Learning to Learn Transferable Generative Attack for Person Re-Identification
0
Sign in to get full access
Overview
- The paper proposes a meta-learning approach for generating transferable adversarial examples to attack person re-identification (re-id) models.
- The key idea is to learn a generative model that can produce adversarial perturbations that are effective across multiple re-id models and datasets.
- The proposed method, called Transferable Generative Adversarial Attack (TGAA), outperforms state-of-the-art adversarial attack methods in terms of transferability.
Plain English Explanation
Person re-identification (re-id) is the task of identifying the same person across different camera views. Adversarial attacks aim to fool re-id models by adding small, imperceptible changes to images that cause the model to misclassify the person. However, these attacks often lack "transferability," meaning they only work on the model they were designed for and not on other re-id models.
The researchers in this paper propose a novel approach called TGAA that can generate adversarial perturbations that are effective across multiple re-id models and datasets. The key idea is to use a meta-learning technique to train a generative model that can produce transferable adversarial examples.
Instead of optimizing the adversarial perturbation for a single model, the TGAA generator is trained to fool a diverse set of re-id models. This teaches the generator to create perturbations that exploit common vulnerabilities across different re-id models, making the attacks more transferable.
The researchers demonstrate that TGAA outperforms existing adversarial attack methods in terms of fooling multiple re-id models, even when the models were not seen during training. This is an important step towards building more robust and generalizable re-id systems that can withstand a variety of adversarial threats.
Technical Explanation
The paper proposes a Transferable Generative Adversarial Attack (TGAA) method for generating adversarial examples that can effectively fool multiple person re-identification (re-id) models.
The approach uses a meta-learning framework, where the goal is to train a generative model that can produce perturbations that are transferable across different re-id models and datasets. The TGAA generator is trained to minimize the re-id accuracy of a diverse set of target re-id models, rather than a single model.
Specifically, the TGAA generator takes a clean image as input and outputs an adversarial perturbation. This perturbation is then added to the input image to create an adversarial example. The generator is trained using a bilevel optimization procedure, where the inner optimization minimizes the re-id accuracy of the target models, and the outer optimization updates the generator parameters to improve the transferability of the adversarial perturbations.
The researchers evaluate TGAA on several re-id datasets and compare its performance to state-of-the-art adversarial attack methods. The results show that TGAA can generate highly transferable adversarial examples that significantly degrade the performance of multiple re-id models, even those not seen during training.
Critical Analysis
The paper makes a valuable contribution by addressing the challenge of generating transferable adversarial examples for person re-identification. The proposed TGAA method represents an important step towards building more robust and generalizable re-id systems that can withstand a variety of adversarial threats.
One potential limitation of the work is that the evaluation is primarily focused on the transferability of the adversarial examples, without a detailed analysis of the visual quality or physical realizability of the perturbations. In a real-world setting, these factors may also be important considerations for the practicality of the attacks.
Additionally, the paper does not explore the potential for defending against the TGAA attacks. Investigating effective countermeasures, such as adversarial training or detection mechanisms, could be an interesting direction for future research.
Overall, the paper presents a novel and promising approach to the problem of transferable adversarial attacks, and the insights from this work could inspire further research in the area of robust and secure machine learning systems.
Conclusion
This paper introduces a meta-learning-based approach called Transferable Generative Adversarial Attack (TGAA) for generating adversarial examples that can effectively fool multiple person re-identification (re-id) models. By training the generator to minimize the re-id accuracy of a diverse set of target models, TGAA can produce highly transferable adversarial perturbations that degrade the performance of re-id systems across different datasets.
The proposed method represents an important step towards building more robust and generalizable re-id systems that can withstand a variety of adversarial threats. While the paper primarily focuses on the transferability of the attacks, future work could explore the visual quality and physical realizability of the perturbations, as well as investigate effective countermeasures to defend against such attacks.
This summary was produced with help from an AI and may contain inaccuracies - check out the links to read the original source documents!
Related Papers
0
Learning to Learn Transferable Generative Attack for Person Re-Identification
Yuan Bian, Min Liu, Xueping Wang, Yunfeng Ma, Yaonan Wang
Deep learning-based person re-identification (re-id) models are widely employed in surveillance systems and inevitably inherit the vulnerability of deep networks to adversarial attacks. Existing attacks merely consider cross-dataset and cross-model transferability, ignoring the cross-test capability to perturb models trained in different domains. To powerfully examine the robustness of real-world re-id models, the Meta Transferable Generative Attack (MTGA) method is proposed, which adopts meta-learning optimization to promote the generative attacker producing highly transferable adversarial examples by learning comprehensively simulated transfer-based cross-model&dataset&test black-box meta attack tasks. Specifically, cross-model&dataset black-box attack tasks are first mimicked by selecting different re-id models and datasets for meta-train and meta-test attack processes. As different models may focus on different feature regions, the Perturbation Random Erasing module is further devised to prevent the attacker from learning to only corrupt model-specific features. To boost the attacker learning to possess cross-test transferability, the Normalization Mix strategy is introduced to imitate diverse feature embedding spaces by mixing multi-domain statistics of target models. Extensive experiments show the superiority of MTGA, especially in cross-model&dataset and cross-model&dataset&test attacks, our MTGA outperforms the SOTA methods by 21.5% and 11.3% on mean mAP drop rate, respectively. The code of MTGA will be released after the paper is accepted.
Read more9/9/2024
0
Generalizable Metric Network for Cross-domain Person Re-identification
Lei Qi, Ziang Liu, Yinghuan Shi, Xin Geng
Person Re-identification (Re-ID) is a crucial technique for public security and has made significant progress in supervised settings. However, the cross-domain (i.e., domain generalization) scene presents a challenge in Re-ID tasks due to unseen test domains and domain-shift between the training and test sets. To tackle this challenge, most existing methods aim to learn domain-invariant or robust features for all domains. In this paper, we observe that the data-distribution gap between the training and test sets is smaller in the sample-pair space than in the sample-instance space. Based on this observation, we propose a Generalizable Metric Network (GMN) to further explore sample similarity in the sample-pair space. Specifically, we add a Metric Network (M-Net) after the main network and train it on positive and negative sample-pair features, which is then employed during the test stage. Additionally, we introduce the Dropout-based Perturbation (DP) module to enhance the generalization capability of the metric network by enriching the sample-pair diversity. Moreover, we develop a Pair-Identity Center (PIC) loss to enhance the model's discrimination by ensuring that sample-pair features with the same pair-identity are consistent. We validate the effectiveness of our proposed method through a lot of experiments on multiple benchmark datasets and confirm the value of each module in our GMN.
Read more4/30/2024
0
Enhancing Transferability of Adversarial Attacks with GE-AdvGAN+: A Comprehensive Framework for Gradient Editing
Zhibo Jin, Jiayu Zhang, Zhiyu Zhu, Yuchen Zhang, Jiahao Huang, Jianlong Zhou, Fang Chen
Transferable adversarial attacks pose significant threats to deep neural networks, particularly in black-box scenarios where internal model information is inaccessible. Studying adversarial attack methods helps advance the performance of defense mechanisms and explore model vulnerabilities. These methods can uncover and exploit weaknesses in models, promoting the development of more robust architectures. However, current methods for transferable attacks often come with substantial computational costs, limiting their deployment and application, especially in edge computing scenarios. Adversarial generative models, such as Generative Adversarial Networks (GANs), are characterized by their ability to generate samples without the need for retraining after an initial training phase. GE-AdvGAN, a recent method for transferable adversarial attacks, is based on this principle. In this paper, we propose a novel general framework for gradient editing-based transferable attacks, named GE-AdvGAN+, which integrates nearly all mainstream attack methods to enhance transferability while significantly reducing computational resource consumption. Our experiments demonstrate the compatibility and effectiveness of our framework. Compared to the baseline AdvGAN, our best-performing method, GE-AdvGAN++, achieves an average ASR improvement of 47.8. Additionally, it surpasses the latest competing algorithm, GE-AdvGAN, with an average ASR increase of 5.9. The framework also exhibits enhanced computational efficiency, achieving 2217.7 FPS, outperforming traditional methods such as BIM and MI-FGSM. The implementation code for our GE-AdvGAN+ framework is available at https://github.com/GEAdvGANP
Read more9/4/2024
🤷
0
Domain Adaptive Attention Learning for Unsupervised Person Re-Identification
Yangru Huang, Peixi Peng, Yi Jin, Yidong Li, Junliang Xing, Shiming Ge
Person re-identification (Re-ID) across multiple datasets is a challenging task due to two main reasons: the presence of large cross-dataset distinctions and the absence of annotated target instances. To address these two issues, this paper proposes a domain adaptive attention learning approach to reliably transfer discriminative representation from the labeled source domain to the unlabeled target domain. In this approach, a domain adaptive attention model is learned to separate the feature map into domain-shared part and domain-specific part. In this manner, the domain-shared part is used to capture transferable cues that can compensate cross-dataset distinctions and give positive contributions to the target task, while the domain-specific part aims to model the noisy information to avoid the negative transfer caused by domain diversity. A soft label loss is further employed to take full use of unlabeled target data by estimating pseudo labels. Extensive experiments on the Market-1501, DukeMTMC-reID and MSMT17 benchmarks demonstrate the proposed approach outperforms the state-of-the-arts.
Read more6/18/2024