DiffPhysBA: Diffusion-based Physical Backdoor Attack against Person Re-Identification in Real-World

TL;DR

This paper introduces DiffPhysBA, a diffusion-based physical backdoor attack method for person re-identification systems, achieving high success rates in real-world scenarios by generating realistic accessories as triggers.

Contribution

The paper proposes a novel diffusion-guided, training-free approach to create realistic physical backdoor triggers for person ReID models, improving attack success and stealth.

Findings

Achieves over 90% success rate in digital and physical domains.

Enhances physical trigger resemblance with a similarity-guided sampling process.

Outperforms direct paste methods with a 25.6% higher attack success rate.

Abstract

Person Re-Identification (ReID) systems pose a significant security risk from backdoor attacks, allowing adversaries to evade tracking or impersonate others. Beyond recognizing this issue, we investigate how backdoor attacks can be deployed in real-world scenarios, where a ReID model is typically trained on data collected in the digital domain and then deployed in a physical environment. This attack scenario requires an attack flow that embeds backdoor triggers in the digital domain realistically enough to also activate the buried backdoor in person ReID models in the physical domain. This paper realizes this attack flow by leveraging a diffusion model to generate realistic accessories on pedestrian images (e.g., bags, hats, etc.) as backdoor triggers. However, the noticeable domain gap between the triggers generated by the off-the-shelf diffusion model and their physical counterparts results in a low attack success rate. Therefore, we introduce a novel diffusion-based physical backdoor attack (DiffPhysBA) method that adopts a training-free similarity-guided sampling process to enhance the resemblance between generated and physical triggers. Consequently, DiffPhysBA can generate realistic attributes as semantic-level triggers in the digital domain and provides higher physical ASR compared to the direct paste method by 25.6% on the real-world test set. Through evaluations on newly proposed real-world and synthetic ReID test sets, DiffPhysBA demonstrates an impressive success rate exceeding 90% in both the digital and physical domains. Notably, it excels in digital stealth metrics and can effectively evade state-of-the-art defense methods.