The Person Re-identification (ReID) system based on metric learning has been proved to inherit the vulnerability of deep neural networks (DNNs), which are easy to be fooled by adversarail metric attacks. Existing work mainly relies on adversarial training for metric defense, and more methods have not been fully studied. By exploring the impact of attacks on the underlying features, we propose targeted methods for metric attacks and defence methods. In terms of metric attack, we use the local color deviation to construct the intra-class variation of the input to attack color features. In terms of metric defenses, we propose a joint defense method which includes two parts of proactive defense and passive defense. Proactive defense helps to enhance the robustness of the model to color variations and the learning of structure relations across multiple modalities by constructing different inputs from multimodal images, and passive defense exploits the invariance of structural features in a changing pixel space by circuitous scaling to preserve structural features while eliminating some of the adversarial noise. Extensive experiments demonstrate that the proposed joint defense compared with the existing adversarial metric defense methods which not only against multiple attacks at the same time but also has not significantly reduced the generalization capacity of the model. The code is available at https://github.com/finger-monkey/multi-modal_joint_defence.
翻译:以标准化学习为基础的个人再识别(ReID)系统已被证明继承了深神经网络的脆弱性,这些网络很容易被反光度攻击所愚弄。现有工作主要依靠对准防御的对抗性培训,而且没有全面研究更多的方法。通过探索攻击对基本特征的影响,我们提出了对准攻击和防御方法的定向方法。在对准攻击方面,我们使用当地颜色偏差来构建攻击颜色特征的投入的等级内部差异。在矩阵防御方面,我们建议采用一种联合防御方法,其中包括主动防御和被动防御的两个部分。主动防御有助于增强模型的稳健性,通过从多式图像中构建不同的投入和被动防御利用不断变化的像素空间的结构特征的不稳定性来保持结构特征,同时消除一些对抗性噪音。广泛的实验表明,拟议联合防御与现有的对立性防御方法相比,不仅同时针对多次攻击,而且还没有大幅度降低现有多式防御的防御模式/多式防御能力。