Towards Adversarially Robust Deep Metric Learning

TL;DR

This paper addresses the robustness of deep metric learning models against adversarial attacks, especially in clustering-based inference, and proposes a novel ensemble adversarial training method to improve their defenses.

Contribution

It introduces Ensemble Adversarial Training (EAT), a new defense mechanism tailored for DML in clustering scenarios, enhancing robustness beyond existing classification-focused defenses.

Findings

EAT significantly improves adversarial robustness of DML models.

EAT outperforms adapted defenses from classification models.

Robustness gains are validated on multiple datasets and architectures.

Abstract

Deep Metric Learning (DML) has shown remarkable successes in many domains by taking advantage of powerful deep neural networks. Deep neural networks are prone to adversarial attacks and could be easily fooled by adversarial examples. The current progress on this robustness issue is mainly about deep classification models but pays little attention to DML models. Existing works fail to thoroughly inspect the robustness of DML and neglect an important DML scenario, the clustering-based inference. In this work, we first point out the robustness issue of DML models in clustering-based inference scenarios. We find that, for the clustering-based inference, existing defenses designed DML are unable to be reused and the adaptions of defenses designed for deep classification models cannot achieve satisfactory robustness performance. To alleviate the hazard of adversarial examples, we propose a new defense, the Ensemble Adversarial Training (EAT), which exploits ensemble learning and adversarial training. EAT promotes the diversity of the ensemble, encouraging each model in the ensemble to have different robustness features, and employs a self-transferring mechanism to make full use of the robustness statistics of the whole ensemble in the update of every single model. We evaluate the EAT method on three widely-used datasets with two popular model architectures. The results show that the proposed EAT method greatly outperforms the adaptions of defenses designed for deep classification models.