Mang Ye,Wei Shen,Junwu Zhang,Yao Yang,Bo Du

DOI: https://doi.org/10.1109/tifs.2024.3356233

IF: 7.231

2024-02-06

IEEE Transactions on Information Forensics and Security

Abstract:Anonymization methods have gained widespread use in safeguarding privacy. However, conventional anonymization solutions inevitably lead to the loss of semantic information, resulting in limited data utility. Besides, existing deep learning-based anonymization strategies inadvertently alter the identities of pedestrians, rendering them unsuitable for re-identification (Re-ID) tasks. Beyond these limitations, we propose a joint learning reversible anonymization framework that can reversibly generate full-body anonymized images with little performance drop on Re-ID tasks. Despite these advancements, we reveal that the anonymization methods are vulnerable to model attacks, where attackers can utilize the anonymization model and public data to perform recovery and Re-ID tasks on anonymized images. To defend against the potential attack, we introduce the identity-specific encrypt-decrypt (ISED) architecture for enhanced security, where the anonymized images are encrypted using the specific key for each identity. It renders the images computationally inaccessible to attackers while allowing for seamless reversal without loss using the corresponding keys. Extensive experiments demonstrate that the anonymization framework can guarantee Re-ID performance while protecting pedestrian privacy. In addition, we provide both empirical and theoretical evidence to demonstrate the feasibility of model attacks and the effectiveness of our ISED strategy. Code is available at https://github.com/shentt67/SecureReID.

computer science, theory & methods,engineering, electrical & electronic

Hamza Rami,Jhony H. Giraldo,Nicolas Winckler,Stéphane Lathuilière

2024-07-17

Abstract:Re-Identification systems (Re-ID) are crucial for public safety but face the challenge of having to adapt to environments that differ from their training distribution. Furthermore, rigorous privacy protocols in public places are being enforced as apprehensions regarding individual freedom rise, adding layers of complexity to the deployment of accurate Re-ID systems in new environments. For example, in the European Union, the principles of ``Data Minimization'' and ``Purpose Limitation'' restrict the retention and processing of images to what is strictly necessary. These regulations pose a challenge to the conventional Re-ID training schemes that rely on centralizing data on servers. In this work, we present a novel setting for privacy-preserving Distributed Unsupervised Domain Adaptation for person Re-ID (DUDA-Rid) to address the problem of domain shift without requiring any image transfer outside the camera devices. To address this setting, we introduce Fed-Protoid, a novel solution that adapts person Re-ID models directly within the edge devices. Our proposed solution employs prototypes derived from the source domain to align feature statistics within edge devices. Those source prototypes are distributed across the edge devices to minimize a distributed Maximum Mean Discrepancy (MMD) loss tailored for the DUDA-Rid setting. Our experiments provide compelling evidence that Fed-Protoid outperforms all evaluated methods in terms of both accuracy and communication efficiency, all while maintaining data privacy.

Computer Vision and Pattern Recognition

Mengran Gou,Ziyan Wu,Angels Rates-Borras,Octavia Camps,Richard J. Radke,Srikrishna Karanam

DOI: https://doi.org/10.1109/tpami.2018.2807450

IF: 23.6

2019-03-01

IEEE Transactions on Pattern Analysis and Machine Intelligence

Abstract:Person re-identification (re-id) is a critical problem in video analytics applications such as security and surveillance. The public release of several datasets and code for vision algorithms has facilitated rapid progress in this area over the last few years. However, directly comparing re-id algorithms reported in the literature has become difficult since a wide variety of features, experimental protocols, and evaluation metrics are employed. In order to address this need, we present an extensive review and performance evaluation of single- and multi-shot re-id algorithms. The experimental protocol incorporates the most recent advances in both feature extraction and metric learning. To ensure a fair comparison, all of the approaches were implemented using a unified code library that includes 11 feature extraction algorithms and 22 metric learning and ranking techniques. All approaches were evaluated using a new large-scale dataset that closely mimics a real-world problem setting, in addition to 16 other publicly available datasets: VIPeR, GRID, CAVIAR, DukeMTMC4ReID, 3DPeS, PRID, V47, WARD, SAIVT-SoftBio, CUHK01, CHUK02, CUHK03, RAiD, iLIDSVID, HDA+, and Market1501. The evaluation codebase and results will be made publicly available for community use.

computer science, artificial intelligence,engineering, electrical & electronic

Eduardo de O. Andrade,Igor Garcia Ballhausen Sampaio,Joris Guérin,José Viterbo

DOI: https://doi.org/10.5220/0011623800003417

2023-09-25

Abstract:The field of Person Re-Identification (Re-ID) has received much attention recently, driven by the progress of deep neural networks, especially for image classification. The problem of Re-ID consists in identifying individuals through images captured by surveillance cameras in different scenarios. Governments and companies are investing a lot of time and money in Re-ID systems for use in public safety and identifying missing persons. However, several challenges remain for successfully implementing Re-ID, such as occlusions and light reflections in people's images. In this work, we focus on adversarial attacks on Re-ID systems, which can be a critical threat to the performance of these systems. In particular, we explore the combination of adversarial attacks against Re-ID models, trying to strengthen the decrease in the classification results. We conduct our experiments on three datasets: DukeMTMC-ReID, Market-1501, and CUHK03. We combine the use of two types of adversarial attacks, P-FGSM and Deep Mis-Ranking, applied to two popular Re-ID models: IDE (ResNet-50) and AlignedReID. The best result demonstrates a decrease of 3.36% in the Rank-10 metric for AlignedReID applied to CUHK03. We also try to use Dropout during the inference as a defense method.

Computer Vision and Pattern Recognition

Shuguang Dou,Xinyang Jiang,Qingsong Zhao,Dongsheng Li,Cairong Zhao

DOI: https://doi.org/10.48550/arXiv.2207.07311

2022-07-15

Computer Vision and Pattern Recognition

Abstract:Recently privacy concerns of person re-identification (ReID) raise more and more attention and preserving the privacy of the pedestrian images used by ReID methods become essential. De-identification (DeID) methods alleviate privacy issues by removing the identity-related of the ReID data. However, most of the existing DeID methods tend to remove all personal identity-related information and compromise the usability of de-identified data on the ReID task. In this paper, we aim to develop a technique that can achieve a good trade-off between privacy protection and data usability for person ReID. To achieve this, we propose a novel de-identification method designed explicitly for person ReID, named Person Identify Shift (PIS). PIS removes the absolute identity in a pedestrian image while preserving the identity relationship between image pairs. By exploiting the interpolation property of variational auto-encoder, PIS shifts each pedestrian image from the current identity to another with a new identity, resulting in images still preserving the relative identities. Experimental results show that our method has a better trade-off between privacy-preserving and model performance than existing de-identification methods and can defend against human and model attacks for data privacy.

Junyao Gao,Xinyang Jiang,Shuguang Dou,Dongsheng Li,Duoqian Miao,Cairong Zhao

DOI: https://doi.org/10.1007/s11263-024-02115-6

IF: 13.369

2024-05-24

International Journal of Computer Vision

Abstract:Person re-identification (Re-ID) has rapidly advanced due to its widespread real-world applications. It poses a significant risk of exposing private data from its training dataset. This paper aims to quantify this risk by conducting a membership inference (MI) attack. Most existing MI attack methods focus on classification models, while Re-ID follows a distinct paradigm for training and inference. Re-ID is a fine-grained recognition task that involves complex feature embedding, and the model outputs commonly used by existing MI algorithms, such as logits and losses, are inaccessible during inference. Since Re-ID models the relative relationship between image pairs rather than individual semantics, we conduct a formal and empirical analysis that demonstrates that the distribution shift of the inter-sample similarity between the training and test sets is a crucial factor for membership inference and exists in most Re-ID datasets and models. Thus, we propose a novel MI attack method based on the distribution of inter-sample similarity, which involves sampling a set of anchor images to represent the similarity distribution that is conditioned on a target image. Next, we consider two attack scenarios based on information that the attacker has. In the "one-to-one" scenario, where the attacker has access to the target Re-ID model and dataset, we propose an anchor selector module to select anchors accurately representing the similarity distribution. Conversely, in the "one-to-any" scenario, which resembles real-world applications where the attacker has no access to the target Re-ID model and dataset, leading to the domain-shift problem, we propose two alignment strategies. Moreover, we introduce the patch-attention module as a replacement for the anchor selector. Experimental evaluations demonstrate the effectiveness of our proposed approaches in Re-ID tasks in both attack scenarios.

computer science, artificial intelligence

Long Wei,Zhenyong Wei,Zhongming Jin,Qianxiao Wei,Jianqiang Huang,Xian-Sheng Hua,Deng Cai,Xiaofei He

DOI: https://doi.org/10.1016/j.neucom.2019.11.093

IF: 6

2019-01-01

Neurocomputing

Abstract:The Person Re-identification (ReID) task aims to match persons across cameras in a surveillance system. In the past few years, many researches are devoted to ReID and its performance has gained significant improvement. ReID models are usually trained as a joint framework comprising a person feature extractor and a classifier. However, there exists co-adaptation between the feature extractor and the classifier, which prevents the feature extractor from making effective and sufficient optimization and results in inferior retrieval performance. In this paper, we propose a very simple and effective training method, called DeAda, to decouple this co-adaptation. Our main motivation is to construct a series of weak classifiers during training by randomization of parameters, so that optimization on the feature extractor could be strengthened in the training stage. DeAda is easy, effective, and efficient, and could serve as a plug-and-play optimization tool for ReID models, without additional memory and time cost. We also analyze the theoretical property of DeAda and show that it could produce identical features for the same person under some simple assumptions. We demonstrate its effectiveness on three public ReID datasets: Market1501, DukeMTMC-reID and CUHK03 over different ReID models. With DeAda optimization, we finally obtain state-of-the-art results on all the three datasets.

Minghui Chen,Zhiqiang Wang,Feng Zheng

DOI: https://doi.org/10.48550/arXiv.2111.00880

2022-04-25

Abstract:When deploying person re-identification (ReID) model in safety-critical applications, it is pivotal to understanding the robustness of the model against a diverse array of image corruptions. However, current evaluations of person ReID only consider the performance on clean datasets and ignore images in various corrupted scenarios. In this work, we comprehensively establish six ReID benchmarks for learning corruption invariant representation. In the field of ReID, we are the first to conduct an exhaustive study on corruption invariant learning in single- and cross-modality datasets, including Market-1501, CUHK03, MSMT17, RegDB, SYSU-MM01. After reproducing and examining the robustness performance of 21 recent ReID methods, we have some observations: 1) transformer-based models are more robust towards corrupted images, compared with CNN-based models, 2) increasing the probability of random erasing (a commonly used augmentation method) hurts model corruption robustness, 3) cross-dataset generalization improves with corruption robustness increases. By analyzing the above observations, we propose a strong baseline on both single- and cross-modality ReID datasets which achieves improved robustness against diverse corruptions. Our codes are available on <a class="link-external link-https" href="https://github.com/MinghuiChen43/CIL-ReID" rel="external noopener nofollow">this https URL</a>.

Computer Vision and Pattern Recognition

Qiwei Meng,Te Li,Shanshan Ji,Shiqiang Zhu,Jianjun Gu

DOI: https://doi.org/10.1007/978-3-030-86380-7_24

2021-01-01

Abstract:Partial person ReID tasks have become a research focus recently for it is challenging but significant in practical applications. The major difficulty within partial person ReID is that only incomplete and even noisy person features are available for extraction and matching, which puts forward higher requirement to model robustness. To settle down this problem, our paper proposes a novel IRRFE-ReID model, which includes two major innovations, the interesting receptive region selection module and the feature excitation module. The former module can adaptively select the region of interest from original image while the latter one is applied to distinguish representative person features and weight them during matching. Proven by ablation analysis, these two modules are embeddable and considerably conducive for partial person ReID tasks. Additionally, our IRRFE-ReID model achieves the state-of-the-art performance in two mainstream partial person datasets, PartialReID and PartialiLids, with its Rank1 reaching 85.7% and 74.8% respectively.

Vikram Shree,Wei-Lun Chao,Mark Campbell

DOI: https://doi.org/10.1109/RO-MAN46459.2019.8956459

2020-01-26

Abstract:Person re-identification aims to identify a person from an image collection, given one image of that person as the query. There is, however, a plethora of real-life scenarios where we may not have a priori library of query images and therefore must rely on information from other modalities. In this paper, an attribute-based approach is proposed where the person of interest (POI) is described by a set of visual attributes, which are used to perform the search. We compare multiple algorithms and analyze how the quality of attributes impacts the performance. While prior work mostly relies on high precision attributes annotated by experts, we conduct a human-subject study and reveal that certain visual attributes could not be consistently described by human observers, making them less reliable in real applications. A key conclusion is that the performance achieved by non-expert attributes, instead of expert-annotated ones, is a more faithful indicator of the status quo of attribute-based approaches for person re-identification.

Computer Vision and Pattern Recognition,Robotics

Wenli Sun,Xinyang Jiang,Shuguang Dou,Dongsheng Li,Duoqian Miao,Cheng Deng,Cairong Zhao

DOI: https://doi.org/10.1109/tifs.2023.3322659

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:In recent years, person Re-IDentification (ReID) has rapidly progressed with wide real-world applications but is also susceptible to various forms of attack, including proven vulnerability to adversarial attacks. In this paper, we focus on the backdoor attack on deep ReID models. Existing backdoor attack methods follow an all-to-one or all-to-all attack scenario, where all the target classes in the test set have already been seen in the training set. However, ReID is a much more complex fine-grained open-set recognition problem, where the identities in the test set are not contained in the training set. Thus, previous backdoor attack methods for classification are not applicable to ReID. To ameliorate this issue, we propose a novel backdoor attack on deep ReID under a new all-to-unknown scenario, called Dynamic Triggers Invisible Backdoor Attack (DT-IBA). Instead of learning fixed triggers for the target classes from the training set, DT-IBA can dynamically generate new triggers for any unknown identities. Specifically, an identity hashing network is proposed to first extract target identity information from a reference image, which is then injected into the benign images by image steganography. We extensively validate the effectiveness and stealthiness of the proposed attack on benchmark datasets and evaluate the effectiveness of several defense methods against our attack.

Jieru Jia,Qiuqi Ruan,Timothy M. Hospedales

DOI: https://doi.org/10.48550/arXiv.1905.03422

2019-05-09

Computer Vision and Pattern Recognition

Abstract:Contemporary person re-identification (\reid) methods usually require access to data from the deployment camera network during training in order to perform well. This is because contemporary \reid{} models trained on one dataset do not generalise to other camera networks due to the domain-shift between datasets. This requirement is often the bottleneck for deploying \reid{} systems in practical security or commercial applications, as it may be impossible to collect this data in advance or prohibitively costly to annotate it. This paper alleviates this issue by proposing a simple baseline for domain generalizable~(DG) person re-identification. That is, to learn a \reid{} model from a set of source domains that is suitable for application to unseen datasets out-of-the-box, without any model updating. Specifically, we observe that the domain discrepancy in \reid{} is due to style and content variance across datasets and demonstrate appropriate Instance and Feature Normalization alleviates much of the resulting domain-shift in Deep \reid{} models. Instance Normalization~(IN) in early layers filters out style statistic variations and Feature Normalization~(FN) in deep layers is able to further eliminate disparity in content statistics. Compared to contemporary alternatives, this approach is extremely simple to implement, while being faster to train and test, thus making it an extremely valuable baseline for implementing \reid{} in practice. With a few lines of code, it increases the rank 1 \reid{} accuracy by {11.8\%, 33.2\%, 12.8\% and 8.5\%} on the VIPeR, PRID, GRID, and i-LIDS benchmarks respectively. Source codes are available at \url{https://github.com/BJTUJia/person_reID_DualNorm}.

Weihua Ding,Xing Wei,Xiaopeng Hong,Rongrong Ji,Yi Gong

2019-01-01

Abstract:Person re-identification (re-ID) has made great progress and achieved high performance in recent years with the development of deep learning. However, as an application related to security issues, there are few researches considering the safety of person re-ID systems. In this paper, we attempt to explore the robustness of current person re-ID models against adversarial samples. Specifically, we attack the re-ID models using universal adversarial perturbations (UAPs), which are especially dangerous to the surveillance systems because it could fool most pedestrian images with a little overhead. Existing methods for UAPs mainly consider classification models, while the tasks in open set scenarios like re-ID are rarely explored. Re-ID attack is different from classification ones in the sense that the former discards decision boundary during test and cares more about the ranking list. Therefore, we propose an effective method to train UAPs against person re-ID models from the global list-wise perspective. Furthermore, to increase the impact of attack to different models and datasets, we propose a novel UAPs learning method based on total variation minimization. Extensive experiments validate the effectiveness of our proposed method.

Xinshao Wang,Elyor Kodirov,Yang Hua,Neil M. Robertson

DOI: https://doi.org/10.48550/arXiv.1911.09143

2019-11-21

Abstract:Set-based person re-identification (SReID) is a matching problem that aims to verify whether two sets are of the same identity (ID). Existing SReID models typically generate a feature representation per image and aggregate them to represent the set as a single embedding. However, they can easily be perturbed by noises--perceptually/semantically low quality images--which are inevitable due to imperfect tracking/detection systems, or overfit to trivial images. In this work, we present a novel and simple solution to this problem based on ID-aware quality that measures the perceptual and semantic quality of images guided by their ID information. Specifically, we propose an ID-aware Embedding that consists of two key components: (1) Feature learning attention that aims to learn robust image embeddings by focusing on 'medium' hard images. This way it can prevent overfitting to trivial images, and alleviate the influence of outliers. (2) Feature fusion attention is to fuse image embeddings in the set to obtain the set-level embedding. It ignores noisy information and pays more attention to discriminative images to aggregate more discriminative information. Experimental results on four datasets show that our method outperforms state-of-the-art approaches despite the simplicity of our approach.

Computer Vision and Pattern Recognition,Machine Learning,Image and Video Processing

Shafiq Ahmad,Pietro Morerio,Alessio Del Bue

2023-08-18

Abstract:Wide-scale use of visual surveillance in public spaces puts individual privacy at stake while increasing resource consumption (energy, bandwidth, and computation). Neuromorphic vision sensors (event-cameras) have been recently considered a valid solution to the privacy issue because they do not capture detailed RGB visual information of the subjects in the scene. However, recent deep learning architectures have been able to reconstruct images from event cameras with high fidelity, reintroducing a potential threat to privacy for event-based vision applications. In this paper, we aim to anonymize event-streams to protect the identity of human subjects against such image reconstruction attacks. To achieve this, we propose an end-to-end network architecture jointly optimized for the twofold objective of preserving privacy and performing a downstream task such as person ReId. Our network learns to scramble events, enforcing the degradation of images recovered from the privacy attacker. In this work, we also bring to the community the first ever event-based person ReId dataset gathered to evaluate the performance of our approach. We validate our approach with extensive experiments and report results on the synthetic event data simulated from the publicly available SoftBio dataset and our proposed Event-ReId dataset.

Computer Vision and Pattern Recognition

Jose Huaman,Felix O. Sumari,Luigy Machaca,Esteban Clua,Joris Guerin

DOI: https://doi.org/10.48550/arXiv.2212.09981

2022-12-20

Abstract:Recently, Person Re-Identification (Re-ID) has received a lot of attention. Large datasets containing labeled images of various individuals have been released, allowing researchers to develop and test many successful approaches. However, when such Re-ID models are deployed in new cities or environments, the task of searching for people within a network of security cameras is likely to face an important domain shift, thus resulting in decreased performance. Indeed, while most public datasets were collected in a limited geographic area, images from a new city present different features (e.g., people's ethnicity and clothing style, weather, architecture, etc.). In addition, the whole frames of the video streams must be converted into cropped images of people using pedestrian detection models, which behave differently from the human annotators who created the dataset used for training. To better understand the extent of this issue, this paper introduces a complete methodology to evaluate Re-ID approaches and training datasets with respect to their suitability for unsupervised deployment for live operations. This method is used to benchmark four Re-ID approaches on three datasets, providing insight and guidelines that can help to design better Re-ID pipelines in the future.

Computer Vision and Pattern Recognition,Artificial Intelligence,Machine Learning

Jingyi Cao,Xiangyi Chen,Bo Liu,Ming Ding,Rong Xie,Li Song,Zhu Li,Wenjun Zhang

2024-11-15

Abstract:The widespread use of image acquisition technologies, along with advances in facial recognition, has raised serious privacy concerns. Face de-identification usually refers to the process of concealing or replacing personal identifiers, which is regarded as an effective means to protect the privacy of facial images. A significant number of methods for face de-identification have been proposed in recent years. In this survey, we provide a comprehensive review of state-of-the-art face de-identification methods, categorized into three levels: pixel-level, representation-level, and semantic-level techniques. We systematically evaluate these methods based on two key criteria, the effectiveness of privacy protection and preservation of image utility, highlighting their advantages and limitations. Our analysis includes qualitative and quantitative comparisons of the main algorithms, demonstrating that deep learning-based approaches, particularly those using Generative Adversarial Networks (GANs) and diffusion models, have achieved significant advancements in balancing privacy and utility. Experimental results reveal that while recent methods demonstrate strong privacy protection, trade-offs remain in visual fidelity and computational complexity. This survey not only summarizes the current landscape but also identifies key challenges and future research directions in face de-identification.

Computer Vision and Pattern Recognition,Cryptography and Security

Xi Yang,Huanling Liu,Nannan Wang,Xinbo Gao

DOI: https://doi.org/10.1109/tip.2024.3456000

IF: 10.6

2024-09-20

IEEE Transactions on Image Processing

Abstract:The potential vulnerability of deep neural networks and the complexity of pedestrian images, greatly limits the application of person re-identification techniques in the field of smart security. Current attack methods often focus on generating carefully crafted adversarial samples or only disrupting the metric distances between targets and similar pedestrians. However, both aspects are crucial for evaluating the security of methods adapted for person re-identification tasks. For this reason, we propose an image-level adaptive adversarial ranking method that comprehensively considers two aspects to adapt to changes in pedestrians in the real world and effectively evaluate the robustness of models in adversarial environments. To generate more refined adversarial samples, our image representation enhancement module leverages channel-wise information entropy, assigning varying weights to different channels to produce images with richer information content, along with a generative adversarial network to create adversarial samples. Subsequently, for adaptive perturbation of ranking, the adaptive weight confusion ranking loss is presented to calculate the weights of distances between positive or negative samples and query samples. It endeavors to push positive samples away from query samples and bring negative samples closer, thereby interfering with the ranking of system. Notably, this method requires no additional hyperparameter tuning or extra data training, making it an adaptive attack strategy. Experimental results on large-scale datasets such as Market1501, CUHK03, and DukeMTMC demonstrate the effectiveness of our method in attacking ReID systems.

computer science, artificial intelligence,engineering, electrical & electronic

Bingyu Hu,Jiawei Liu,Yufei Zheng,Kecheng Zheng,Zheng-Jun Zha

DOI: https://doi.org/10.1007/s11263-024-02124-5

IF: 13.369

2024-06-04

International Journal of Computer Vision

Abstract:Person re-identification (ReID), aiming at retrieving persons of the same identity across non-overlapping cameras, holds immense practical significance for security and surveillance applications. In pursuit of a more general and practical solution, recent research attention has gradually shifted from the traditional single-domain ReID to the domain generalizable person re-identification (DG-ReID). However, the DG-ReID landscape lacks a meticulously designed and all-encompassing benchmark to provide a common ground for competing approaches. To this end, in this paper, we first delve into the intricate challenges of DG-ReID and introduce a comprehensive and large-scale benchmark with enhanced distributional variety and shifts to facilitate the research progress. Furthermore, in response to the highlighted challenges, a novel DG-ReID framework based on diverse feature space learning with domain factorization is proposed to effectively learn rich domain-adaptive discriminative features through the two designed blocks with fairly limited additional cost in both memory and computation. Firstly, the feature diversification block promotes a diverse feature space capable of learning domain-specific characteristics under the rich distributional variety. Secondly, the domain-adaptive shielding block applies channel-wise shielding operations based on subspace-based domain factorization in order to prevent the model from prediction bias caused by distributional shifts. Our extensive experiments demonstrate the effectiveness of the proposed framework, surpassing the performance of current state-of-the-art methods under various evaluation protocols.

computer science, artificial intelligence

Song Bai,Yingwei Li,Yuyin Zhou,Qizhu Li,Philip H.S. Torr

DOI: https://doi.org/10.1109/tpami.2020.3031625

IF: 23.6

2021-06-01

IEEE Transactions on Pattern Analysis and Machine Intelligence

Abstract:Person re-identification (re-ID) has attracted much attention recently due to its great importance in video surveillance. In general, distance metrics used to identify two person images are expected to be robust under various appearance changes. However, our work observes the extreme vulnerability of existing distance metrics to adversarial examples, generated by simply adding human-imperceptible perturbations to person images. Hence, the security danger is dramatically increased when deploying commercial re-ID systems in video surveillance. Although adversarial examples have been extensively applied for classification analysis, it is rarely studied in metric analysis like person re-identification. The most likely reason is the natural gap between the training and testing of re-ID networks, that is, the predictions of a re-ID network cannot be directly used during testing without an effective metric. In this work, we bridge the gap by proposing Adversarial Metric Attack, a parallel methodology to adversarial classification attacks. Comprehensive experiments clearly reveal the adversarial effects in re-ID systems. Meanwhile, we also present an early attempt of training a metric-preserving network, thereby defending the metric against adversarial attacks. At last, by benchmarking various adversarial settings, we expect that our work can facilitate the development of adversarial attack and defense in metric-based applications.

computer science, artificial intelligence,engineering, electrical & electronic