Adversarial Hubness in Multi-Modal Retrieval

TL;DR

This paper explores how adversaries can exploit the hubness phenomenon in high-dimensional multi-modal retrieval systems to create universal or targeted adversarial content, revealing vulnerabilities in current mitigation techniques.

Contribution

It introduces a method for generating adversarial hubs in multi-modal retrieval systems and evaluates their effectiveness on benchmark datasets and real-world systems.

Findings

Adversarial hubs can be retrieved as top results for thousands of queries.

A single adversarial hub can dominate over 21,000 out of 25,000 queries.

Mitigation techniques for natural hubness are ineffective against targeted adversarial hubs.

Abstract

Hubness is a phenomenon in high-dimensional vector spaces where a point from the natural distribution is unusually close to many other points. This is a well-known problem in information retrieval that causes some items to accidentally (and incorrectly) appear relevant to many queries. In this paper, we investigate how attackers can exploit hubness to turn any image or audio input in a multi-modal retrieval system into an adversarial hub. Adversarial hubs can be used to inject universal adversarial content (e.g., spam) that will be retrieved in response to thousands of different queries, and also for targeted attacks on queries related to specific, attacker-chosen concepts. We present a method for creating adversarial hubs and evaluate the resulting hubs on benchmark multi-modal retrieval datasets and an image-to-image retrieval system implemented by Pinecone, a popular vector database. For example, in text-caption-to-image retrieval, a single adversarial hub, generated using 100 random queries, is retrieved as the top-1 most relevant image for more than 21,000 out of 25,000 test queries (by contrast, the most common natural hub is the top-1 response to only 102 queries), demonstrating the strong generalization capabilities of adversarial hubs. We also investigate whether techniques for mitigating natural hubness can also mitigate adversarial hubs, and show that they are not effective against hubs that target queries related to specific concepts.