Learning to Learn Transferable Generative Attack for Person Re-Identification

Yuan Bian, Min Liu, Xueping Wang, Yunfeng Ma, Yaonan Wang

TL;DR

This paper addresses the vulnerability of person re-identification systems to adversarial perturbations by introducing MTGA, a meta-learning framework that trains a generative attacker to produce highly transferable adversarial examples across cross-model, cross-dataset, and cross-test scenarios. MTGA constructs extensive transfer-based meta-tasks using a data zoo and a model zoo, and introduces Perturbation Random Erasing (PRE) to prevent overfitting to model-specific features and Normalization Mix (NorMix) to simulate diverse embedding spaces, thereby enhancing cross-domain robustness. The method achieves state-of-the-art transferability across six black-box settings, with notable improvements in mean mAP drop rate, aAP, and mDR, and demonstrates resilience against common defenses. These results provide a rigorous benchmark and reveal practical vulnerabilities in real-world re-id systems, guiding future development of more robust models and defenses.

Abstract

Deep learning-based person re-identification (re-id) models are widely employed in surveillance systems and inevitably inherit the vulnerability of deep networks to adversarial attacks. Existing attacks merely consider cross-dataset and cross-model transferability, ignoring the cross-test capability to perturb models trained in different domains. To powerfully examine the robustness of real-world re-id models, the Meta Transferable Generative Attack (MTGA) method is proposed, which adopts meta-learning optimization to push the generative attacker to produce highly transferable adversarial examples by learning comprehensively simulated transfer-based cross-model&dataset&test black-box meta attack tasks. Specifically, cross-model&dataset black-box attack tasks are first mimicked by selecting different re-id models and datasets for the meta-train and meta-test attack processes. As different models may focus on different feature regions, the Perturbation Random Erasing module is further devised to prevent the attacker from learning to corrupt only model-specific features. To help the attacker acquire cross-test transferability, the Normalization Mix strategy is introduced to imitate diverse feature embedding spaces by mixing multi-domain statistics of target models. Extensive experiments show the superiority of MTGA: in cross-model&dataset and cross-model&dataset&test attacks in particular, MTGA outperforms the SOTA methods by 21.5% and 11.3% on mean mAP drop rate, respectively. The code of MTGA will be released after the paper is accepted.
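
The abstract reports its results as mean mAP drop rate. The following is an added example, not code from the paper or its authors, showing how a defender can compute that robustness metric when benchmarking their own re-id model against perturbed queries. It assumes aAP is the mAP measured on perturbed queries and mDR = (mAP - aAP) / mAP, which this page names but does not define; the embeddings are constructed sample data, and the same-camera gallery filtering used in standard re-id protocols is omitted.

```python
# Added example: robustness metrics for a re-id retrieval model.
# Assumption: aAP is the mAP on perturbed queries and mDR = (mAP - aAP) / mAP.
# All function names and sample embeddings here are hypothetical.
import math

def average_precision(ranked_ids, query_id):
    """AP for one query: mean precision at each rank where a true match appears."""
    hits, precisions = 0, []
    for rank, gid in enumerate(ranked_ids, start=1):
        if gid == query_id:
            hits += 1
            precisions.append(hits / rank)
    return sum(precisions) / len(precisions) if precisions else 0.0

def mean_ap(query_feats, query_ids, gallery_feats, gallery_ids):
    """Rank the gallery by Euclidean distance to each query and average the APs."""
    aps = []
    for q, qid in zip(query_feats, query_ids):
        order = sorted(range(len(gallery_feats)),
                       key=lambda i: math.dist(q, gallery_feats[i]))
        aps.append(average_precision([gallery_ids[i] for i in order], qid))
    return sum(aps) / len(aps)

def map_drop_rate(clean_map, attacked_map):
    """Relative mAP loss under perturbation: 0 = unaffected, 1 = retrieval destroyed."""
    if clean_map == 0:
        raise ValueError("clean mAP is zero; drop rate is undefined")
    return (clean_map - attacked_map) / clean_map

# Constructed 2-D embeddings: two identities, two gallery images each.
GALLERY_FEATS = [(0.0, 0.0), (0.1, 0.0), (1.0, 1.0), (1.1, 1.0)]
GALLERY_IDS = ["A", "A", "B", "B"]
QUERY_IDS = ["A", "B"]
CLEAN_QUERIES = [(0.05, 0.0), (1.05, 1.0)]
# Constructed: the "A" query embedding has drifted toward identity "B".
PERTURBED_QUERIES = [(0.9, 0.9), (1.05, 1.0)]

def evaluate():
    """Return (mAP, aAP, mDR) for the constructed clean and perturbed query sets."""
    clean = mean_ap(CLEAN_QUERIES, QUERY_IDS, GALLERY_FEATS, GALLERY_IDS)
    attacked = mean_ap(PERTURBED_QUERIES, QUERY_IDS, GALLERY_FEATS, GALLERY_IDS)
    return clean, attacked, map_drop_rate(clean, attacked)

if __name__ == "__main__":
    print("mAP=%.3f aAP=%.3f mDR=%.3f" % evaluate())
```

Tracking mDR per source of perturbed queries (different surrogate models, datasets and test domains) shows which transfer setting a deployed model is least robust to.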

Paper Structure (19 sections, 15 equations, 7 figures, 14 tables, 1 algorithm)

This paper contains 19 sections, 15 equations, 7 figures, 14 tables, 1 algorithm.

Figures (7)

  • Figure 1: Comparison of transfer-based black-box generative attacks between classification and re-id tasks. In a black-box attack on classification tasks, the target models share the same feature embedding space, and the data to be attacked is the training data of these models. In a black-box attack on re-id tasks, the target models may have diverse feature embedding spaces, and queries from unseen domains need to be attacked. Therefore, the re-id task attack has additional cross-dataset and cross-test transferability demands beyond the cross-model demand of the classification task attack.
  • Figure 2: The overall framework of our MTGA. CAS is applied to generate cross-model&dataset meta attack tasks. In each task, the meta-train process calculates the adversarial loss and generative loss as the meta-train loss and uses it to update the copied generator. In the meta-test process, the Normalization Mix and Perturbation Random Erasing modules are applied to give the attacker cross-test and cross-model transferability. The meta-test loss is calculated on the updated model, and the sum of the meta-test losses of all attack tasks is used to update the original adversarial generator.
  • Figure 3: Attention maps of benign images and adversarial examples (AE) on different models, visualized by Grad-CAM (Selvaraju et al., 2017).
  • Figure 4: Analysis of mDR under different values of perturbation strength, task number, learning rate, mix coefficient, PRE probability and mask percentage in the cross-model&dataset (C-M&D) and cross-model&dataset&test (C-M&D&T) scenarios.
  • Figure 5: Visualization of perturbations (Pert) and adversarial examples (AE) generated by our MTGA across multiple datasets. The perturbations are imperceptible and human body-like.
  • ...and 2 more figures