Abstract
The vulnerability of re-identification (re-ID) models under adversarial attacks is of significant concern as criminals may use adversarial perturbations to evade surveillance systems. Unlike a closed-world re-ID setting (i.e., a fixed number of training categories), a reliable re-ID system in the open world raises the concern of training a robust yet discriminative classifier, which still shows robustness in the context of unknown examples of an identity. In this work, we improve the robustness of open-world re-ID models by proposing a generative metric learning approach to generate adversarial examples that are regularized to produce robust distance metric. The proposed approach leverages the expressive capability of generative adversarial networks to defend the re-ID models against feature disturbance attacks. By generating the target people variants and sampling the triplet units for metric learning, our learned distance metrics are regulated to produce accurate predictions in the feature metric space. Experimental results on the three re-ID datasets, i.e., Market-1501, DukeMTMC-reID, and MSMT17 demonstrate the robustness of our method.
- [1] . 2018. Certified defenses against adversarial examples. In ICLR.Google Scholar
- [2] . 2015. An improved deep learning architecture for person re-identification. In CVPR. 3908–3916.Google Scholar
- [3] . 2015. Person re-identification by robust canonical correlation analysis. IEEE Sign. Process. Lett. 22, 8 (2015), 1103–1107.Google Scholar
Cross Ref
- [4] . 2018. Synthesizing robust adversarial examples. In ICML. 284–293.Google Scholar
- [5] . 2021. Metric attack and defence for person re-identification. IEEE Trans. Pattern Anal. Mach. Intell. 43, 6 (2021), 2119–2126.Google Scholar
Cross Ref
- [6] . 2017. Mitigating evasion attacks to deep neural networks via region-based classification. CoRR abs/1709.05583.Google Scholar
- [7] . 2017. Towards evaluating the robustness of neural networks. In S&P. 39–57.Google Scholar
- [8] . 2017. Beyond triplet loss: A deep quadruplet network for person re-identification. In CVPR. 1320–1329.Google Scholar
- [9] . 2017. Parseval networks: Improving robustness to adversarial examples. In ICML. 854–863.Google Scholar
- [10] . 1995. Support-vector networks. Mach. Learn. 20, 3 (1995), 273–297.Google Scholar
Cross Ref
- [11] . 2018. Image-image domain adaptation with preserved self-similarity and domain-dissimilarity for person re-identification. In CVPR.Google Scholar
- [12] . 2021. Beyond universal person re-identification attack. IEEE Trans. Inf. Forens. Secur. 16 (2021), 3442–3455.Google Scholar
Cross Ref
- [13] . 2018. Boosting adversarial attacks with momentum. In CVPR. 9185–9193.Google Scholar
- [14] . 2018. Deep adversarial metric learning. In CVPR. 2780–2789.Google Scholar
- [15] . 2010. Object detection with discriminatively trained part-based models. IEEE Trans. Pattern Anal. Mach. Intell. 32, 9 (2010), 1627–1645.Google Scholar
Digital Library
- [16] . 2021. A person re-identification data augmentation method with adversarial defense effect. arXiv:2101.08783. Retrieved from https://arxiv.org/abs/2101.08783.Google Scholar
- [17] . 2014. Generative adversarial nets. In NIPS.Google Scholar
- [18] . 2015. Explaining and harnessing adversarial examples. In ICLR.Google Scholar
- [19] . 2017. In defence of the triplet loss for person re-identification. arXiv:1703.07737. Retrieved from https://arxiv.org/abs/1703.07737.Google Scholar
- [20] . 2017. Densely connected convolutional networks. In CVPR.Google Scholar
- [21] . 2018. Adversarially occluded samples for person re-identification. In CVPR. 5098–5107.Google Scholar
- [22] . 2018. Black-box adversarial attacks with limited queries and information. In ICML. 2142–2151.Google Scholar
- [23] . 2019. Adversarial examples are not bugs, they are features. In NeurIPS. 125–136.Google Scholar
- [24] . 2018. Adversarial logit pairing. arXiv:1803.06373. Retrieved from https://arxiv.org/abs/1803.06373.Google Scholar
- [25] . 2019. Real-world attack on MTCNN face detection system. In SIBIRCON. 422–427.Google Scholar
- [26] . 2018. A Guide to Convolutional Neural Networks for Computer Vision (1st ed.). Morgan & Claypool Publishers, San Rafael, California. Google Scholar
Digital Library
- [27] . 2016. Adversarial examples in the physical world. In arXiv:1607.02533. Retrieved from https://arxiv.org/abs/1607.02533.Google Scholar
- [28] . 2019. Universal perturbation attack against image retrieval. In ICCV. 4899–4908.Google Scholar
- [29] . 2011. Deepreid: Deep filter pairing neural network for person re-identification. In CVPR.Google Scholar
- [30] . 2018. Harmonious attention network for person re-identification. In CVPR. 2285–2294.Google Scholar
- [31] . 2018. Adversarial open-world person re-identification. In ECCV. 287–303.Google Scholar
- [32] . 2015. Person re-identification by local maximal occurrence representation and metric learning. In CVPR. 2197–2206.Google Scholar
- [33] . 2017. Feature pyramid networks for object detection. In CVPR. 2117–2125.Google Scholar
- [34] . 2018. Towards deep learning models using resistant to adversarial attacks. In ICLR.Google Scholar
- [35] . 2019. Metric learning for adversarial robustness. In NeurIPS.Google Scholar
- [36] . 2017. Universal adversarial perturbations. In CVPR. 86–94.Google Scholar
- [37] . 2019. Generalizable data-free objective for crafting universal adversarial perturbations. IEEE Trans. Pattern Anal. Mach. Intell. 41, 10 (2019), 2452–2465.Google Scholar
Digital Library
- [38] . 2015. Deep neural networks are easily fooled: High confidence predictions for unrecognizable images. In CVPR. 427–436.Google Scholar
- [39] . 2016. Transferability in machine learning: from phenomena to black-box attacks using adversarial samples. In CoRR abs/1605.07277.Google Scholar
- [40] . 2015. Faster r-cnn: Towards real-time object detection with region proposal networks. In NIPS. 91–99.Google Scholar
- [41] . 2016. Performance measures and a data set for multi-target, multi-camera tracking. In ECCV Workshop on Benchmarking Multi-Target Tracking. 17–35.Google Scholar
- [42] . 2018. Features for multi-target multi-camera tracking and person re-identification. In CVPR.Google Scholar
- [43] . 2018. Defense-gan: Protecting classifiers against adversarial attacks using generative models. arXiv:1805.06605. Retrieved from https://arxiv.org/abs/1805.06605.Google Scholar
- [44] . 2019. Adversarial training for free! In NeurIPS.Google Scholar
- [45] . 2016. Embedding deep metric for person re-identification: A study against large variations. In ECCV. 732–748.Google Scholar
- [46] . 2018. Beyond part models: Person retrieval with refined part pooling. In ECCV.Google Scholar
- [47] . 2014. Intriguing properties of neural networks. In ICLR.Google Scholar
- [48] . 2018. Ensemble adversarial training: Attacks and defenses. In ICLR.Google Scholar
- [49] . 2020. Transferable, controllable, and inconspicuous adversarial attacks on person re-identification with deep mis-ranking. In CVPR. 342–351.Google Scholar
- [50] . 2019. advPattern: Physical-world attacks on deep re-identification via adversarially transformable patterns. In ICCV. 8341–8350.Google Scholar
- [51] . 2018. Person transfer gan to bridge domain gap for person re- identification. In CVPR. 79–88.Google Scholar
- [52] . 2018. Decision-based adversarial attacks: Reliable attacks against black-box machine learning models. In ICLR.Google Scholar
- [53] . 2018. Provable defenses against adversarial examples via the convex outer adversarial polytope. In ICML. 5283–5292.Google Scholar
- [54] . 2018. Deep adaptive feature embedding with local sample distributions for person re-identification. Pattern Recogn. 73 (2018), 275–288.Google Scholar
Cross Ref
- [55] . 2020. Few-shot deep adversarial learning for video-based person re-identification. IEEE Trans. Image Process. 29, 1 (2020), 1233–1245.Google Scholar
Cross Ref
- [56] . 2019. Training for faster adversarial robustness verification via inducing relu stability. In ICLR.Google Scholar
- [57] . 2018. Feature denoising for improving adversarial robustness. CoRR abs/1812.03411.Google Scholar
- [58] . 2019. Me-net: Towards effective adversarial robustness with matrix estimation. In ICML.Google Scholar
- [59] . 2020. Deep learning for person re-identification: A survey and outlook. IEEE Trans. Pattern Anal. Mach. Intell. (2020).Google Scholar
- [60] . 2019. You only propagate once: Accelerating adversarial training via maximal principle. In NeurIPS.Google Scholar
- [61] . 2017. Alignedreid: Surpassing human-level performance in person re-identification.Google Scholar
- [62] . 2015. Scalable person re-identification: A benchmark. In ICCV.Google Scholar
- [63] . 2018. Person re-identification: Past, present and future. arXiv:1610.02984. Retrieved from https://arxiv.org/abs/1610.02984.Google Scholar
- [64] . 2013. Re-identification by relative distance comparison. IEEE Trans. Pattern Anal. Mach. Intell. 35, 3 (
March 2013), 653–668.Google ScholarDigital Library
- [65] . 2018. Robust detection of adversarial attacks by modeling the intrinsic properties of deep neural networks. In NIPS. 7913–7922.Google Scholar
- [66] . 2019. Joint discriminative and generative learning for person re-identification. In CVPR. 2138–2146.Google Scholar
- [67] . 2017. Unlabeled samples generated by GAN improve the person re-identification baseline in vitro. In ICCV.Google Scholar
- [68] . 2018. Query attack via opposite-direction feature: Towards robust image retrieval. arXiv:1809.02681. Retrieved from https://arxiv.org/abs/1809.02681.Google Scholar
- [69] . 2017. Re-ranking person re-identification with k-reciprocal encoding. In ICCV.Google Scholar
- [70] . 2018. Generalizing a person retrieval model hetero and homogenerously. In ECCV. 172–188.Google Scholar
- [71] . 2018. Fast open-world person re-identification. IEEE Trans. Image Process. 27, 5 (2018), 2286–2300.Google Scholar
Digital Library
Index Terms
Generative Metric Learning for Adversarially Robust Open-world Person Re-Identification
Recommendations
Semi-supervised Region Metric Learning for Person Re-identification
In large-scale camera networks, label information for person re-identification is usually not available under a large amount of cameras due to expensive human labor efforts. Semi-supervised learning could be employed to train a discriminative classifier ...
Adversarial Robustness of Open-Set Recognition: Face Recognition and Person Re-identification
Computer Vision – ECCV 2020 WorkshopsAbstractRecent studies show that DNNs are vulnerable to adversarial attacks, in which carefully chosen imperceptible modifications to the inputs lead to incorrect predictions. However most existing attacks focus on closed-set classification, and ...
Deep Graph Metric Learning for Weakly Supervised Person Re-Identification
In conventional person re-identification (re-id), the images used for model training in the training probe set and training gallery set are all assumed to be instance-level samples that are manually labeled from raw surveillance video (likely with the ...






Comments