Adversarial training has achieved substantial performance in defending image retrieval systems against adversarial examples. However, existing studies still suffer from two major limitations: model collapse and weak adversary. This paper addresses these two limitations by proposing collapse-oriented (COLO) adversarial training with triplet decoupling (TRIDE). Specifically, COLO prevents model collapse by temporally orienting the perturbation update direction with a new collapse metric, while TRIDE yields a strong adversary by spatially decoupling the update targets of perturbation into the anchor and the two candidates of a triplet. Experimental results demonstrate that our COLO-TRIDE outperforms the current state of the art by 7% on average over 10 robustness metrics and across 3 popular datasets. In addition, we identify the fairness limitations of commonly used robustness metrics in image retrieval and propose a new metric for more meaningful robustness evaluation. Code will be made publicly available on GitHub.