Visible to the public Vulnerability of Person Re-Identification Models to Metric Adversarial Attacks

TitleVulnerability of Person Re-Identification Models to Metric Adversarial Attacks
Publication TypeConference Paper
Year of Publication2020
AuthorsBouniot, Quentin, Audigier, Romaric, Loesch, Angélique
Conference Name2020 IEEE/CVF Conference on Computer Vision and Pattern Recognition Workshops (CVPRW)
Date PublishedJune 2020
PublisherIEEE
ISBN Number978-1-7281-9360-1
KeywordsMeasurement, Metrics, metrics testing, Perturbation methods, Protocols, pubcrawl, Robustness, Task Analysis, Testing, Training
AbstractPerson re-identification (re-ID) is a key problem in smart supervision of camera networks. Over the past years, models using deep learning have become state of the art. However, it has been shown that deep neural networks are flawed with adversarial examples, i.e. human-imperceptible perturbations. Extensively studied for the task of image closed- set classification, this problem can also appear in the case of open-set retrieval tasks. Indeed, recent work has shown that we can also generate adversarial examples for metric learning systems such as re-ID ones. These models remain vulnerable: when faced with adversarial examples, they fail to correctly recognize a person, which represents a security breach. These attacks are all the more dangerous as they are impossible to detect for a human operator. Attacking a metric consists in altering the distances between the feature of an attacked image and those of reference images, i.e. guides. In this article, we investigate different possible attacks depending on the number and type of guides available. From this metric attack family, two particularly effective attacks stand out. The first one, called Self Metric Attack, is a strong attack that does not need any image apart from the attacked image. The second one, called FurthestNegative Attack, makes full use of a set of images. Attacks are evaluated on commonly used datasets: Market1501 and DukeMTMC. Finally, we propose an efficient extension of adversarial training protocol adapted to metric learning as a defense that increases the robustness of re-ID models.1
URLhttps://ieeexplore.ieee.org/document/9151088
DOI10.1109/CVPRW50498.2020.00405
Citation Keybouniot_vulnerability_2020