AP-GAN: Adversarial patch attack on content-based image retrieval systems
GeoInformatica (IF 2.2), Pub Date: 2020-08-02, DOI: 10.1007/s10707-020-00418-7
Guoping Zhao, Mingyu Zhang, Jiajun Liu, Yaxian Li, Ji-Rong Wen

Key Smart City applications such as traffic management and public security rely heavily on the intelligent processing of video and image data, often in the form of visual retrieval tasks, such as person Re-IDentification (ReID) and vehicle re-identification. For these tasks, Deep Neural Networks (DNNs) have been the dominant solution for the past decade, for their remarkable ability in learning discriminative features from images to boost retrieval performance. However, it has been discovered that DNNs are broadly vulnerable to maliciously constructed adversarial examples. By adding small perturbations to a query image, the returned retrieval results will be completely dissimilar from the query image. This poses serious challenges to vital systems in Smart City applications that depend on DNN-based visual retrieval technology, as in the physical world, simple camouflage can be added to the subject (a few patches on the body or car) and turn the subject completely untrackable by person or vehicle Re-ID systems. To demonstrate the potential of such threats, this paper proposes a novel adversarial patch generative adversarial network (AP-GAN) to generate adversarial patches instead of modifying the entire image, which also causes DNN-based image retrieval models to return incorrect results. AP-GAN is trained in an unsupervised way that requires only a small amount of unlabeled data for training. Once trained, it produces query-specific perturbations for query images to form adversarial queries. Extensive experiments show that AP-GAN achieves excellent attacking performance in various application scenarios that are based on deep features, including image retrieval, person ReID and vehicle ReID. The results of this study provide a warning that when deploying a DNN-based image retrieval system, its security and robustness need to be thoroughly considered.




Updated: 2020-08-02