Query-UAP: Query-Efficient Universal Adversarial Perturbation for Large-Scale Person Re-Identification Attack

Abstract

AbstractThe performance of person re-identification (ReID) has improved significantly with the development of deep learning. And we find that even the state-of-the-art ReID models are vulnerable to universal adversarial perturbation (UAP) attack under white-box attack. However, the white-box setting that the adversary has full access to model is not suitable for practical application. This situation inspires us to explore the UAP attack in more realistic black-box setting. In this paper, we propose a novel query-based black-box UAP attack algorithm for large-scale ReID attacking, which adopts the coordinate-wise gradient estimation method combined with importance sampling for gradient estimation. In particular, the UAP attack can be more easily applied to large-scale attacks, compared with the commonly used image-specific attack in the literature. What’s more, in order to speed up the convergence of attack, we propose a coordinate-wise MI-FGSM with spatial momentum prior to update UAP. Meanwhile, our UAP updating method avoids the undesirable spread of inaccurate gradient estimation in iterations. Extensive experiments show that, at a very low average number of queries per image, the attack success rate and visual quality of the adversarial samples generated by our attack algorithm are very close to white-box attack. For example, when attacking AP-Net, one of the best ReID models at present, only an average of 297 queries per image can significantly reduce the mAP from 0.89 to 0.03 under Market1501. The code is available at https://github.com/HWliiu/QueryUAPReidAttack.KeywordsUniversal adversarial perturbation (UAP)Query-efficient attackBlack-box attackPerson re-identificatio (ReID)