Similarity Distribution based Membership Inference Attack on Person Re-identification

TL;DR

A formal and empirical analysis validates that the distribution shift of the inter-sample similarity between training and test set is a critical criterion for Re-ID membership inference, and proposes a novel membership inference attack method based on theInter- sample similarity distribution.

Abstract

While person Re-identification (Re-ID) has progressed rapidly due to its wide real-world applications, it also causes severe risks of leaking personal information from training data. Thus, this paper focuses on quantifying this risk by membership inference (MI) attack. Most of the existing MI attack algorithms focus on classification models, while Re-ID follows a totally different training and inference paradigm. Re-ID is a fine-grained recognition task with complex feature embedding, and model outputs commonly used by existing MI like logits and losses are not accessible during inference. Since Re-ID focuses on modelling the relative relationship between image pairs instead of individual semantics, we conduct a formal and empirical analysis which validates that the distribution shift of the inter-sample similarity between training and test set is a critical criterion for Re-ID membership inference. As a result, we propose a novel membership inference attack method based on the inter-sample similarity distribution. Specifically, a set of anchor images are sampled to represent the similarity distribution conditioned on a target image, and a neural network with a novel anchor selection module is proposed to predict the membership of the target image. Our experiments validate the effectiveness of the proposed approach on both the Re-ID task and conventional classification task.

Figures (7)

• Figure 1: The different outputs for classification model and Re-ID model under the black-box setting. For classification model (left), adversarial can access the logits and loss both during and after the training processing. However, for the Re-ID model (right), only similarity and feature embedding are accessible during inference, which is not suitable for existing classification-based MI attacks.
• Figure 2: The average and standard deviation gap of distance from every reference sample to training target images or test target images.
• Figure 3: Cumulative density function of the average and standard deviation of the distance from the all reference samples to training target images and test target images.
• Figure 4: The two-stages pipeline of our black-box MI attack. First, for each target image $x_t$ we compute the similarity vector $\boldsymbol{\tilde{v}_t}$ with reference samples. Second, we fed similarity vector $\boldsymbol{\tilde{v}_t}$ into the attack model to infer the membership of target image $x_t$. Furthermore, we propose the anchor selector module selecting useful anchor images in the limited reference set to better approximate the similarity distribution.
• Figure 5: The specific architectures of our attack model (b) and anchor selector module (a).