LipSim: A Provably Robust Perceptual Similarity Metric

We thank the reviewer for their valuable feedback and comments.

Q: Although there has been some previous works on robust perceptual metrics, authors claim theirs is the first one with provable guarantees. I still think discussing why this matters in practice is important.

We provide the first perceptual similarity metric with non-trivial provable guarantees. We do agree that comparing to existing work is important and we have added the comparison with other metrics to the appendix of the revision of our paper and provided the reference to it in the Related Work.

There exist two methods that apply randomized smoothing to perceptual similarity metrics [1, 2]. We have mentioned them in the related work section of our paper. These methods have important limitations:

• They are computationally very expensive due to the Monte Carlo sampling for each data point (i.e., [1] mentions 1 to 3 minutes for each image with a backbone smaller than the Dreamsim model) which makes this approach impractical for real use cases with a large model like Dreamsim
• The approach is probabilistic due to the estimation of the probability with the Monte Carlo sampling
• The proposed certified bounds are loose, for example, for LPIPS [6] the bound is as follows: $d(x, x+\delta) \leq 10 ||\delta||_2$. Therefore the results are reported for a perturbation budget of 0.01 to 0.05, whereas for the LipSim the certificates are provided for a perturbation budget of $\frac{36}{255}$ to $\frac{108}{255}$.

Q: I see the application for image retrieval, but how can someone have access to the model (white box) to actually attack it. Please elaborate.

In security research, it is common practice to study the worst-case setting, i.e., white-box attacks in the context of adversarial robustness. This is for multiple reasons:

• (1) in practice, many neural networks are released in white-box open form, for example, the most recent models from Meta. These networks do in fact need to be robust to adversarial attack.
• (2) Even black-box models might need to consider vulnerability to white-box attacks in case they are inadvertently leaked (data breaches are a common occurrence). Relying on a lack of access to the details of an implementation, i.e., security via obscurity, is considered as a bad practice in the literature.
• (3) Finally, several results show that black-box models can be attacked using transferability [3] i.e., attacks obtained on proxy models often work just as well on other models.

In this paper, we provide robustness in a white-box setting, specifically with certified robustness, and show that we can provide security and reliability within the certified bounds and we also evaluate our model with empirical approaches.

Q: Consider changing the colors in bar plot of Fig. 3.a. They are hard to distinguish.

Sure, based on your suggestion, we changed the colors of Fig. 3.a in the revision of our paper.

Q: Other datasets than NIGHTs dataset? What is the guarantee that these results will also generalize to other datasets?

Currently, two 2AFC datasets are available: NIGHT and BAPPS [8]. The result of LipSim on the NIGHT dataset is reported in the paper. Here we report the result of LipSim on the BAPPS dataset. The LipSim model is not finetuned on the BAPPS dataset and the same model which is finetuned on the NIGHT dataset is used.

Q: (1) Alternatively, shouldn’t two images differ significantly when perturbation is high? (2) Have you considered what happens at high perturbations? (3) Shouldn’t a good perceptual metric match human judgements regardless of perturbation magnitude? (4) Table 2 shows the certified scores. However, the scores for perturbation 72/255 and beyond are still pretty low. How do humans behave in those perturbations?

1 - Yes, two images should differ significantly when the perturbation is high.
2 - We have experimented with increasing perturbation, starting with a small perturbation $\epsilon = \frac{36}{255}$ and increasing to $\epsilon = \frac{108}{255}$. As shown in the paper, perceptual similarity metrics (as with neural networks) are not robust to small adversarial perturbations. It is therefore safe to say that won't be robust to large adversarial perturbations.
3 - Yes, a good perceptual metric should match human judgments regardless of perturbation magnitude. This highlights the fact that building a good perceptual metric is still an open problem and our contribution is a first step in this direction. Our Lipsim perceptual metric achieves competitive results on natural performance and obtains a good level of robustness that Dreamsim doesn't have.
4 - The perturbation level of $\epsilon = \frac{72}{255}$ is classic in the adversarial robustness literature, for example, the state-of-the-art certified robust classifier with Lipschitz continuity [9] reports a certified accuracy with $\epsilon = \frac{36}{255}$.

[1] Aounon Kumar and Tom Goldstein. Center smoothing: Certified robustness for networks with structured outputs. NeurIPS 2021
[2] Shao et al. Robustness certification for structured prediction with general inputs via safe region modeling in the semimetric output space. SIGKDD 2023
[3] Madry, Aleksander, et al. "Towards deep learning models resistant to adversarial attacks." arXiv preprint arXiv:1706.06083 (2017).
[4] Fu et al. DreamSim: Learning New Dimensions of Human Visual Similarity using Synthetic Data, NeurIPS 2023 Spotlight.
[5] Apple. CSAM Detection - Technical Summary. https://www.apple.com/childsafety/pdf/CSAM_Detection_Technical_Summary.pdf 2021.
[6] Struppek et al. "Learning to break deep perceptual hashing: The use case neuralhash." ACM Conference on Fairness, Accountability, and Transparency. 2022.
[7] Ding et al. Image quality assessment: Unifying structure and texture similarity. IEEE transactions on pattern analysis and machine intelligence 2020.
[8] Richard Zhang, Phillip Isola, Alexei A Efros, Eli Shechtman, and Oliver Wang. The unreasonable effectiveness of deep features as a perceptual metric. In Proceedings of the IEEE conference on computer vision and pattern recognition, 2018.
[9] Hu et al. Unlocking Deterministic Robustness Certification on ImageNet. NeuIPS 2023.

Q: Please mention why we need robust perceptual metrics??!!! In real world. In other words, how much impact such work has in real world and why it actually matters? An example may help here.

Perceptual metrics have many different applications in the real world, namely, the comparison of images using a human semantic measure for image and video processing, image retrieval based on semantic information, and filter detection in social media websites (e.g., CSAM$^1$ detection see below). These contexts can often be in an adversarial setting $^2$ and having a perceptual metric robust to small perturbation, i.e., perturbations that do not change the semantic, is a property that makes sense to have in this type of metric. We should note that perceptual metrics can also be used to train networks which requires a semantic loss, having a robust perceptual metric could lead to better and more robust models.

In this work, we leveraged the DreamSim metric [4] which is the state-of-the-art for perceptual similarity metric $^3$. While this metric provides a great similarity measure, we have demonstrated that it is not robust to small perturbations that do not change the semantic (As shown in Figure 1 of the paper, a small perturbation can change the perception of the Dreamsim metric, and two images semantically similar are then considered very different.). If this metric were to be deployed into real-world applications, this might lead to important security issues.

As an example of a real-world application, we could mention Apple’s NeuralHash [5] used for CSAM detection, which has two steps: (1) it uses a Convolutional Neural Network to map semantically similar images to close feature vectors (in terms of cosine similarity) and (2) it leverages those vectors to find the duplicates using hash functions. Based on the pipeline, the vulnerability of the NN generating the feature vectors is a serious security concern. We refer to [6] as one of the papers that worked on the adversarial vulnerabilities of the Neural Network generating the features for the NeuralHash and showed that using the proposed adversarial attack, the features can change and lead to a different output for the hash function. It would be a very interesting future work to use the robust embeddings we've trained as the backbone of NeuralHash to increase the robustness of the feature vectors.

$^1$ CSAM: Child Sexual Abuse Material
$^2$ CSAM detection is inherently an adversarial setting where malicious users would want to bypass the detection.
$^3$ The Dreamsim paper has been accepted at NeurIPS 2023 as a spotlight.

Q: How about some non NN-based similarity metrics? I am guessing maybe there are not as good as NN-based ones but at least they might be more robust! Can you compare your method against some of those Metrics? Is DISTS in Fig. 3.a NN-based?

We have reported the results for the non-NN-based metrics with the "Low level" title in Figure 3.A. The natural 2AFC scores are low and are not comparable with Dreamsim. This result is expected because the 2AFC score shows the alignment of the distance metric with human perception and how well the metric compares the images at the semantic level. Pixel-level metrics are more focused on the pixel level rather than the semantic level and therefore less aligned with human perception in comparison with the perceptual metrics which are more focused on the semantics. On the other hand, as the natural scores of non-NN-based metrics are already lower than LipSim's robust scores (under $\ell_2$-AutoAttack) (and their robust scores won't be better than their natural scores,) we didn't need to do the experiments under the attack for the "Low level" methods.

DISTS indeed offers competitive performance on the NIGHT dataset as shown in Figure 3.a. The DISTS[7] metric is based on the VGG architecture (like the LPIPS is based in the ALexNet architecture) and due to being based on a neural network is not robust to small perturbations crafted using a strong attack. However, the certified robustness of LipSim guarantees that independent from the strength of the attack, the certified scores cannot be broken.

We thank the reviewer for their valuable feedback and comments.

Q: The natural score of LipSim was observed to be lower than that of some competitors like DreamSim. This might raise concerns about its general performance when not under adversarial conditions.

This paper is set in the context of adversarial robustness. In this context, there is an inherent trade-off between natural performance and robustness $^1$. State-of-the-art methods, like DreamSim, can achieve high natural performance at the expense of losing robustness, as demonstrated in Figure 1 of our paper. LipSim does not achieve state-of-the-art natural performance but achieves competitive performance compared to Dreamsim and provides state-of-the-art empirical and certified robustness. We believe Lipsim is a major first step towards robust perceptual similarity metrics.

$^1$ As an example, the state-of-the-art robust neural network (accepted at NeurIPS 2023) [1] with Lipschitz continuity achieves 45.6% natural accuracy on ImageNet with 35.0% certified accuracy while the non-robust state-of-the-art results on ImageNet is 91.1% [2] and the community has been trying to boost the natural accuracy for robust models, despite the progressions this is still an ongoing topic of research.

Q: The real-world application testing of LipSim was primarily on image retrieval. It would be beneficial to see its performance on a wider variety of tasks.

Based on your suggestion, we are also adding KNN (k-nearest neighbors algorithm), which is a zero-shot classification task. It classifies test images based on the proximity of their feature vectors to the training images' feature vectors. We performed our experiment on Imagenette (ImageNet dataset with 10 classes) [3] and for $k=10,20$. The results of LipSim and DreamSim are reported in the following table, which are very close in terms of the Top 5 and LipSim is showing a decent performance in terms of the Top 1 as a zero-shot classifier.

[1] Hu et al. Unlocking Deterministic Robustness Certification on ImageNet. NeuIPS 2023
[2] Chen et al. Symbolic Discovery of Optimization Algorithms. NeuIPS 2023
[3] https://github.com/fastai/imagenette

Q: It would also be good to compare with other certified or non-certified defense methods.

Certified Defenses: There exist two methods that apply randomized smoothing to perceptual similarity metrics [6, 7]. We mentioned them in the related work section of our paper. These methods have important limitations:

• They are computationally very expensive due to the Monte Carlo sampling for each data point (i.e., [6] mentions 1 to 3 minutes for each image with a backbone smaller than the Dreamsim model) which makes this approach impractical for real use cases with a large model like Dreamsim
• The approach is probabilistic due to the estimation of the probability with the Monte Carlo sampling
• The proposed certified bounds are loose, for example, for LPIPS [6] the bound is as follows: $d(x, x+\delta) \leq 10 ||\delta||_2$. Therefore the results are reported for a perturbation budget of 0.01 to 0.05, whereas for the LipSim the certificates are provided for a perturbation budget of $\frac{36}{255}$ to $\frac{108}{255}$. We have highlighted the difference between Lipsim and previous approaches in the revision of the paper.

Non-certified Defenses (Empirical robustness): R-LPIPS [8] leverages the LPIPS perpetual similarity metric and Adversarial training to provide empirical robustness. We provided an empirical robustness score on the BAPPS dataset [9] as well as the NIGHT dataset [1] below. We would like to emphasize that R-LPIPS is trained on the BAPPS dataset while Lipsim is finetuned on the NIGHT dataset and Lipsim provides certified accuracy while R-LPIPS does not come with any provable guarantees.

• Results on the BAPPS dataset

• Results on the NIGHT dataset

[1] Fu et al. DreamSim: Learning New Dimensions of Human Visual Similarity using Synthetic Data, NeurIPS 2023 Spotlight.
[2] Croce et al. Reliable Evaluation of Adversarial Robustness with an Ensemble of Diverse. ICML 2020.
[3] Croce, F. and Hein, M. Minimally distorted adversarial examples with a fast adaptive boundary attack. In ICML, 2020. [4] Andriushchenko, M., Croce, F., Flammarion, N., and Hein, M. Square attack: a query-efficient black-box adversarial attack via random search. In ECCV, 2020. [5] Dong et al. Boosting Adversarial Attacks with Momentum. CVPR 2018
[6] Kumar et al. Center smoothing: Certified robustness for networks with structured outputs. NeurIPS 2021
[7] Shao et al. Robustness certification for structured prediction with general inputs via safe region modeling in the semimetric output space. SIGKDD 2023
[8] Ghazanfari et al. R-lpips: An adversarially robust perceptual similarity metric. ICML Workshop 2023.
[9] Richard Zhang, Phillip Isola, Alexei A Efros, Eli Shechtman, and Oliver Wang. The unreasonable effectiveness of deep features as a perceptual metric. In Proceedings of the IEEE conference on computer vision and pattern recognition, 2018.

We thank the reviewer for their valuable feedback and comments.

Q: The presentation could be better. For example, the explanation of 2AFC is little which making it difficult to get the messages from this paper.

We had provided a detailed explanation of 2AFC datasets in Appendix B.1 but did not reference it in the introduction. We have corrected this in the revised version of the paper.

Conceptually, 2AFC datasets are datasets labeled by humans that are used to align perceptual metrics to human judgment. The dataset is labeled via a two-alternative forced choice (2AFC) test that asks which of two variations of a reference image is more similar to it. We provided examples of the night dataset in Appendix B.1 and gave more detail on how the dataset is constructed. For a full description of this dataset, please see the DreamSim paper [1].

Q: The experiments only conducted with Auto Attack. However, there are different kinds of attacks, and it would be good to experiment with other attack methods as well.

We agree that it is important to evaluate with a diversity of different attacks. Indeed, AutoAttack [2] is itself an ensemble of four different white box and black box attacks (i.e. APGD-CE, APGD-DLR, with two existing complementary attacks, FAB [3] and Square Attack [4]). We have further clarified and emphasized this in the revised paper. By choosing AutoAttack, we have both the state-of-the-art attack and the diversity of white box and black box attacks as you mentioned. Based on your input, we have further increased attack diversity by adding results from two additional attacks as explained below.

For our experiment, we evaluate the LipSim in two different settings:

1 - NIGHT dataset (2AFC dataset): the night dataset is a binary classification setting and the attacker's goal is to make the model misclassify. The following attack methods are used to evaluate the robustness of LipSim in the 2AFC setting:

• We provided $\ell_2$-AutoAttack results in Table 1 of the paper. AutoAttack [2] is known as a state-of-the-art attack in the adversarial robustness community.
• We also have provided the results for the $\ell_{\infty}$-AutoAttack and $\ell_{\infty}$-PGD shown in Table 3 of the Appendix.
• Based on your suggestion regarding the evaluation of LipSim using different attacks, we added the Momentum Iterative Attack (MIA) [5] for both $\ell_{\infty}$ and $\ell_{2}$. The new results are in line with our previous results and show the superiority of LipSim compared with DreamSim in terms of robustness.
• We also added the results on another dataset per the suggestion of Reviewer sTNV.

2 - Perceptual metric: In this setting, we evaluate the robustness of Dream and LipSim (denoted $d$) using a direct attack to the metric by optimizing the perturbation within a budget in the loss defined in Equation 14 $\underset{||\delta||_2 \leq \epsilon}{argmax}\, d(x, x+\delta)$, we demonstrated that we can find small perturbations that fool the metric to predict larger values for $d(x, x+\delta)$. The distribution $d(x, x+\delta)$ is shown in Figure 3b, for both LipSim and DreamSim, which highlights the robustness gaps between LipSim and DreamSim.

• We added a reference for the explanation and instances of the 2AFC dataset to the introduction.
• To evaluate LipSim on more attacks we added the Momentum Iterative Attack (MIA).
• We also added the certified robustness results of LipSim on another 2AFC dataset (called BAPPS).
• We added the theoretical comparison of LipSim with two previous works on the certified robustness of perceptual metrics which have looser bounds.
• We added an empirical comparison between LipSim and a recent empirical defense (R-LPIPS).
• We added KNN (k-nearest neighbors algorithm) as a new application for LipSim besides Image Retrieval and compared our performance with DreamSim.
• We changed the color of the bar chart in Figure 3.a.