Keywords: Adversarial Attack, Deep Ranking, Relative Order, Black-Box Attack
Abstract: Recent studies have unveiled the vulnerabilities of deep ranking models, where
an imperceptible perturbation could trigger dramatic changes in the ranking
result. However, previous attempts focus on manipulating absolute ranks of
certain candidates, while the possibility of adjusting their relative order
remains under-explored. The objective of this paper is to formalize and
practically implement a new adversarial attack against deep ranking systems,
i.e., the Order Attack, which covertly alters the relative order of a selected
set of candidates according to a permutation vector predefined by the attacker,
with only limited interference to other unrelated candidates. Although this
Order Attack can be formulated as a triplet-style loss constraint imposing an
inequality chain that reflects the attacker's desired permutation, direct
optimization of such loss is inapplicable in a real-world black-box attack
scenario due to the inaccessibility of gradients, limited query budget,
truncated ranking results, and lack of similarity scores. To address these
challenges, we propose a new Short-range Ranking Correlation metric as a
surrogate objective function to approximate Kendall's ranking correlation while
maintaining robustness to these practical limitations. The proposed white-box
and black-box attacks are evaluated on the Fashion-MNIST and
Stanford-Online-Products datasets. Moreover, the black-box attack is
successfully implemented on a major e-commerce platform. Extensive
quantitative and qualitative experimental evaluations demonstrate the
effectiveness of our proposed methods, revealing deep ranking systems'
vulnerability to the Order Attack.
One-sentence Summary: A new challenging adversarial attack that changes the relative order among selected candidates in deep ranking.
Code Of Ethics: I acknowledge that I and all co-authors of this work have read and commit to adhering to the ICLR Code of Ethics
Supplementary Material: zip
Reviewed Version (pdf): https://openreview.net/references/pdf?id=14E3grkpDm