用于攻击深度哈希图像检索模型的双分支自编码器网络

doi:10.11959/j.issn.1000-0801.2023246

电信科学 ›› 2023, Vol. 39 ›› Issue (11): 96-106.doi: 10.11959/j.issn.1000-0801.2023246

• 研究与开发 • 上一篇

用于攻击深度哈希图像检索模型的双分支自编码器网络

符思政, 曹春杰, 刘志远, 陶方舰, 孙敬张

海南大学网络空间安全学院，海南海口 570228

修回日期:2023-11-10 出版日期:2023-11-01 发布日期:2023-11-01
作者简介:符思政（1999- ），男，海南大学硕士生，主要研究方向为人工智能安全、对抗样本攻防、图像检索
曹春杰（1977- ），男，博士，海南大学博士生导师，主要研究方向为认知无线网络安全、区块链、人工智能安全等
刘志远（1999- ），男，海南大学硕士生，主要研究方向为对抗样本攻防、异常检测、图对比学习
陶方舰（1991- ），男，海南大学博士生，主要研究方向为人工智能安全、对抗样本攻防
孙敬张（1993- ），男，博士，海南大学硕士生导师，主要研究方向为无线安全、深度学习、图像处理
基金资助:
国家自然科学基金联合基金资助项目(U19B2044);海南省重点研发计划项目(ZDYF2020012)

Dual-branch autoencoder network for attacking deep hashing image retrieval models

Sizheng FU, Chunjie CAO, Zhiyuan LIU, Fangjian TAO, Jingzhang SUN

School of Cyberspace Security, Hainan University, Haikou 570228, China

Revised:2023-11-10 Online:2023-11-01 Published:2023-11-01
Supported by:
The National Natural Science Foundation of China(U19B2044);The Key Research and Development Project of Hainan Province, China(ZDYF2020012)

摘要/Abstract

摘要：

由于其强大的表示学习能力和高效的计算能力，基于深度学习的哈希（深度哈希）方法在大规模图像检索中被广泛应用。然而，对深度哈希模型的安全性研究较少。提出了双分支自编码器网络（DBAE）来研究这种检索的目标攻击。DBAE 的主要目标是生成难以察觉的对抗样本作为查询图像，使深度哈希模型检索的图像在语义上与原始图像无关，与目标图像相关。大量实验证明，DBAE 可以成功地生成具有小扰动的对抗样本来误导深度哈希模型，验证了这些扰动在各种设置下的可迁移性。

关键词: 目标攻击, 深度哈希, 对抗攻击, 图像检索

Abstract:

Due to its powerful representation learning capabilities and efficient computing capabilities, deep learning-based hashing (deep hashing) methods are widely used in large-scale image retrieval.However, there are less studies on the security of deep hashing models.A dual-branch autoencoder network (DBAE) to study targeted attacks on such retrieval was proposed.The main goal of DBAE was to generate imperceptible adversarial samples as query images in order to make the images retrieved by the deep hashing model semantically irrelevant to the original image and relevant to the target image.Numerous experiments demonstrate that DBAE can successfully generate adversarial samples with small perturbations to mislead deep hashing models, and italso verifies the transferability of these perturbations under various settings.

Key words: targeted attack, deep hashing, adversarial attack, image retrieval

中图分类号:

TP393

符思政, 曹春杰, 刘志远, 陶方舰, 孙敬张. 用于攻击深度哈希图像检索模型的双分支自编码器网络[J]. 电信科学, 2023, 39(11): 96-106.

Sizheng FU, Chunjie CAO, Zhiyuan LIU, Fangjian TAO, Jingzhang SUN. Dual-branch autoencoder network for attacking deep hashing image retrieval models[J]. Telecommunications Science, 2023, 39(11): 96-106.

图/表 8

图1

表1

图2

图3

表2

图4

表3

表4

参考文献 32

[1]	XU Y J , ZHAO X H , LIANG Y C . Robust power control and beamforming in cognitive radio networks:a survey[J]. IEEE Communications Surveys ＆ Tutorials, 2015,17(4): 1834-1857.
[2]	XIA R , PAN Y , LAI H ,et al. Supervised hashing for image retrieval via image representation learning[C]// Proceedings of the AAAI Conference on Artificial Intelligence. 2014.
[3]	CAO Z J , LONG M S , WANG J M ,et al. HashNet:deep learning to hash by continuation[C]// Proceedings of 2017 IEEE International Conference on Computer Vision (ICCV). Piscataway:IEEE Press, 2017: 5609-5618.
[4]	LI W J , WANG S , KANG W C . Feature learning based deep supervised hashing with pairwise labels[J]. arXiv preprint arXiv:1511.03855, 2015.
[5]	SZEGEDY C , ZAREMBA W , SUTSKEVER I ,et al. Intriguing properties of neural networks[J]. arXiv preprint arXiv:1312.6199, 2013.
[6]	胡永进, 郭渊博, 马骏 ,等. 基于对抗样本的网络欺骗流量生成方法[J]. 通信学报, 2020,41(9): 59-70.
	HU Y J , GUO Y B , MA J ,et al. Method to generate cyber deception traffic based on adversarial sample[J]. Journal on Communications, 2020,41(9): 59-70.
[7]	程旭, 王莹莹, 张年杰 ,等. 基于空间感知的多级损失目标跟踪对抗攻击方法[J]. 通信学报, 2021,42(11): 242-254.
	CHENG X , WANG Y Y , ZHANG N J ,et al. Multi-level loss object tracking adversarial attack method based on spatial perception[J]. Journal on Communications, 2021,42(11): 242-254.
[8]	WANG D , CUI P , OU M ,et al. Learning compact hash codes for multimodal representations using orthogonal deep structure[J]. IEEE Transactions on Multimedia, 2015,17(9): 1404-1416.
[9]	YANG E , LIU T , DENG C ,et al. Adversarial examples for hamming space search[J]. IEEE transactions on cybernetics, 2018,50(4): 1473-1484.
[10]	ZHANG R , LIN L , ZHANG R ,et al. Bit-scalable deep hashing with regularized similarity learning for image retrieval and person re-identification[J]. IEEE Transactions on Image Processing, 2015,24(12): 4766-4779.
[11]	LIU B , CAO Y , LONG M ,et al. Deep triplet quantization[C]// Proceedings of the 26th ACM international conference on Multimedia. New York:ACM Press, 2018: 755-763.
[12]	SHEN F , XU Y , LIU L ,et al. Unsupervised deep hashing with similarity-adaptive and discrete optimization[J]. IEEE Transactions on Pattern Analysis and Machine Intelligence, 2018,40(12): 3034-3044.
[13]	SONG J , HE T , GAO L ,et al. Binary generative adversarial networks for image retrieval[C]// Proceedings of the AAAI Conference on Artificial Intelligence. 2018,32(1).
[14]	LIN K , LU J W , CHEN C S ,et al. Learning compact binary descriptors with unsupervised deep neural networks[C]// Proceedings of 2016 IEEE Conference on Computer Vision and Pattern Recognition (CVPR). Piscataway:IEEE Press, 2016: 1183-1192.
[15]	GOODFELLOW I J , SHLENS J , SZEGEDY C . Explaining and harnessing adversarial examples[J]. arXiv preprint arXiv:1412.6572, 2014.
[16]	MOOSAVI-DEZFOOLI S M , FAWZI A , FROSSARD P . DeepFool:a simple and accurate method to fool deep neural networks[C]// Proceedings of 2016 IEEE Conference on Computer Vision and Pattern Recognition (CVPR). Piscataway:IEEE Press, 2016: 2574-2582.
[17]	MADRY A , MAKELOV A , SCHMIDT L ,et al. Towards deep learning models resistant to adversarial attacks[J]. arXiv preprint arXiv:1706.06083, 2017.
[18]	CARLINI N , WAGNER D . Towards evaluating the robustness of neural networks[C]// Proceedings of 2017 IEEE Symposium on Security and Privacy (SP). Piscataway:IEEE Press, 2017: 39-57.
[19]	CHEN P Y , ZHANG H , SHARMA Y ,et al. ZOO:zeroth order optimization based black-box attacks to deep neural networks without training substitute models[C]// Proceedings of the 10th ACM Workshop on Artificial Intelligence and Security. New York:ACM Press, 2017: 15-26.
[20]	MOPURI K R , OJHA U , GARG U ,et al. NAG:network for adversary generation[C]// Proceedings of 2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition. Piscataway:IEEE Press, 2018: 742-751.
[21]	BAI J , CHEN B , LI Y ,et al. Targeted attack for deep hashing based retrieval[C]// Proceedings of Computer Vision–ECCV 2020:16th European Conference. Cham:Springer, 2020: 618-634.
[22]	HU S S , ZHOU Z Q , ZHANG Y C ,et al. BadHash:invisible backdoor attacks against deep hashing with clean label[C]// Proceedings of the 30th ACM International Conference on Multimedia. New York:ACM Press, 2022: 678-686.
[23]	HU S S , ZHANG Y C , LIU X G ,et al. AdvHash:set-to-set targeted attack on deep hashing with one single adversarial patch[C]// Proceedings of the 29th ACM International Conference on Multimedia. New York:ACM Press, 2021: 2335-2343.
[24]	HE K M , ZHANG X Y , REN S Q ,et al. Deep residual learning for image recognition[C]// Proceedings of 2016 IEEE Conference on Computer Vision and Pattern Recognition (CVPR). Piscataway:IEEE Press, 2016: 770-778.
[25]	SIMONYAN K , ZISSERMAN A . Very deep convolutional networks for large-scale image recognition[J]. arXiv preprint arXiv:1409.1556, 2014.
[26]	YU C Q , GAO C X , WANG J B ,et al. BiSeNet V2:bilateral network with guided aggregation for real-time semantic segmentation[J]. International Journal of Computer Vision, 2021,129(11): 3051-3068.
[27]	FU Y , WU X J . A dual-branch network for infrared and visible image fusion[C]// Proceedings of 2020 25th International Conference on Pattern Recognition (ICPR). Piscataway:IEEE Press, 2021: 10675-10680.
[28]	HUISKES M J , LEW M S . The MIR flickr retrieval evaluation[C]// Proceedings of the 1st ACM international conference on Multimedia information retrieval. New York:ACM Press, 2008: 39-43.
[29]	LIN T Y , MAIRE M , BELONGIE S ,et al. Microsoft COCO:common objects in context[M]// Computer Vision – ECCV 2014. Cham: Springer International Publishing, 2014: 740-755.
[30]	CHUA T S , TANG J H , HONG R C ,et al. NUS-WIDE:a real-world web image database from National University of Singapore[C]// Proceedings of the ACM International Conference on Image and Video Retrieval. New York:ACM Press, 2009: 1-9.
[31]	WANG Z J , ZHANG Z , LUO Y D ,et al. Deep collaborative discrete hashing with semantic-invariant structure[C]// Proceedings of the 42nd International ACM SIGIR Conference on Research and Development in Information Retrieval. New York:ACM Press, 2019: 905-908.
[32]	JIANG Q Y , LI W J . Deep cross-modal hashing[C]// Proceedings of 2017 IEEE Conference on Computer Vision and Pattern Recognition (CVPR). Piscataway:IEEE Press, 2017: 3270-3278.

方法	指标	FLICKR-25K				NUS-WIDE				MS-COCO
方法	指标	12bit	24bit	32 bit	48 bit	12 bit	24 bit	32 bit	48 bit	12 bit	24 bit	32 bit	48 bit
Original	t-MAP	65.52%	65.91%	66.06%	66.76%	56.32%	56.39%	56.47%	57.62%	43.81%	44.61%	45.47%	45.52%
DHTA-FGSM	t-MAP	73.96%	74.23%	74.41%	74.45%	59.08%	61.49%	62.81%	63.04%	48.14%	48.75%	49.18%	50.10%
P2P	t-MAP	83.57%	85.11%	85.81%	85.84%	74.27%	76.24%	76.41%	76.81%	59.30%	61.10%	60.01%	60.11%
DHTA	t-MAP	86.69%	88.21%	89.41%	89.36%	76.68%	78.42%	78.76%	78.89%	62.04%	64.49%	63.76%	64.17%
DBAE	t-MAP	87.93%	89.10%	90.16%	90.38%	77.42%	79.81%	79.96%	80.72%	63.62%	65.80%	64.63%	65.43%
Original	MAP	79.97%	81.36%	82.10%	82.54%	70.39%	71.89%	71.64%	72.55%	58.60%	61.88%	61.46%	62.33%

攻击方法	迭代次数	FLICKR-25K		NUS-WIDE		MS-COCO
攻击方法	迭代次数	t-MAP	生成时间/s	t-MAP	生成时间/s	t-MAP	生成时间/s
DHTA-FGSM	1	74.45%	0.021	63.04%	0.021	50.10%	0.024
DHTA	2 000	89.36%	9.37	78.89%	9.19	64.17%	9.36
DBAE	1	90.38%	0.021	80.72%	0.023	65.43%	0.013

被攻击模型	DBAE ＆ H-ResNet50	DBAE ＆ H-ResNet50*	DBAE ＆ H-VGG11	DBAE ＆ H-VGG11*
D-ResNet50*	76.11%	75.63%	63.08%	68.86%
D-VGG11*	60.16%	62.56%	77.36%	76.44%

被攻击模型	DHTA ＆ H-ResNet50	DHTA ＆ H-ResNet50*	DHTA ＆ H-VGG11	DHTA ＆ H-VGG11*
D-ResNet50*	68.14%	65.22%	59.39%	59.51%
D-VGG11*	57.36%	57.42%	74.11%	73.56%

用于攻击深度哈希图像检索模型的双分支自编码器网络

Dual-branch autoencoder network for attacking deep hashing image retrieval models

在线阅读

PDF下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 8

参考文献 32

相关文章 1

Metrics

推荐阅读 0