Papers
Topics
Authors
Recent
Search
2000 character limit reached

Transferable, Controllable, and Inconspicuous Adversarial Attacks on Person Re-identification With Deep Mis-Ranking

Published 8 Apr 2020 in cs.CV | (2004.04199v1)

Abstract: The success of DNNs has driven the extensive applications of person re-identification (ReID) into a new era. However, whether ReID inherits the vulnerability of DNNs remains unexplored. To examine the robustness of ReID systems is rather important because the insecurity of ReID systems may cause severe losses, e.g., the criminals may use the adversarial perturbations to cheat the CCTV systems. In this work, we examine the insecurity of current best-performing ReID models by proposing a learning-to-mis-rank formulation to perturb the ranking of the system output. As the cross-dataset transferability is crucial in the ReID domain, we also perform a back-box attack by developing a novel multi-stage network architecture that pyramids the features of different levels to extract general and transferable features for the adversarial perturbations. Our method can control the number of malicious pixels by using differentiable multi-shot sampling. To guarantee the inconspicuousness of the attack, we also propose a new perception loss to achieve better visual quality. Extensive experiments on four of the largest ReID benchmarks (i.e., Market1501 [45], CUHK03 [18], DukeMTMC [33], and MSMT17 [40]) not only show the effectiveness of our method, but also provides directions of the future improvement in the robustness of ReID systems. For example, the accuracy of one of the best-performing ReID systems drops sharply from 91.8% to 1.4% after being attacked by our method. Some attack results are shown in Fig. 1. The code is available at https://github.com/whj363636/Adversarial-attack-on-Person-ReID-With-Deep-Mis-Ranking.

Citations (79)

Summary

  • The paper introduces a novel adversarial attack that mis-ranks ReID systems by exploiting ranking vulnerabilities.
  • It proposes a multi-stage network and mis-ranking loss function to generate transferable, controllable, and visually inconspicuous perturbations.
  • Experiments demonstrate a dramatic accuracy drop (from 91.8% to 1.4%), emphasizing the need to enhance ReID system robustness.

Analyzing Transferable, Controllable, and Inconspicuous Adversarial Attacks on Person Re-identification

The presented paper explores the vulnerabilities of person re-identification (ReID) systems, particularly emphasizing their susceptibility to adversarial attacks. The study is motivated by the increasing implementation of deep neural networks (DNNs) in ReID tasks and the consequential need to address their robustness.

Problem Statement and Novel Contributions

ReID systems, pivotal for matching individuals across multiple camera views, benefit immensely from DNNs, which enhance feature discrimination and distance metric learning. However, the paper raises concerns about the adoption of potential DNN vulnerabilities in ReID systems. This insecurity is particularly worrying in contexts like criminal tracking, where adversarial perturbations could exploit these vulnerabilities, leading to severe repercussions.

The paper introduces a novel adversarial attack strategy specifically tailored for ReID systems. This approach transcends traditional methods by focusing on perturbing the ranking outcome instead of merely causing misclassification, thereby aligning more closely with the intrinsic nature of ReID tasks. The proposed method is characterized by its transferability, controllability, and inconspicuousness, distinguishing it from prior adversarial approaches.

Methodological Advances

The methodology includes a learning-to-mis-rank formulation intended to skew the ranking predictions of ReID models. The core innovation lies in a new mis-ranking loss function, which targets the ReID problem's ranking-based classification rather than a conventional label-based classification. Complementary to this, the study proposes a multi-stage network architecture for extracting more general and transferable features, thereby augmenting the attack's effectiveness in both white-box and black-box settings.

A key aspect of the method is its focus on maintaining the visual inconspicuousness of adversarial perturbations. This goal is achieved through a differentiated multi-shot sampling mechanism that limits the number of altered pixels, coupled with the introduction of a novel perception loss to enhance visual quality.

Experimental Evaluation and Results

Extensive experiments on four significant ReID datasets—Market1501, CUHK03, DukeMTMC, and MSMT17—demonstrate the significant impact of the proposed method. Notably, a substantial drop in accuracy is observed across various ReID systems following the attack, with one leading system's accuracy plummeting from 91.8% to 1.4%. This decline underlines the method's efficacy in substantially compromising ReID system performance.

The study also conducts a thorough examination of transferability across different datasets and model architectures, underlining the robustness and general applicability of the attack method. Furthermore, the paper provides insights into potential areas for improving the robustness of ReID systems against such adversarial perturbations.

Implications and Future Directions

The demonstrated vulnerabilities highlight a pressing need for enhancing ReID systems' resilience against adversarial attacks. The proposed method not only unveils critical security gaps in existing systems but also suggests a path forward for reinforcing these systems against potential real-world adversarial exploits. Additionally, the work opens up avenues for integrating adversarial examples into training protocols, thereby fortifying ReID systems through adversarial training.

In conclusion, this research makes a significant contribution to understanding and addressing the security challenges faced by ReID systems in the era of DNNs. As AI continues to permeate high-stakes applications, ensuring the robustness of such systems against adversarial threats remains a crucial area of development, with this paper providing valuable methodologies and insights for the community.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.