Practical Order Attack in Deep Ranking

Recent studies have unveiled the vulnerabilities of deep ranking models, where an imperceptible perturbation could trigger dramatic changes in the ranking result. However, previous attempts focus on manipulating absolute ranks of certain candidates, while the possibility of adjusting their relative order remains under-explored. The objective of this paper is to formalize and practically implement a new adversarial attack against deep ranking systems, i.e., the Order Attack, which covertly alters the relative order of a selected set of candidates according to a permutation vector predefined by the attacker, with only limited interference to other unrelated candidates. Although this Order Attack can be formulated as a triplet-style loss constraint imposing an inequality chain that reflects the attacker's desired permutation, direct optimization of such loss is inapplicable in a real-world black-box attack scenario due to the inaccessibility of gradients, limited query budget, truncated ranking results, and lack of similarity scores. To address these challenges, we propose a new Short-range Ranking Correlation metric as a surrogate objective function to approximate Kendall's ranking correlation while maintaining robustness to these practical limitations. The proposed white-box and black-box attacks are evaluated on the Fashion-MNIST and Stanford-Online-Products datasets. Moreover, the black-box attack is successfully implemented on a major e-commerce platform. Extensive quantitative and qualitative experimental evaluations demonstrate the effectiveness of our proposed methods, revealing deep ranking systems' vulnerability to the Order Attack.