Vulnerability of Person Re-Identification Models to Metric Adversarial Attacks

Abstract: Person re-identification (re-ID) is a key problem in smart supervision of camera networks. Over the past years, models using deep learning have become state of the art. However, it has been shown that deep neural networks are flawed with adversarial examples, i.e. human-imperceptible perturbations. Extensively studied for the task of image closedset classification, this problem can also appear in the case of open-set retrieval tasks. Indeed, recent work has shown that we can also generate adversarial examples … Show more

“…Opposite-Direction Feature Attack (ODFA) [10] exploits featurelevel adversarial gradients to generate adversarial examples to pull the feature in the opposite direction with an artificial guide. Self Metric Attack (SMA) [8] uses the image with added noise as the reference image and obtains the adversarial examples by attacking the feature distance between the original image and the reference image. This process does not require any additional images.…”

“…The metric defense schemes proposed by [7,8] correspond to offline adversarial training and online adversarial training respectively. The defense method used in [7] is offline adversarial training, which is based on a generation of an adversarial version of the training set obtained with a frozen version of the trained model.…”

“…As a frozen model is used to generate attacks, this method is referred to as offline adversarial training. The defense method used in [8] is online adversarial training, which generates adversarial examples online while the defended model evolves. However, adversarial training is prone to overfitting because dependent on the training data, so it usually reduces the generalization capacity of the model and still has a high misclassification rate for the adversarial examples from other attacks, which is its main deficiency.…”

“…adversarial metric attack cheats a ReID model by interfering with the image to modify the distance between image features, which means that it needs a reference image to alter the distance between the attacked image and other images with the same identity. Existing work of [7][8][9][10] has fully proved that the ReID models are susceptible to metric attacks from adversarial examples. Since the adversarial defense of ReID has not been fully studied, it remains a challenging problem to effectively defend while ensuring the generalization capability of the model.…”

“…Unless otherwise specified, the diversity learning in subsequent experiments combine with LHT by default.The advantages of the our method on Market1501 [21] compared to the adversarial training in the generalization capacity are shown in Figure6. CF, DL* and DL in the figure are the defense models proposed in this paper, and IFGSM[7], SMA[8], LTA, and DMR[9] are the offline adversarial training defense models corresponding to the attacks. It can be seen that the accuracy of the offline adversarial training model is significantly lower than that of…”

Robust Person Re-identification with Multi-Modal Joint Defence

“…Opposite-Direction Feature Attack (ODFA) [10] exploits featurelevel adversarial gradients to generate adversarial examples to pull the feature in the opposite direction with an artificial guide. Self Metric Attack (SMA) [8] uses the image with added noise as the reference image and obtains the adversarial examples by attacking the feature distance between the original image and the reference image. This process does not require any additional images.…”

“…The metric defense schemes proposed by [7,8] correspond to offline adversarial training and online adversarial training respectively. The defense method used in [7] is offline adversarial training, which is based on a generation of an adversarial version of the training set obtained with a frozen version of the trained model.…”

“…As a frozen model is used to generate attacks, this method is referred to as offline adversarial training. The defense method used in [8] is online adversarial training, which generates adversarial examples online while the defended model evolves. However, adversarial training is prone to overfitting because dependent on the training data, so it usually reduces the generalization capacity of the model and still has a high misclassification rate for the adversarial examples from other attacks, which is its main deficiency.…”

“…adversarial metric attack cheats a ReID model by interfering with the image to modify the distance between image features, which means that it needs a reference image to alter the distance between the attacked image and other images with the same identity. Existing work of [7][8][9][10] has fully proved that the ReID models are susceptible to metric attacks from adversarial examples. Since the adversarial defense of ReID has not been fully studied, it remains a challenging problem to effectively defend while ensuring the generalization capability of the model.…”

“…Unless otherwise specified, the diversity learning in subsequent experiments combine with LHT by default.The advantages of the our method on Market1501 [21] compared to the adversarial training in the generalization capacity are shown in Figure6. CF, DL* and DL in the figure are the defense models proposed in this paper, and IFGSM[7], SMA[8], LTA, and DMR[9] are the offline adversarial training defense models corresponding to the attacks. It can be seen that the accuracy of the offline adversarial training model is significantly lower than that of…”

Robust Person Re-identification with Multi-Modal Joint Defence

Query-UAP: Query-Efficient Universal Adversarial Perturbation for Large-Scale Person Re-Identification Attack

Robust Person Re-identification with Adversarial Examples Detection and Perturbation Extraction