Pedestrian re-identification (ReID) suffers from severe adversarial vulnerability, and existing defense methods struggle to simultaneously preserve metric learning properties and ensure generalizable robustness against unseen attacks or identities. This paper proposes a debiased dual-invariance defense framework. First, it systematically uncovers a compound generalization challenge in ReID arising from the coupling of data distribution bias and metric structure. Second, it introduces a diffusion-model-driven balanced resampling strategy and classifier-free soft expansion of far-negative samples to achieve invariance in both feature and metric spaces. Third, it integrates metric-aware adversarial training with self-supervised meta-learning enhanced by adversarial augmentation. Evaluated on multiple benchmarks, the method significantly outperforms state-of-the-art defenses, demonstrating superior robustness and generalization under unknown attack types and unseen identities.

Person re-identification (ReID) is a fundamental task in many real-world applications such as pedestrian trajectory tracking. However, advanced deep learning-based ReID models are highly susceptible to adversarial attacks, where imperceptible perturbations to pedestrian images can cause entirely incorrect predictions, posing significant security threats. Although numerous adversarial defense strategies have been proposed for classification tasks, their extension to metric learning tasks such as person ReID remains relatively unexplored. Moreover, the several existing defenses for person ReID fail to address the inherent unique challenges of adversarially robust ReID. In this paper, we systematically identify the challenges of adversarial defense in person ReID into two key issues: model bias and composite generalization requirements. To address them, we propose a debiased dual-invariant defense framework composed of two main phases. In the data balancing phase, we mitigate model bias using a diffusion-model-based data resampling strategy that promotes fairness and diversity in training data. In the bi-adversarial self-meta defense phase, we introduce a novel metric adversarial training approach incorporating farthest negative extension softening to overcome the robustness degradation caused by the absence of classifier. Additionally, we introduce an adversarially-enhanced self-meta mechanism to achieve dual-generalization for both unseen identities and unseen attack types. Experiments demonstrate that our method significantly outperforms existing state-of-the-art defenses.