images that can easily cause incorrect image attribution. Then we describe an approach to prevent imperceptible adversarial attacks on deep visual fingerprinting models, via robust contrastive learning. The proposed training procedure leverages training on $\ell_\infty$-bounded adversarial examples, it is conceptually simple and incurs only a small computational overhead. The resulting models are substantially more robust, are accurate even on unperturbed images, and perform well even over a database with millions of images. In particular, we achieve 91.6% standard and 85.1% adversarial recall under $\ell_\infty$-bounded perturbations on manipulated images compared to 80.1% and 0.0% from prior work. We also show that robustness generalizes to other types of imperceptible perturbations unseen during training. Finally, we show how to train an adversarially robust image comparator model for detecting editorial changes in matched images.