advPattern: Physical-World Attacks on Deep Person Re-Identification via Adversarially Transformable Patterns

TL;DR

This paper introduces advPattern, a novel physical-world adversarial attack method that creates transformable clothing patterns to deceive deep person re-identification systems, significantly reducing their accuracy and enabling impersonation.

Contribution

The paper presents the first robust physical-world attack on deep re-ID using adversarial clothing patterns that learn to manipulate feature similarities across camera views.

Findings

Adversarial patterns reduce re-ID accuracy from 87.9% to 27.1%.

Adversaries can impersonate targets with 47.1% rank-1 accuracy.

Physical attacks demonstrate vulnerability of deep re-ID systems.

Abstract

Person re-identification (re-ID) is the task of matching person images across camera views, which plays an important role in surveillance and security applications. Inspired by great progress of deep learning, deep re-ID models began to be popular and gained state-of-the-art performance. However, recent works found that deep neural networks (DNNs) are vulnerable to adversarial examples, posing potential threats to DNNs based applications. This phenomenon throws a serious question about whether deep re-ID based systems are vulnerable to adversarial attacks. In this paper, we take the first attempt to implement robust physical-world attacks against deep re-ID. We propose a novel attack algorithm, called advPattern, for generating adversarial patterns on clothes, which learns the variations of image pairs across cameras to pull closer the image features from the same camera, while pushing features from different cameras farther. By wearing our crafted "invisible cloak", an adversary can evade person search, or impersonate a target person to fool deep re-ID models in physical world. We evaluate the effectiveness of our transformable patterns on adversaries'clothes with Market1501 and our established PRCS dataset. The experimental results show that the rank-1 accuracy of re-ID models for matching the adversary decreases from 87.9% to 27.1% under Evading Attack. Furthermore, the adversary can impersonate a target person with 47.1% rank-1 accuracy and 67.9% mAP under Impersonation Attack. The results demonstrate that deep re-ID systems are vulnerable to our physical attacks.