
Person Re-Identification Black-Box Attack And Robustness

Posted on: 2024-06-20
Degree: Master
Type: Thesis
Country: China
Candidate: H W Liu
GTID: 2568307067972719
Subject: Computer technology

Abstract/Summary:
Person re-identification (Re-ID) is a particular cross-camera person retrieval problem that involves non-overlapping cameras. With the continuous development of deep learning technology, the performance of person Re-ID systems has greatly improved. However, it has been demonstrated that deep neural network-based Re-ID systems are vulnerable to adversarial attacks, which cause the model to make incorrect judgments by adding imperceptible perturbations to the sample. This threat greatly hinders the deployment and application of Re-ID technology. Therefore, to investigate the weaknesses and shortcomings of current Re-ID algorithms in terms of security, this paper explores the adversarial robustness of Re-ID models from the perspectives of attack and defense. The specific work includes:

In order to explore vulnerabilities in existing Re-ID systems, a query-efficient universal adversarial perturbation (UAP) black-box attack method is proposed. In the white-box setting, Re-ID is more susceptible to UAP attacks than classification is, and only a small amount of data iteration can cause a sharp drop in model performance. However, the white-box setting does not meet the requirements of real-world applications, which inspires the exploration of a query-based black-box attack method combined with UAP attacks. The proposed method reduces query quantity and maintains the visual quality of adversarial samples by using importance sampling and coordinate-wise gradient estimation. Additionally, a loss function suitable for query-based Re-ID attack tasks is designed to update perturbations, and a coordinate-wise gradient iteration attack algorithm with spatial momentum prior knowledge is proposed to further enhance the performance of the attack. Extensive experiments demonstrate the effectiveness of the method, which achieves a good balance among total query quantity, attack success rate, and visual quality of adversarial samples in large-scale pedestrian re-identification attack tasks.

An efficient adversarial training (AT) method for Re-ID is proposed to address the lengthy training time and poor generalization performance of existing methods. Firstly, the factors that lead to the lack of robustness of current Re-ID models under adversarial sample attack are explored, and the reasons for this phenomenon are experimentally analyzed and discussed. Based on these explorations, an efficient adversarial training method is proposed by combining the training method of Free-AT with UAP, while keeping the cost of adversarial training consistent with normal training. Additionally, a strategy of random restarts for UAP and the retention of clean samples for training during the process are proposed. Experiments demonstrate the effectiveness of this method in improving the generalization performance of the model on clean samples and under black-box attacks.
Keywords/Search Tags: Adversarial Attack, Black-box Attack, Adversarial Training, Person Re-identification, Deep Learning