Adversarial training has achieved substantial performance in defending image retrieval against adversarial examples. However, existing studies in deep metric learning (DML) still suffer from two major limitations: weak adversary and model collapse. In this paper, we address these two limitations by proposing collapse-aware triplet decoupling (CA-TRIDE). Specifically, TRIDE yields a strong adversary by spatially decoupling the perturbation targets into the anchor and the other candidates. Furthermore, CA prevents the consequential model collapse, based on a novel metric, collapseness, which is incorporated into the optimization of perturbation. We also identify two drawbacks of the existing robustness metric in image retrieval and propose a new metric for a more reasonable robustness evaluation. Extensive experiments on three datasets demonstrate that CA-TRIDE outperforms existing defense methods in both conventional and new metrics.

翻译：对抗训练在防御图像检索中的对抗样本攻击方面已取得显著成效。然而，现有深度度量学习研究仍存在两大局限：弱对抗性与模型坍塌。本文通过提出崩溃感知三元组解耦方法（CA-TRIDE）应对上述问题。具体而言，TRIDE通过将扰动目标在空间上解耦为锚点与其他候选对象，从而生成强对抗样本。此外，CA基于创新的"坍塌度"指标防止后续模型坍塌，该指标被整合至扰动优化过程中。我们还指出现有图像检索鲁棒性评估指标的两项缺陷，并提出新指标以实现更合理的鲁棒性评估。在三个数据集上的广泛实验表明，CA-TRIDE在传统指标与新指标上均优于现有防御方法。