Adversarial training has achieved substantial performance in defending image retrieval against adversarial examples. However, existing studies in deep metric learning (DML) still suffer from two major limitations: weak adversary and model collapse. In this paper, we address these two limitations by proposing collapse-aware triplet decoupling (CA-TRIDE). Specifically, TRIDE yields a strong adversary by spatially decoupling the perturbation targets into the anchor and the other candidates. Furthermore, CA prevents the consequential model collapse, based on a novel metric, collapseness, which is incorporated into the optimization of perturbation. We also identify two drawbacks of the existing robustness metric in image retrieval and propose a new metric for a more reasonable robustness evaluation. Extensive experiments on three datasets demonstrate that CA-TRIDE outperforms existing defense methods in both conventional and new metrics.