LipSim: A Provably Robust Perceptual
Similarity Metric

General Robustness for Perceptual Metric. A perceptual similarity metric can have a lot of important use cases, e.g., image retrieval, copy detection, etc. In order to make a robust perceptual metric we need to ensure that when a small perturbation is added to the input image, the output distance should not change a lot. In the following, we demonstrate a general robustness property when the feature extractor is 1-Lipschitz and the embeddings lie on the unit $\ell_{2}$ ball, i.e., $\norm{f(x)}_{2}=1$. {restatable}propositionpropdistance Let $f:\mathcal{X}\rightarrow\mathbb{R}^{k}$ be a $1$-Lipschitz feature extractor and $\norm{f(x)}_{2}=1$, let $d$ be a distance metric defined as in Equation 1 and let $\delta\in\mathcal{X}$ and $\varepsilon\in\mathbb{R}^{+}$ such that $\norm{\delta}_{2}\leq\varepsilon$. Then, we have,

$$|d(x_{1},x_{2})-d(x_{1}+\delta,x_{2})|\leq\norm{\delta}_{2}$$

(3)

The proof is deferred to Appendix A. This proposition implies that when the feature extractor is $1$-Lipschitz and its output is projected on the unit $\ell_{2}$ ball then the composition of the distance metric $d$ and the feature extractor, i.e., $d\circ f$, is also $1$-Lipschitz with respect to its first argument. This result provides some general stability results and guarantees that the distance metric cannot change more than the norm of the perturbation.

Certified Robustness for 2AFC datasets. We aim to go even further and provide certified robustness for perceptual similarity metrics with 2AFC datasets, i.e., in a classification setting. In the following, we show that with the same assumptions as in Proposition 4.1, the classifier $h$ can obtain certified accuracy. First, let us define a soft classifier $H:\mathcal{X}\rightarrow\mathbb{R}^{2}$ with respect to some feature extractor $f$ as follows:

$$H(x)=\left[d(x,x_{1}),d(x,x_{0})\right]$$

(4)

It is clear that $h(x)=\operatorname*{arg\,max}_{i\in\{0,1\}}\,H_{i}(x)$ where $H_{i}$ represent the $i$-th value of the output of $H$. The classifier $h$ is said to be certifiably robust at radius $\epsilon\geq 0$ at point $x$ if for all $\norm{\delta}_{2}\leq\epsilon$ we have:

$$h(x+\delta)=h(x)$$

(5)

Equivalently, one can look at the margin of the soft classifier: $M_{H,x}:=H_{y}(x)-H_{1-y}(x)$ and provide a provable guarantee that:

$$M_{H,x+\delta}>0$$

(6)

{restatable}

[Certified Accuracy for Perceptual Distance Metric]theoremmainresult Let $H:\mathcal{X}\rightarrow\mathbb{R}^{2}$ be the soft classifier as defined in Equation 4. Let $\delta\in\mathcal{X}$ and $\varepsilon\in\mathbb{R}^{+}$ such that $\norm{\delta}_{2}\leq\varepsilon$. Assume that the feature extractor $f:\mathcal{X}\rightarrow\mathbb{R}^{k}$ is 1-Lipschitz and that for all $x$, $\norm{f(x)}_{2}=1$, then we have the following result:

$$M_{H,x}\geq\varepsilon\norm{f(x_{0})-f(x_{1})}_{2}\quad\Longrightarrow\quad M_{H,x+\delta}\geq 0$$

(7)

The proof is deferred to Appendix A. Based on Theorem 6, and assuming $x_{1}\neq x_{0}$, the certified radius for the classier $h$ at point $x$ can be computed as follows:

$$R(h,x)=\frac{M_{H,x}}{\norm{f(x_{0})-f(x_{1})}}_{2}$$

(8)

Theorem 6 provides the necessary condition for a provable perceptual distance metric without changing the underlying distance on the embeddings (i.e., cosine similarity). This result has two key advantages. First, as in Tsuzuku et al. (2018), computing the certificate at each point only requires efficient computation of the classifier margin $H$. Leveraging Lipschitz continuity enables efficient certificate computation, unlike the randomized smoothing approach of Kumar & Goldstein (2021) which requires Monte Carlo sampling for each point. Second, the bound obtained on the margin to guarantee the robustness is in fact tighter than the one provided by Tsuzuku et al. (2018). Recall Tsuzuku et al. (2018) result states that for a L-Lipschitz classifier $H$, we have:

$$M_{H,x}\geq\varepsilon\sqrt{2}L\quad\Longrightarrow\quad M_{H,x+\delta}\geq 0$$

(9)

Given that the Lipschitz constant of $H$¹¹1Recall the Lipschitz of the concatenation. Let $f$ and $g$ be $L_{f}$ and $L_{g}$-Lipschitz, then the function $x\mapsto[f(x),g(x)]$ can be upper bounded by $\sqrt{L_{f}^{2}+L_{g}^{2}}$-Lipschitz is $\sqrt{2}$, this lead to the following bound:

$$M_{H,x}\geq 2\varepsilon\geq\varepsilon\norm{f(x_{0})-f(x_{1})}_{2}$$

(10)

simply based on the triangle inequality and the assumption that $\norm{f(x)}_{2}=1$.

To design a reliable feature extractor that can be used with Proposition 4.1 and Theorem 6, we combined a 1-Lipschitz neural network architecture with an Euclidean projection. Let $f:\mathcal{X}\rightarrow\mathbb{R}^{k}$ such that:

$$f(x)=\mathcal{\pi}_{B_{2}(0,1)}\circ\beta\circ\phi^{(l)}\circ\cdots\circ\phi^{(1)}(x)$$

(11)

where $l$ is the number of layers, $\mathcal{\pi}_{B_{2}(0,1)}$ is a projection on the unit $\ell_{2}$ ball, i.e., $\mathcal{\pi}_{B_{2}(0,1)}(x)=\operatorname*{arg\,min}_{z\in B_{2}(0,1)}\norm{x-z}_{2}$ and where the layers $\phi$ are the SDP-based Lipschitz Layers (SLL) proposed by Araujo et al. (2023):

$$\phi(x)=x-2W\text{diag}\left(\sum_{j=1}^{n}|W^{\top}W|_{ij}\right)^{-1}\sigma(W^{\top}x+b),$$

(12)

where $W$ is a parameter matrix being either dense or a convolution, $\{q_{i}\}$ forms a diagonal scaling matrix and $\sigma$ is the ReLU nonlinear activation.

To apply Theorem 6 for certification, we need $\norm{f(x)}_{2}=1$ with $f$ 1-Lipschitz. To respect these conditions, we need $\norm{\beta\circ\phi^{(l)}\circ\cdots\circ\phi^{(1)}(x)}_{2}\geq 1$ in order for the projection $\mathcal{\pi}_{B_{2}(0,1)}$ to be 1-Lipschitz. The mapping $\beta:x\mapsto x+b$ is a 1-Lipschitz translation which is set to increase the norm of the embedding (i.e., ideally above one) before the Euclidean projection. However, we do not have a guarantee that the norm of the embedding after the $\beta$ projection is above one, and therefore concerning the assumption of Theorem 6, in such cases, we abstain from the prediction. In practice, however, for all the samples of the NIGHT dataset $\norm{\beta\circ\phi^{(l)}\circ\cdots\circ\phi^{(1)}(x)}_{2}\geq 1$ and thus the abstain percentage is equal to zero.

To investigate the vulnerabilities of DreamSim to adversarial attacks, we aim to answer two questions in this section; Can adversarial attacks against SOTA metrics cause: (1) misalignment with human perception? (2) large changes in distance between perturbed and original images?

In this section, we aim to leverage the framework introduced in the paper and evaluate the LipSim perceptual metric. In the first step (i.e., right of Figure 2), we train a 1-Lipschitz network for the backbone of the LipSim metric and use the SSL architecture which has 20 Layers of Conv-SSL and 7 layers of Linear-SSL. For training the 1-Lipschitz feature extractor, the ImageNet-1k dataset is used (without labels) and the knowledge distillation approach is applied to utilize the state-of-the-art feature extractors including DINO, OpenCLIP, and DreamSim which is an ensemble of ViT-based models. To enhance the effectiveness of LipSim, we incorporate two parallel augmentation pipelines: standard and jittered. The standard version passes through the feature extractor and the teacher model while the jittered only passes through the feature extractor. Then, the RMSE loss is applied to enforce similarity between the embeddings of the jittered and standard images. This enables LipSim to focus more on the semantics of the image, rather than its colors. After training the 1-Lipschitz backbone of LipSim, we further fine-tune our model on the NIGHT dataset (i.e., step 2 see right of Figure 2). During the fine-tuning process, the embeddings are produced and are projected to the unit $\ell_{2}$ ball. In order to maintain the margin between logits, the hinge loss is employed similarly to DreamSim. However, while DreamSim has used a margin parameter of 0.05, we used a margin parameter of 0.5 for fine-tuning LipSim in order to boost the robustness of the metric. Remarkably, LipSim achieves strong robustness using a 1-Lipschitz pipeline composed of a 1-Lipschitz feature extractor and a projection to the unit $\ell_{2}$ ball that guarantees the 1-Lipschitzness of cosine distance. To evaluate the performance of LipSim and compare its performance against other perceptual metrics, we report empirical and certified results of LipSim for different settings.

Empirical Robustness Evaluation. We provide the empirical results of LipSim against $\ell_{2}$-APGD in Table 1. Although the natural score of LipSim is lower than the natural score of DreamSim, there is a large gap between the adversary scores. We can observe that LipSim outperforms all state-of-the-art metrics. The results of a more comprehensive comparison between LipSim, state-of-the-art perceptual metrics, previously proposed perceptual metrics, and pixel-wise metrics are presented in Figure 3(a). The pre-trained and fine-tuned natural accuracies are comparable with the state-of-the-art metrics and even higher in comparison to CLIP. In terms of empirical robustness, LipSim demonstrates great resilience. More comparisons have been performed in this sense, the empirical results over $\ell_{\infty}$-APGD and $\ell_{p}$-MIA are also reported in Table 4 and Table 5 in Appendix D which aligns with the $\ell_{2}$ results and shows strong empirical robustness of LipSim. In order to evaluate the robustness of LipSim outside the classification setting, we have performed $\ell_{2}$-PGD attack ($\epsilon=1.0$) using the MSE loss defined in Equation 14 and the distribution of $d(x,x+\delta)$ is shown at Figure 3(b). The values of $d(x,x+\delta)$ are pretty much close to zero which illustrates the general robustness of LipSim as discussed in proposition 1. The histogram of the same attack with a bigger perturbation budget ($\epsilon=3.0$) is shown in Figure 6 of the Appendix.

Certified Robustness Evaluation. In order to find the certified radius for data points, the margin between logits is computed and divided by the $\ell_{2}$ norm distance between embeddings of distorted images ($\norm{f(x_{0})-f(x_{1})}_{2}$). The results for certified 2AFC scores for different settings of LipSim are reported in Table 2, which demonstrates the robustness of LipSim along with a high natural score. The value of the margin parameter in hinge loss used during fine-tuning is mentioned in the table which clearly shows the trade-off between robustness and accuracy. A larger margin parameter leads to more robustness and therefore higher certified scores but lower natural scores.

After demonstrating the robustness of LipSim in terms of certified and empirical scores, the focus of this section is on one of the real-world applications of a distance metric which is image retrieval. We employed the image retrieval dataset proposed by Fu et al. (2023), which has 500 images randomly selected from the COCO dataset. The top-1 closest neighbor to an image with respect to LipSim and DreamSim distance metrics are shown at the ❶ rows of Figure 4. In order to investigate the impact of adversarial attacks on the performance of LipSim and DreamSim in terms of Image Retrieval application, we have performed $\ell_{2}$-PGD attack ($\epsilon=2.0$) with the same MSE loss defined in Equation 14 separately for the two metrics and the results are depicted at the ❷ rows of Figure 4. In adversarial rows, the LipSim sometimes generates a different image as the closest which is semantically similar to the closest image generated for the original image.