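Computer science
Generalization
Preprocessor
Information retrieval
Set (abstract data type)
Image (mathematics)
Artificial intelligence
Training set
Image retrieval
Data mining
Semantics (computer science)
Machine learning
Data set
Semantic gap
Topic model
Data retrieval
Query expansion
Data preprocessing
Threat model
Query language
Deep learning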
Authors
Dario Lazzaro, Raffaele Mura, Antonio Emanuele Ciná, Giuseppe Laurita, Gianni Vercelli, Luca Oneto, Battista Biggio, Fabio Roli
Identifier
DOI:10.1016/j.knosys.2025.115090
Abstract
Text-to-Image retrieval (IR) systems are widely used to match images to specific textual queries, often leveraging publicly available Vision-Language Pretrained models (VLPs) for their generalization capabilities. However, due to the diverse and open nature of the image data they rely on, these systems remain vulnerable to data poisoning attacks, where malicious images are injected into the database to manipulate retrieval results. Prior work has demonstrated the effectiveness of attacks when the exact user query is known at retrieval time. However, this assumption is often impractical, as users tend to express similar intents using varied, semantically equivalent queries (e.g., through synonyms), which reduces the effectiveness of existing attacks. In this paper, we address this gap by proposing an attack that remains effective even when users issue semantically varied queries. We introduce Collisio, a novel poisoning method that crafts a single poisoned image to be retrieved under any semantically equivalent form of a target query. To achieve this, Collisio leverages an Expectation over Queries (EoQ) strategy, generating a diverse set of synthetic and selectively transformed query variants, and then optimizes the poisoned image to align with them. We extensively evaluate Collisio on the Flickr30k and MSCOCO datasets across multiple VLPs, demonstrating the severity of Collisio under realistic query variations. Given the implications of this vulnerability, we examine countermeasures based on adversarially trained models and a data preprocessing defense, highlighting both their mitigation potential and the trade-offs involved.