skip to main content
research-article

Generative Metric Learning for Adversarially Robust Open-world Person Re-Identification

Authors Info & Claims
Published:05 January 2023Publication History
Skip Abstract Section

Abstract

The vulnerability of re-identification (re-ID) models under adversarial attacks is of significant concern as criminals may use adversarial perturbations to evade surveillance systems. Unlike a closed-world re-ID setting (i.e., a fixed number of training categories), a reliable re-ID system in the open world raises the concern of training a robust yet discriminative classifier, which still shows robustness in the context of unknown examples of an identity. In this work, we improve the robustness of open-world re-ID models by proposing a generative metric learning approach to generate adversarial examples that are regularized to produce robust distance metric. The proposed approach leverages the expressive capability of generative adversarial networks to defend the re-ID models against feature disturbance attacks. By generating the target people variants and sampling the triplet units for metric learning, our learned distance metrics are regulated to produce accurate predictions in the feature metric space. Experimental results on the three re-ID datasets, i.e., Market-1501, DukeMTMC-reID, and MSMT17 demonstrate the robustness of our method.

REFERENCES

  1. [1] Aditi Raghunathan, Jacob Steinhardt, and Percy Liang. 2018. Certified defenses against adversarial examples. In ICLR.Google ScholarGoogle Scholar
  2. [2] Ahmed Ejaz, Jones Michael, and Marks Tim K.. 2015. An improved deep learning architecture for person re-identification. In CVPR. 39083916.Google ScholarGoogle Scholar
  3. [3] An Le, Yang Songfan, and Bhanu Bir. 2015. Person re-identification by robust canonical correlation analysis. IEEE Sign. Process. Lett. 22, 8 (2015), 11031107.Google ScholarGoogle ScholarCross RefCross Ref
  4. [4] Athalye Anish, Engstrom Logan, Ilyas Andrew, and Kwok Kevin. 2018. Synthesizing robust adversarial examples. In ICML. 284293.Google ScholarGoogle Scholar
  5. [5] Bai Song, Li Yingwei, Zhou Yuyin, Li Qizhu, and Torr Philip H. S.. 2021. Metric attack and defence for person re-identification. IEEE Trans. Pattern Anal. Mach. Intell. 43, 6 (2021), 21192126.Google ScholarGoogle ScholarCross RefCross Ref
  6. [6] Cao Xiaoyu and Gong Neil Zhenqiang. 2017. Mitigating evasion attacks to deep neural networks via region-based classification. CoRR abs/1709.05583.Google ScholarGoogle Scholar
  7. [7] Carlini Nicholas and Wagner David A.. 2017. Towards evaluating the robustness of neural networks. In S&P. 3957.Google ScholarGoogle Scholar
  8. [8] Chen Weihua, Chen Xiaotang, Zhang Jianguo, and Huang Kaiqi. 2017. Beyond triplet loss: A deep quadruplet network for person re-identification. In CVPR. 13201329.Google ScholarGoogle Scholar
  9. [9] Cisse Moustapha, Grave Piotr Bojanowski annd Edouard, and Usunier Yann Douphin annd Nicolas. 2017. Parseval networks: Improving robustness to adversarial examples. In ICML. 854863.Google ScholarGoogle Scholar
  10. [10] Cortes Corinna and Vapnik Vladimir. 1995. Support-vector networks. Mach. Learn. 20, 3 (1995), 273297.Google ScholarGoogle ScholarCross RefCross Ref
  11. [11] Deng Weijian, Zheng Liang, Ye Qixiang, Kang Guoliang, Yang Yi, and Jiao Jianbin. 2018. Image-image domain adaptation with preserved self-similarity and domain-dissimilarity for person re-identification. In CVPR.Google ScholarGoogle Scholar
  12. [12] Ding Wenjie, Wei Xing, Ji Rongrong, Hong Xiaopeng, Tian Qi, and Gong Yihong. 2021. Beyond universal person re-identification attack. IEEE Trans. Inf. Forens. Secur. 16 (2021), 34423455.Google ScholarGoogle ScholarCross RefCross Ref
  13. [13] Dong Yinpeng, Liao Fangzhou, Pang Tianyu, Su Hang, Zhu Jun, Hu Xiaolin, and Li Jianguo. 2018. Boosting adversarial attacks with momentum. In CVPR. 91859193.Google ScholarGoogle Scholar
  14. [14] Duan Yueqi, Zheng Wanqing, Lin Xudong, Lu Jiwen, and Zhou Jie. 2018. Deep adversarial metric learning. In CVPR. 27802789.Google ScholarGoogle Scholar
  15. [15] Felzenszwalb Pedro F., Girshick Ross B., McAllester David, and Ramanan Deva. 2010. Object detection with discriminatively trained part-based models. IEEE Trans. Pattern Anal. Mach. Intell. 32, 9 (2010), 16271645.Google ScholarGoogle ScholarDigital LibraryDigital Library
  16. [16] Gong Yunpeng, Zeng Zhiyong, Chen Liwen, Luo Yifan, Weng Bin, and Ye Feng. 2021. A person re-identification data augmentation method with adversarial defense effect. arXiv:2101.08783. Retrieved from https://arxiv.org/abs/2101.08783.Google ScholarGoogle Scholar
  17. [17] Goodfellow Ian J., Pouget-Abadie Jean, Mirza Mehdi, Xu Bing, Warde-Farley David, Ozair Sherjil, Courville Aaron, and Bengio Yoshua. 2014. Generative adversarial nets. In NIPS.Google ScholarGoogle Scholar
  18. [18] Goodfellow Ian J., Shlens Jonathon, and Szegedy Christian. 2015. Explaining and harnessing adversarial examples. In ICLR.Google ScholarGoogle Scholar
  19. [19] Hermans Alexander, Beyer Lucas, and Leibe Bastian. 2017. In defence of the triplet loss for person re-identification. arXiv:1703.07737. Retrieved from https://arxiv.org/abs/1703.07737.Google ScholarGoogle Scholar
  20. [20] Huang Gao, Liu Zhuang, Maaten Laurens van der, and Weinberger Kilian Q.. 2017. Densely connected convolutional networks. In CVPR.Google ScholarGoogle Scholar
  21. [21] Huang Houjing, Li Dangwei, Zhang Zhang, Chen Xiaotang, and Huang Kaiqi. 2018. Adversarially occluded samples for person re-identification. In CVPR. 50985107.Google ScholarGoogle Scholar
  22. [22] Ilyas Andrew, Engstrom Logan, Athalye Anish, and Lin Jessy. 2018. Black-box adversarial attacks with limited queries and information. In ICML. 21422151.Google ScholarGoogle Scholar
  23. [23] Ilyas Andrew, Santurkar Shibani, Tsipras Dimitris, Engstrom Logan, Tran Brandon, and Madry Aleksander. 2019. Adversarial examples are not bugs, they are features. In NeurIPS. 125136.Google ScholarGoogle Scholar
  24. [24] Kannan Harini, Kurakin Alexey, and Goodfellow Ian J.. 2018. Adversarial logit pairing. arXiv:1803.06373. Retrieved from https://arxiv.org/abs/1803.06373.Google ScholarGoogle Scholar
  25. [25] Kaziakhmedov Edgar, Kireev Klim, Melnikov Grigorii, Pautov Mikhail, and Petiushko Aleksandr. 2019. Real-world attack on MTCNN face detection system. In SIBIRCON. 422427.Google ScholarGoogle Scholar
  26. [26] Khan Salman, Rahmani Hossein, Shah Syed Afaq Ali, and Bennamoun Mohammed. 2018. A Guide to Convolutional Neural Networks for Computer Vision (1st ed.). Morgan & Claypool Publishers, San Rafael, California. Google ScholarGoogle ScholarDigital LibraryDigital Library
  27. [27] Kurakin Alexey, Goodfellow Ian, and Bengio Samy. 2016. Adversarial examples in the physical world. In arXiv:1607.02533. Retrieved from https://arxiv.org/abs/1607.02533.Google ScholarGoogle Scholar
  28. [28] Li Jie, Ji Rongrong, Liu Hong, Hong Xiaopeng, Gao Yue, and Tian Qi. 2019. Universal perturbation attack against image retrieval. In ICCV. 48994908.Google ScholarGoogle Scholar
  29. [29] Li Wei, Zhao Rui, Xiao Tong, and Wang Xiaogang. 2011. Deepreid: Deep filter pairing neural network for person re-identification. In CVPR.Google ScholarGoogle Scholar
  30. [30] Li Wei, Zhu Xiatian, and Gong Shaogang. 2018. Harmonious attention network for person re-identification. In CVPR. 22852294.Google ScholarGoogle Scholar
  31. [31] Li Xiang, Wu Ancong, and Zheng Wei-Shi. 2018. Adversarial open-world person re-identification. In ECCV. 287303.Google ScholarGoogle Scholar
  32. [32] Liao Shengcai, Hu Yang, Zhu Xiangyu, and Li Stan Z.. 2015. Person re-identification by local maximal occurrence representation and metric learning. In CVPR. 21972206.Google ScholarGoogle Scholar
  33. [33] Lin Tsung-Yi, Dollár Piotr, Girshick Ross, He Kaiming, Hariharan Bharath, and Belongie Serge. 2017. Feature pyramid networks for object detection. In CVPR. 21172125.Google ScholarGoogle Scholar
  34. [34] Madry Aleksander, Makelov Aleksandar, Schmidt Ludwig, Tsipras Dimitris, and Vladu Adrian. 2018. Towards deep learning models using resistant to adversarial attacks. In ICLR.Google ScholarGoogle Scholar
  35. [35] Mao Chengzhi, Zhong Ziyuan, Yang Junfeng, Vondrick Carl, and Ray Baishakhi. 2019. Metric learning for adversarial robustness. In NeurIPS.Google ScholarGoogle Scholar
  36. [36] Moosavi-Dezfooli Seyed-Mohsen, Fawzi Alhussein, Fawzi Omar, and Frossard Pascal. 2017. Universal adversarial perturbations. In CVPR. 8694.Google ScholarGoogle Scholar
  37. [37] Mopuri Konda Reddy, Ganeshan Aditya, and Babu R. Venkatesh. 2019. Generalizable data-free objective for crafting universal adversarial perturbations. IEEE Trans. Pattern Anal. Mach. Intell. 41, 10 (2019), 24522465.Google ScholarGoogle ScholarDigital LibraryDigital Library
  38. [38] Nguyen Anh, Yosinski Jason, and Clune Jeff. 2015. Deep neural networks are easily fooled: High confidence predictions for unrecognizable images. In CVPR. 427436.Google ScholarGoogle Scholar
  39. [39] Papernot Nicolas, McDaniel Patrick D., and Goodfellow Ian J.. 2016. Transferability in machine learning: from phenomena to black-box attacks using adversarial samples. In CoRR abs/1605.07277.Google ScholarGoogle Scholar
  40. [40] Ren Shaoqing, he Kaiming, Girshick Ross, and Sun Jian. 2015. Faster r-cnn: Towards real-time object detection with region proposal networks. In NIPS. 9199.Google ScholarGoogle Scholar
  41. [41] Ristani Ergys, SoleraRoger Francesco, Cucchiara ZouRita, and Tomasi Carlo. 2016. Performance measures and a data set for multi-target, multi-camera tracking. In ECCV Workshop on Benchmarking Multi-Target Tracking. 1735.Google ScholarGoogle Scholar
  42. [42] Ristani Ergys and Tomasi Carlo. 2018. Features for multi-target multi-camera tracking and person re-identification. In CVPR.Google ScholarGoogle Scholar
  43. [43] Samangouei Pouya, Kabkab Maya, and Chellappa Rama. 2018. Defense-gan: Protecting classifiers against adversarial attacks using generative models. arXiv:1805.06605. Retrieved from https://arxiv.org/abs/1805.06605.Google ScholarGoogle Scholar
  44. [44] Shafahi Ali, Najibi Mahyar, Ghiasi Amin, Xu Zheng, Dickerson John, Studer Christoph, Davis Larry S, Taylor Gavin, and Goldstein Tom. 2019. Adversarial training for free! In NeurIPS.Google ScholarGoogle Scholar
  45. [45] Shi Hailin, Yang Yang, Zhu Xiangyu, Liao Shengcai, Lei Zhen, and Zheng Weishi. 2016. Embedding deep metric for person re-identification: A study against large variations. In ECCV. 732748.Google ScholarGoogle Scholar
  46. [46] Sun Yifan, Zheng Liang, Yang Yi, Tian Qi, and Wang Shengjin. 2018. Beyond part models: Person retrieval with refined part pooling. In ECCV.Google ScholarGoogle Scholar
  47. [47] Szegedy Christian, Zaremba Wojciech, Sutskever Ilya, Bruna Joan, Erhan Dumitru, Goodfellow Ian, and Fergus Rob. 2014. Intriguing properties of neural networks. In ICLR.Google ScholarGoogle Scholar
  48. [48] Tramèr Florian, Kurakin Alexey, Papernot Nicolas, Goodfellow Ian, Boneh Dan, and McDaniel Patrick. 2018. Ensemble adversarial training: Attacks and defenses. In ICLR.Google ScholarGoogle Scholar
  49. [49] Wang Hongjun, Wang Guangrun, Li Ya, Zhang Dongyu, and Lin Liang. 2020. Transferable, controllable, and inconspicuous adversarial attacks on person re-identification with deep mis-ranking. In CVPR. 342351.Google ScholarGoogle Scholar
  50. [50] Wang Zhibo, Zheng Siyang, Song Mengkai, Wang Qian, Rahimpour Alireza, and Qi Hairong. 2019. advPattern: Physical-world attacks on deep re-identification via adversarially transformable patterns. In ICCV. 83418350.Google ScholarGoogle Scholar
  51. [51] Wei Longhui, Zhang Shiliang, Gao Wen, and Tian Qi. 2018. Person transfer gan to bridge domain gap for person re- identification. In CVPR. 7988.Google ScholarGoogle Scholar
  52. [52] Wieland Brendel, Rauber Jonas, and Bethge Matthias. 2018. Decision-based adversarial attacks: Reliable attacks against black-box machine learning models. In ICLR.Google ScholarGoogle Scholar
  53. [53] Wong Eric and Kolter Zico. 2018. Provable defenses against adversarial examples via the convex outer adversarial polytope. In ICML. 52835292.Google ScholarGoogle Scholar
  54. [54] Wu Lin, Wang Yang, Gao Junbin, and Li Xue. 2018. Deep adaptive feature embedding with local sample distributions for person re-identification. Pattern Recogn. 73 (2018), 275288.Google ScholarGoogle ScholarCross RefCross Ref
  55. [55] Wu Lin, Wang Yang, Yin Hongzhi, Wang Meng, and Shao Ling. 2020. Few-shot deep adversarial learning for video-based person re-identification. IEEE Trans. Image Process. 29, 1 (2020), 12331245.Google ScholarGoogle ScholarCross RefCross Ref
  56. [56] Xiao Kai Y., Tjeng Vincent, Shafiullah Nur Muhammad, and Madry Aleksander. 2019. Training for faster adversarial robustness verification via inducing relu stability. In ICLR.Google ScholarGoogle Scholar
  57. [57] Xie Cihang, Wu Yuxin, Maaten Laurens van der, Yuille Alan L., and He Kaiming. 2018. Feature denoising for improving adversarial robustness. CoRR abs/1812.03411.Google ScholarGoogle Scholar
  58. [58] Yang Yuzhe, Zhang Guo, Katabi Dina, and Xu Zhi. 2019. Me-net: Towards effective adversarial robustness with matrix estimation. In ICML.Google ScholarGoogle Scholar
  59. [59] Ye Mang, Shen Jianbing, Lin Gaojie, Xiang Tao, Shao Ling, and Hoi Steven C. H.. 2020. Deep learning for person re-identification: A survey and outlook. IEEE Trans. Pattern Anal. Mach. Intell. (2020).Google ScholarGoogle Scholar
  60. [60] Zhang Dinghuai, Zhang Tianyuan, Lu Yiping, Zhu Zhanxing, and Dong Bin. 2019. You only propagate once: Accelerating adversarial training via maximal principle. In NeurIPS.Google ScholarGoogle Scholar
  61. [61] Zhang Xuan, Luo Hao, Fan Xing, Xiang Weilai, Sun Yixiao, Xiao Qiqi, Jiang Wei, Zhang Chi, and Sun Jian. 2017. Alignedreid: Surpassing human-level performance in person re-identification.Google ScholarGoogle Scholar
  62. [62] Zheng Liang, Shen Liyue, Tian Lu, Wang Shengjin, Wang Jingdong, and Tian Qi. 2015. Scalable person re-identification: A benchmark. In ICCV.Google ScholarGoogle Scholar
  63. [63] Zheng Liang, Yang Yi, and Hauptmann Alexander G.. 2018. Person re-identification: Past, present and future. arXiv:1610.02984. Retrieved from https://arxiv.org/abs/1610.02984.Google ScholarGoogle Scholar
  64. [64] Zheng Wei-Shi, Gong Shaogang, and Xiang Tao. 2013. Re-identification by relative distance comparison. IEEE Trans. Pattern Anal. Mach. Intell. 35, 3 (March2013), 653668.Google ScholarGoogle ScholarDigital LibraryDigital Library
  65. [65] Zheng Zhihao and Hong Pengyu. 2018. Robust detection of adversarial attacks by modeling the intrinsic properties of deep neural networks. In NIPS. 79137922.Google ScholarGoogle Scholar
  66. [66] Zheng Zhedong, Yang Xiaodong, Yu Zhiding, Zheng Liang, Yang Yi, and Kautz Jan. 2019. Joint discriminative and generative learning for person re-identification. In CVPR. 21382146.Google ScholarGoogle Scholar
  67. [67] Zheng Zhedong, Zheng Liang, and Yang Yi. 2017. Unlabeled samples generated by GAN improve the person re-identification baseline in vitro. In ICCV.Google ScholarGoogle Scholar
  68. [68] Zheng Zhedong, Zheng Liang, Yang Yi, and Wu Fei. 2018. Query attack via opposite-direction feature: Towards robust image retrieval. arXiv:1809.02681. Retrieved from https://arxiv.org/abs/1809.02681.Google ScholarGoogle Scholar
  69. [69] Zhong Zhun, Zheng Liang, Cao Donglin, and Li Shaozi. 2017. Re-ranking person re-identification with k-reciprocal encoding. In ICCV.Google ScholarGoogle Scholar
  70. [70] Zhong Zhun, Zheng Liang, Li Shaozi, and Yang Yi. 2018. Generalizing a person retrieval model hetero and homogenerously. In ECCV. 172188.Google ScholarGoogle Scholar
  71. [71] Zhu Xiatian, Wu Botong, Huang Dongcheng, and Zheng Wei-Shi. 2018. Fast open-world person re-identification. IEEE Trans. Image Process. 27, 5 (2018), 22862300.Google ScholarGoogle ScholarDigital LibraryDigital Library

Index Terms

  1. Generative Metric Learning for Adversarially Robust Open-world Person Re-Identification

    Recommendations

    Comments

    Login options

    Check if you have access through your login credentials or your institution to get full access on this article.

    Sign in

    Full Access

    • Published in

      cover image ACM Transactions on Multimedia Computing, Communications, and Applications
      ACM Transactions on Multimedia Computing, Communications, and Applications  Volume 19, Issue 1
      January 2023
      505 pages
      ISSN:1551-6857
      EISSN:1551-6865
      DOI:10.1145/3572858
      • Editor:
      • Abdulmotaleb El Saddik
      Issue’s Table of Contents

      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Publication History

      • Published: 5 January 2023
      • Online AM: 12 March 2022
      • Accepted: 24 February 2022
      • Revised: 8 January 2022
      • Received: 6 July 2021
      Published in tomm Volume 19, Issue 1

      Permissions

      Request permissions about this article.

      Request Permissions

      Check for updates

      Qualifiers

      • research-article
      • Refereed

    PDF Format

    View or Download as a PDF file.

    PDF

    eReader

    View online with eReader.

    eReader

    Full Text

    View this article in Full Text.

    View Full Text

    HTML Format

    View this article in HTML Format .

    View HTML Format
    About Cookies On This Site

    We use cookies to ensure that we give you the best experience on our website.

    Learn more

    Got it!