Debiased Dual-Invariant Defense for Adversarially Robust Person Re-Identification

TL;DR

This paper introduces a novel debiased dual-invariant defense framework for person re-identification that enhances robustness against adversarial attacks by addressing model bias and generalization challenges.

Contribution

It proposes a diffusion-model-based data resampling and a bi-adversarial self-meta training approach tailored for adversarially robust person ReID, addressing unique challenges in the field.

Findings

Significantly outperforms existing defenses in experiments.

Effectively mitigates model bias and improves generalization.

Enhances robustness against unseen identities and attack types.

Abstract

Person re-identification (ReID) is a fundamental task in many real-world applications such as pedestrian trajectory tracking. However, advanced deep learning-based ReID models are highly susceptible to adversarial attacks, where imperceptible perturbations to pedestrian images can cause entirely incorrect predictions, posing significant security threats. Although numerous adversarial defense strategies have been proposed for classification tasks, their extension to metric learning tasks such as person ReID remains relatively unexplored. Moreover, the several existing defenses for person ReID fail to address the inherent unique challenges of adversarially robust ReID. In this paper, we systematically identify the challenges of adversarial defense in person ReID into two key issues: model bias and composite generalization requirements. To address them, we propose a debiased dual-invariant defense framework composed of two main phases. In the data balancing phase, we mitigate model bias using a diffusion-model-based data resampling strategy that promotes fairness and diversity in training data. In the bi-adversarial self-meta defense phase, we introduce a novel metric adversarial training approach incorporating farthest negative extension softening to overcome the robustness degradation caused by the absence of classifier. Additionally, we introduce an adversarially-enhanced self-meta mechanism to achieve dual-generalization for both unseen identities and unseen attack types. Experiments demonstrate that our method significantly outperforms existing state-of-the-art defenses.