Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Clean Image May be Dangerous: Data Poisoning Attacks Against Deep Hashing

Shuai Li, Jie Zhang, Yuang Qi, Kejiang Chen, Tianwei Zhang, Weiming Zhang, Nenghai Yu

TL;DR

The paper introduces PADHASH, a data poisoning attack against deep hashing for large-scale image retrieval, showing that clean trigger images can steer retrieval toward malicious targets without altering query inputs. PADHASH trains a surrogate model to imitate the victim, then uses Strict Gradient-Matching to generate poisoned images that, when injected into training, cause the victim model to retrieve target images for clean queries; the attack is demonstrated to be effective, transferable across hash methods and datasets, and stealthy with preserved MAP. Across CIFAR-10, ImageNet100, and MSCOCO, PADHASH achieves high attack success rates at very low poison ratios, and remains feasible in gray-box and black-box settings, highlighting practical security risks in deep hashing systems. The work concludes with defense considerations, including poisoned-data detection, data augmentation, and robust training, and discusses potential applications such as model fingerprinting and copyright verification, emphasizing the need for security-aware design in multimedia retrieval pipelines.

Abstract

Large-scale image retrieval using deep hashing has become increasingly popular due to the exponential growth of image data and the remarkable feature extraction capabilities of deep neural networks (DNNs). However, deep hashing methods are vulnerable to malicious attacks, including adversarial and backdoor attacks. It is worth noting that these attacks typically involve altering the query images, which is not a practical concern in real-world scenarios. In this paper, we point out that even clean query images can be dangerous, inducing malicious target retrieval results, like undesired or illegal images. To the best of our knowledge, we are the first to study data \textbf{p}oisoning \textbf{a}ttacks against \textbf{d}eep \textbf{hash}ing \textbf{(\textit{PADHASH})}. Specifically, we first train a surrogate model to simulate the behavior of the target deep hashing model. Then, a strict gradient matching strategy is proposed to generate the poisoned images. Extensive experiments on different models, datasets, hash methods, and hash code lengths demonstrate the effectiveness and generality of our attack method.

Clean Image May be Dangerous: Data Poisoning Attacks Against Deep Hashing

TL;DR

The paper introduces PADHASH, a data poisoning attack against deep hashing for large-scale image retrieval, showing that clean trigger images can steer retrieval toward malicious targets without altering query inputs. PADHASH trains a surrogate model to imitate the victim, then uses Strict Gradient-Matching to generate poisoned images that, when injected into training, cause the victim model to retrieve target images for clean queries; the attack is demonstrated to be effective, transferable across hash methods and datasets, and stealthy with preserved MAP. Across CIFAR-10, ImageNet100, and MSCOCO, PADHASH achieves high attack success rates at very low poison ratios, and remains feasible in gray-box and black-box settings, highlighting practical security risks in deep hashing systems. The work concludes with defense considerations, including poisoned-data detection, data augmentation, and robust training, and discusses potential applications such as model fingerprinting and copyright verification, emphasizing the need for security-aware design in multimedia retrieval pipelines.

Abstract

Large-scale image retrieval using deep hashing has become increasingly popular due to the exponential growth of image data and the remarkable feature extraction capabilities of deep neural networks (DNNs). However, deep hashing methods are vulnerable to malicious attacks, including adversarial and backdoor attacks. It is worth noting that these attacks typically involve altering the query images, which is not a practical concern in real-world scenarios. In this paper, we point out that even clean query images can be dangerous, inducing malicious target retrieval results, like undesired or illegal images. To the best of our knowledge, we are the first to study data \textbf{p}oisoning \textbf{a}ttacks against \textbf{d}eep \textbf{hash}ing \textbf{(\textit{PADHASH})}. Specifically, we first train a surrogate model to simulate the behavior of the target deep hashing model. Then, a strict gradient matching strategy is proposed to generate the poisoned images. Extensive experiments on different models, datasets, hash methods, and hash code lengths demonstrate the effectiveness and generality of our attack method.

Paper Structure

This paper contains 30 sections, 6 equations, 8 figures, 18 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Related Work
  3. Deep Hashing-based Similarity Retrieval
  4. Current Attacks Against Deep Hashing Models
  5. Data Poisoning Attacks
  6. Preliminaries
  7. Image Retrieval Based Deep Hashing
  8. Threat Model
  9. Notations
  10. Methodology
  11. Overview of Attack
  12. Training Surrogate Model
  13. Generating Poisoned Images And Compromise Victim Model
  14. Attack In The Inference.
  15. Expermients
  16. ...and 15 more sections

Figures (8)

  • Figure 1: Illusion on data poisoning attacks against deep hashing.
  • Figure 2: The framework of data poisoning attacks against deep hashing (PADHASH). The attacker first trains a surrogate deep hashing model, then uses Strict Gradient-Matching to generate poisoned images, and finally uses these poisoned images to attack the victim model to make the clean trigger images close to the malicious image in Hamming space.
  • Figure 3: The intuitive explanation of Strict Gradient-Matching.
  • Figure 4: The top-10 frequency categories in MS-COCO.
  • Figure 5: The ASR of PADHASH across deep hashing methods.
  • ...and 3 more figures