Deep hashing has been extensively utilized in massive image retrieval because of its efficiency and effectiveness. However, deep hashing models are vulnerable to adversarial examples, making it essential to develop adversarial defense methods for image retrieval. Existing solutions achieved limited defense performance because of using weak adversarial samples for training and lacking discriminative optimization objectives to learn robust features. In this paper, we present a min-max based Center-guided Adversarial Training, namely CgAT, to improve the robustness of deep hashing networks through worst adversarial examples. Specifically, we first formulate the center code as a semantically-discriminative representative of the input image content, which preserves the semantic similarity with positive samples and dissimilarity with negative examples. We prove that a mathematical formula can calculate the center code immediately. After obtaining the center codes in each optimization iteration of the deep hashing network, they are adopted to guide the adversarial training process. On the one hand, CgAT generates the worst adversarial examples as augmented data by maximizing the Hamming distance between the hash codes of the adversarial examples and the center codes. On the other hand, CgAT learns to mitigate the effects of adversarial samples by minimizing the Hamming distance to the center codes. Extensive experiments on the benchmark datasets demonstrate the effectiveness of our adversarial training algorithm in defending against adversarial attacks for deep hashing-based retrieval. Compared with the current state-of-the-art defense method, we significantly improve the defense performance by an average of 18.61\%, 12.35\%, and 11.56\% on FLICKR-25K, NUS-WIDE, and MS-COCO, respectively. The code is available at https://github.com/xunguangwang/CgAT.

翻译：深度哈希因其高效性和有效性被广泛应用于大规模图像检索。然而，深度哈希模型对对抗样本存在脆弱性，因此开发面向图像检索的对抗防御方法至关重要。现有方案因使用弱对抗样本进行训练且缺乏判别性优化目标以学习鲁棒特征，导致防御性能有限。本文提出一种基于最小-最大化的中心引导对抗训练方法（CgAT），通过最坏情况对抗样本来提升深度哈希网络的鲁棒性。具体而言，我们首先将中心码定义为输入图像内容的语义判别性表征，该表征保持与正样本的语义相似性和与负样本的差异性。我们证明可通过数学公式直接计算中心码。在深度哈希网络每次优化迭代获取中心码后，将其用于引导对抗训练过程。一方面，CgAT通过最大化对抗样本哈希码与中心码之间的汉明距离，生成最坏情况对抗样本作为增强数据；另一方面，CgAT通过最小化与中心码的汉明距离，学习减轻对抗样本的影响。在基准数据集上的大量实验表明，我们的对抗训练算法能有效防御针对深度哈希检索的对抗攻击。与当前最先进的防御方法相比，在FLICKR-25K、NUS-WIDE和MS-COCO数据集上，我们分别将防御性能平均提升18.61%、12.35%和11.56%。代码开源于https://github.com/xunguangwang/CgAT。