🤖 AI Summary
This work addresses the privacy risks posed by image geolocation systems and proposes RoadTrip Attack (RTA), a novel adversarial approach that formalizes attacks as “deceptive routes.” RTA sequentially misleads geolocation models by guiding them along a fabricated trajectory that progressively shifts the predicted location toward an attacker-specified target. Leveraging a beam search algorithm, the method iteratively generates imperceptible perturbations that maintain high visual fidelity while achieving strong transferability and precision under black-box settings. By minimizing perceptual distortion, RTA effectively manipulates query images to be mislocalized into the intended geographic region, demonstrating both practical feasibility and enhanced stealth compared to existing techniques.
📝 Abstract
Retrieval-based image geolocalization has emerged as a powerful technique for determining the location of a query image by matching it against a large, geotagged database. The success of deep learning based approaches has raised concerns regarding privacy and safety. A way to protect users from geolocalization is to design adversarial attacks for such methods. In this paper, we introduce RoadTrip Attack (RTA), a novel and highly effective targeted adversarial attack for geolocalization. RTA conceptualizes the adversarial process as finding an optimal distractor journey to a specific, attacker-chosen location. It employs a beam search algorithm to iteratively construct a sequence of incorrect geographic locations that form a path to the target. At each step, the attack generates subtle perturbations to the query image, guiding the geolocalization model toward the next location in this deceptive path. We show that our method is also strong in black-box settings, obtaining highly transferable attacks with less perceptible image artifacts.