defense · 2025

Towards Adversarially Robust Deep Metric Learning

Xiaopeng Ke

0 citations · 58 references · arXiv


Published on arXiv

2501.01025

Input Manipulation Attack

OWASP ML Top 10 — ML01

Key Finding

EAT greatly outperforms adaptations of classification-model defenses for adversarially robust DML in clustering-based inference scenarios across three datasets and two architectures.

EAT (Ensemble Adversarial Training)

Novel technique introduced


Deep Metric Learning (DML) has shown remarkable successes in many domains by taking advantage of powerful deep neural networks. Deep neural networks are prone to adversarial attacks and can be easily fooled by adversarial examples. Current progress on this robustness issue is mainly about deep classification models and pays little attention to DML models. Existing works fail to thoroughly inspect the robustness of DML and neglect an important DML scenario, clustering-based inference. In this work, we first point out the robustness issue of DML models in clustering-based inference scenarios. We find that, for clustering-based inference, existing defenses designed for DML cannot be reused, and adaptations of defenses designed for deep classification models cannot achieve satisfactory robustness. To alleviate the hazard of adversarial examples, we propose a new defense, Ensemble Adversarial Training (EAT), which exploits ensemble learning and adversarial training. EAT promotes the diversity of the ensemble, encouraging each model in the ensemble to have different robustness features, and employs a self-transferring mechanism to make full use of the robustness statistics of the whole ensemble in the update of every single model. We evaluate the EAT method on three widely used datasets with two popular model architectures. The results show that the proposed EAT method greatly outperforms the adaptations of defenses designed for deep classification models.


Key Contributions

  • Identifies a neglected adversarial robustness vulnerability in DML models under clustering-based inference, distinct from classification-based inference
  • Proposes Ensemble Adversarial Training (EAT) that encourages diverse robustness features across ensemble members via a self-transferring mechanism
  • Shows that existing DML defenses cannot be reused for clustering-based inference and that adapted classification defenses give unsatisfactory robustness there, while EAT significantly outperforms the adapted defenses

🛡️ Threat Analysis

Input Manipulation Attack

The paper focuses on adversarial examples that attack DML models at inference time (white-box, digital-domain perturbations) and proposes adversarial training as a defense: the core ML01 threat of input manipulation causing incorrect model outputs, here a wrong cluster assignment rather than a wrong class label.
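The attack surface described above, as an added example that is not code from the paper: a hypothetical 2x3 linear map stands in for the DML embedding network, two hypothetical centroids stand in for the clusters a clustering step would produce over a gallery, and nearest-centroid assignment stands in for clustering-based inference. A white-box attacker with an L_inf budget runs sign-gradient descent on the input to pull its embedding toward another cluster's centroid, which is the ML01 input-manipulation threat in this setting. The model weights, centroids, query and budgets are all constructed for the illustration.

```python
"""Toy white-box input-manipulation attack on clustering-based DML inference.

Added example, not the paper's code. A hypothetical linear "embedding
network" W replaces a real DML model, nearest-centroid assignment replaces
a full clustering step, and all numbers are constructed. Pure Python.
"""

# Hypothetical 2x3 linear embedding network: z = W @ x (x is a 3-dim input).
W = [[1.0, 0.5, 0.0],
     [0.0, 1.0, 0.5]]

# Hypothetical cluster centroids in embedding space, as a clustering step
# over a gallery would produce; cluster index is the inference output.
CENTROIDS = [(0.2, 0.2), (0.8, 0.8)]


def embed(x):
    """Embedding of input x under the toy linear model."""
    return tuple(sum(w * xi for w, xi in zip(row, x)) for row in W)


def assign_cluster(z):
    """Clustering-based inference stand-in: index of the nearest centroid."""
    dists = [sum((zi - ci) ** 2 for zi, ci in zip(z, c)) for c in CENTROIDS]
    return min(range(len(dists)), key=dists.__getitem__)


def grad_wrt_input(x, target):
    """Gradient of ||W x - c_target||^2 with respect to x, i.e. 2 W^T (W x - c).

    A white-box attacker can compute this because it knows W (in a real DML
    model this is one backward pass through the network)."""
    d = [zi - ci for zi, ci in zip(embed(x), CENTROIDS[target])]
    return [2 * sum(W[j][i] * d[j] for j in range(len(W))) for i in range(len(x))]


def targeted_pgd(x, target, eps=0.25, alpha=0.05, steps=20):
    """L_inf-bounded sign-gradient descent that pulls the embedding of x
    toward the target centroid. The perturbation stays within eps of x per
    coordinate and the input stays in [0, 1] (pixel-like range)."""
    lo = [max(0.0, xi - eps) for xi in x]
    hi = [min(1.0, xi + eps) for xi in x]
    x_adv = list(x)
    for _ in range(steps):
        g = grad_wrt_input(x_adv, target)
        # Descend the distance-to-target objective using the gradient sign.
        x_adv = [xi - alpha * ((gi > 0) - (gi < 0)) for xi, gi in zip(x_adv, g)]
        # Project back onto the eps-ball around x and the valid input range.
        x_adv = [min(max(xi, l), h) for xi, l, h in zip(x_adv, lo, hi)]
    return x_adv


def run_attack(x, target, eps=0.25):
    """Run the targeted attack and report clean vs. adversarial cluster."""
    x_adv = targeted_pgd(x, target, eps=eps)
    return {
        "clean_cluster": assign_cluster(embed(x)),
        "adv_cluster": assign_cluster(embed(x_adv)),
        "linf": max(abs(a - b) for a, b in zip(x_adv, x)),
        "x_adv": x_adv,
    }


if __name__ == "__main__":
    query = (0.3, 0.3, 0.0)  # constructed query input near cluster 0
    for budget in (0.05, 0.25):
        print(budget, run_attack(query, target=1, eps=budget))
```

With the constructed query, an L_inf budget of 0.05 leaves the assignment at cluster 0, while a budget of 0.25 moves it to cluster 1 without any change to the model or the gallery; that is the failure the paper's threat model concerns. The EAT defense itself is not reproduced here: defending this toy would mean training W under adversarial perturbations, and the paper's ensemble diversity and self-transferring mechanism are beyond what a linear stand-in can show.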


Details

Domains
vision
Model Types
cnn, transformer
Threat Tags
white_box, inference_time, digital
Applications
deep metric learning, image retrieval, clustering-based inference