Deep hashing has been extensively utilized in massive image retrieval because of its efficiency and effectiveness. However, deep hashing models are vulnerable to adversarial examples, making it essential to develop adversarial defense methods for image retrieval. Existing solutions achieved limited defense performance because of using weak adversarial samples for training and lacking discriminative optimization objectives to learn robust features. In this paper, we present a min-max based Center-guided Adversarial Training, namely CgAT, to improve the robustness of deep hashing networks through worst adversarial examples. Specifically, we first formulate the center code as a semantically-discriminative representative of the input image content, which preserves the semantic similarity with positive samples and dissimilarity with negative examples. We prove that a mathematical formula can calculate the center code immediately. After obtaining the center codes in each optimization iteration of the deep hashing network, they are adopted to guide the adversarial training process. On the one hand, CgAT generates the worst adversarial examples as augmented data by maximizing the Hamming distance between the hash codes of the adversarial examples and the center codes. On the other hand, CgAT learns to mitigate the effects of adversarial samples by minimizing the Hamming distance to the center codes. Extensive experiments on the benchmark datasets demonstrate the effectiveness of our adversarial training algorithm in defending against adversarial attacks for deep hashing-based retrieval. Compared with the current state-of-the-art defense method, we significantly improve the defense performance by an average of 18.61\%, 12.35\%, and 11.56\% on FLICKR-25K, NUS-WIDE, and MS-COCO, respectively. The code is available at https://github.com/xunguangwang/CgAT.

翻译：深度哈希因其高效性和有效性而被广泛应用于大规模图像检索。然而，深度哈希模型易受对抗样本干扰，因此亟需开发面向图像检索的对抗防御方法。现有解决方案因使用弱对抗样本进行训练，且缺乏可学习鲁棒特征的判别性优化目标，导致防御性能有限。本文提出一种基于最小-最大化的中心引导对抗训练方法（CgAT），通过最坏情况下的对抗样本来提升深度哈希网络的鲁棒性。具体而言，我们首先将中心编码定义为输入图像内容的语义判别性表征，其能保持与正样本的语义相似性及与负样本的差异性。我们证明了可通过数学公式即时计算中心编码。在深度哈希网络的每次优化迭代中获取中心编码后，将其用于引导对抗训练过程：一方面，CgAT通过最大化对抗样本哈希码与中心编码之间的汉明距离，生成作为增强数据的最坏对抗样本；另一方面，CgAT通过最小化与中心编码的汉明距离，学习缓解对抗样本的影响。在基准数据集上的大量实验表明，我们的对抗训练算法能有效防御针对深度哈希检索的对抗攻击。与当前最先进的防御方法相比，我们在FLICKR-25K、NUS-WIDE和MS-COCO数据集上分别将防御性能平均提升了18.61%、12.35%和11.56%。代码已开源至https://github.com/xunguangwang/CgAT。