This AI document poses a little-studied privacy risk of people re-identification training data

Person re-identification (Re-ID) is an image retrieval task that identifies a specific person in different images or video sequences. However, leaking information from the Re-ID training suite can cause serious ethical and social security risks. Therefore, it is important to address the privacy risks associated with the training set of Re-ID models. Membership inference (MI) attacks can reveal whether a particular individual was present in the training data set used to train the Re-ID model. This can reveal sensitive information about the person’s whereabouts, movements, and activities. The main challenge of MI attacks for the Re-ID task is that traditional MI attack methods that are based on logits or losses are not applicable because the Re-ID task follows a different training and inference paradigm.

State-of-the-art Re-ID methods extract visual features from each pedestrian image and then perform recognition by retrieving images based on relative similarity between pairs of images. Common use logits or loss for MI attack in classification are not available in the Re-ID task. Furthermore, the Re-ID task is a more challenging fine-grained recognition task, leading to a more complex and less discriminatory feature distribution for MI attacks.

Recently, a Chinese research team submitted a paper introducing a new MI attack method called the Similarity Distribution Based MI attack (SDMI attack) designed specifically for the Re-ID task. The proposed method uses the intersample similarity distribution between different images to infer the membership of a target image in the training set. It uses a set of anchor images selected by an attention-based neural module to represent the conditional similarity distribution on the target image. Target image membership is inferred based on its similarity to anchors within the reference set using a neural network. The contributions of this work are:

1) raise awareness about the privacy risk of the training set in the Re-ID task.

2) propose the first IM attack algorithm on people reidentification.

3) demonstrate that the proposed method outperforms existing MI attack approaches in Re-ID models.

Specifically, the SDMI attack is performed in two stages: Obtaining the similarity distribution: Given a target image, the method obtains a feature vector that represents the conditional distribution of similarity between the target images and other images in the data distribution. . This is done by sampling a set of anchor images from the Re-ID data distribution and calculating the Euclidean distance between the target image and each anchor image. Membership inference: In the second stage, the membership of the target image is inferred based on the similarity distribution with a new neural network structure. The similarity distribution vector is fed to a neural network that predicts the membership of the target sample.

To evaluate the performance of the novel approach, a multi-baseline experimental study was conducted on two data sets (Market1501 and DukeMTMC) using three different Re-ID models with different backbones (ResNet50, MobileNetV2 and Xception). The authors use the attack success rate as the evaluation metric and show that their proposed method outperforms existing methods. They also performed an ablation study to show the influence of different components and hyperparameters on the performance of the proposed method. Furthermore, they show that their new technique can be applied to other tasks such as classification, and report the results as well.

In summary, this article introduces a new IM attack method designed specifically for the Re-ID task, which is a privacy-sensitive image retrieval task. The SDMI attack uses the intersample similarity distribution between different images to infer the membership of a target image in the training set. The authors state that this method outperforms existing MI attack algorithms in general Re-ID models and raises awareness of the training set privacy risk in the Re-ID task. They conducted experiments on two data sets and three Re-ID models and showed that their new approach has a higher attack success rate than existing methods.

review the Paper. All credit for this research goes to the researchers of this project. Also, don’t forget to join our 13k+ ML SubReddit, discord channel, and electronic newsletterwhere we share the latest AI research news, exciting AI projects, and more.