Debiased Dual-Invariant Defense for Adversarially Robust Person Re-Identification

TL;DR

This work tackles adversarial robustness in person Re-Identification by identifying model bias and the need for dual generalization to unseen identities and attacks. It introduces a debiased dual-invariant defense comprising diffusion-model-based data balancing to fix inter-/intra-ID data biases and a bi-adversarial self-meta defense that combines FNES-based metric adversarial training with adversarially-enhanced self-meta learning to learn dual-invariant representations. The approach yields state-of-the-art robustness on standard ReID benchmarks, demonstrates strong cross-dataset transfer, and offers interpretability through attention and feature-distribution analyses. The proposed framework enhances reliability of ReID systems in security-critical applications by improving both robustness to unseen attacks and generalization to new identities, while providing practical insights into model fairness and generalization mechanisms.

Abstract

Person re-identification (ReID) is a fundamental task in many real-world applications such as pedestrian trajectory tracking. However, advanced deep learning-based ReID models are highly susceptible to adversarial attacks, where imperceptible perturbations to pedestrian images can cause entirely incorrect predictions, posing significant security threats. Although numerous adversarial defense strategies have been proposed for classification tasks, their extension to metric learning tasks such as person ReID remains relatively unexplored. Moreover, the several existing defenses for person ReID fail to address the inherent unique challenges of adversarially robust ReID. In this paper, we systematically identify the challenges of adversarial defense in person ReID into two key issues: model bias and composite generalization requirements. To address them, we propose a debiased dual-invariant defense framework composed of two main phases. In the data balancing phase, we mitigate model bias using a diffusion-model-based data resampling strategy that promotes fairness and diversity in training data. In the bi-adversarial self-meta defense phase, we introduce a novel metric adversarial training approach incorporating farthest negative extension softening to overcome the robustness degradation caused by the absence of classifier. Additionally, we introduce an adversarially-enhanced self-meta mechanism to achieve dual-generalization for both unseen identities and unseen attack types. Experiments demonstrate that our method significantly outperforms existing state-of-the-art defenses.

Figures (8)

• Figure 1: Statistics of sample counts for each ID.
• Figure 2: Biased model accuracy.
• Figure 3: Partial adversarial examples from the original dataset illustrating the challenge of homogenization.
• Figure 4: Overview of our proposed method, which consists of data balancing and bi-adversarial self-meta defense.
• Figure 5: Visualization of partial augmented data. The images with green borders are the original samples, while those with orange borders are the generated augmented samples.