Zhe Zhao,Guangke Chen,Jingyi Wang,Yiwei Yang,Fu Song,Jun Sun

DOI: https://doi.org/10.1145/3460319.3464822

2021-01-01

Abstract:As a new programming paradigm, deep learning has expanded its application to many real-world problems. At the same time, deep learning based software are found to be vulnerable to adversarial attacks. Though various defense mechanisms have been proposed to improve robustness of deep learning software, many of them are ineffective against adaptive attacks. In this work, we propose a novel characterization to distinguish adversarial examples from benign ones based on the observation that adversarial examples are significantly less robust than benign ones. As existing robustness measurement does not scale to large networks, we propose a novel defense framework, named attack as defense (A2D), to detect adversarial examples by effectively evaluating an example’s robustness. A2D uses the cost of attacking an input for robustness evaluation and identifies those less robust examples as adversarial since less robust examples are easier to attack. Extensive experiment results on MNIST, CIFAR10 and ImageNet show that A2D is more effective than recent promising approaches. We also evaluate our defense against potential adaptive attacks and show that A2D is effective in defending carefully designed adaptive attacks, e.g., the attack success rate drops to 0% on CIFAR10.

Tong Chen,Zhan Ma

DOI: https://doi.org/10.1109/TCSVT.2023.3276442

2023-06-08

Abstract:Deep neural network-based image compression has been extensively studied. However, the model robustness which is crucial to practical application is largely overlooked. We propose to examine the robustness of prevailing learned image compression models by injecting negligible adversarial perturbation into the original source image. Severe distortion in decoded reconstruction reveals the general vulnerability in existing methods regardless of their settings (e.g., network architecture, loss function, quality scale). A variety of defense strategies including geometric self-ensemble based pre-processing, and adversarial training, are investigated against the adversarial attack to improve the model's robustness. Later the defense efficiency is further exemplified in real-life image recompression case studies. Overall, our methodology is simple, effective, and generalizable, making it attractive for developing robust learned image compression solutions. All materials are made publicly accessible at <a class="link-external link-https" href="https://njuvision.github.io/RobustNIC" rel="external noopener nofollow">this https URL</a> for reproducible research.

Computer Vision and Pattern Recognition,Multimedia,Image and Video Processing

Tong Chen,Zhan Ma

DOI: https://doi.org/10.1109/TCSVT.2023.3276442

IF: 5.859

2023-01-01

IEEE Transactions on Circuits and Systems for Video Technology

Abstract:Deep neural network-based image compression has been extensively studied. However, the model robustness which is crucial to practical application is largely overlooked. We propose to examine the robustness of prevailing learned image compression models by injecting negligible adversarial perturbation into the original source image. Severe distortion in decoded reconstruction reveals the general vulnerability in existing methods regardless of their settings (e.g., network architecture, loss function, quality scale). A variety of defense strategies including geometric self-ensemble based pre-processing, and adversarial training, are investigated against the adversarial attack to improve the model's robustness. Later the defense efficiency is further exemplified in real-life image recompression case studies. Overall, our methodology is simple, effective, and generalizable, making it attractive for developing robust learned image compression solutions. All materials are made publicly accessible at https://njuvision.github.io/RobustNIC for reproducible research.

Jingui Ma,Ronggang Wang

DOI: https://doi.org/10.1109/dcc58796.2024.00090

2024-01-01

Abstract:Learned image compression has achieved better performance than traditional coding methods in terms of rate-distortion performance. However, the robustness of compression models themselves is rarely paid attention to by coding community. In this work, we explore the potential threats of image compression model, and design an imperceptible adversarial perturbation generation method based on gradient optimization. The image with our generated adversarial perturbation will lead to serious distortion on decoder side when the image is reconstructed. Specifically, we use a similar method based on Fast Gradient Sign Method (FGSM) to optimize a noise and generate an adversarial perturbation against image reconstruction. Furthermore, in order to improve the imperceptibility of our attack, we restrict the optimized noise to the high frequency region of the chrominance components of a YUV image, inspired by the characteristics of human vision system (HVS). See Figure 1 for more details. Experiments on four types of popular image compression models show that our adversarial attack can cause serious distortion on decoder side of the model while keeping the perturbation undetectable to human eyes. We hope that our work could arouse the concern of coding community to the robustness and security of AI intelligent coding technology.

Mingde Wang,Zhijing Liu

DOI: https://doi.org/10.3390/app14198636

2024-01-01

Abstract:Machine learning systems, particularly in the domain of image recognition, are susceptible to adversarial perturbations applied to input data. These perturbations, while imperceptible to humans, have the capacity to easily deceive deep learning classifiers. Current defense methods for image recognition focus on using diffusion models and their variants. Due to the depth of diffusion models and the large amount of computations generated during each inference process, the GPU and storage performance of the device are extremely high. To address this problem, we propose a new defense-based non-overlapping image compression filter for image recognition classifiers against adversarial attacks. This method inserts a non-overlapping image compression filter before the classifier to make the results of the classifier invariant under subtle changes in images. This method does not weaken the adversarial robustness of the model and can reduce the computational cost during the training process of the image classification model. In addition, our method can be easily integrated with existing image classification training frameworks with only some minor adjustments. We validate our results by performing a series of experiments under three different convolutional neural network architectures (VGG16, ResNet34, and Inception-ResNet-v2) and on different datasets (CIFAR10 and CIFAR100). The experimental results show that under the Inception-ResNet-v2 architecture, our method achieves an average accuracy of up to 81.15% on the CIFAR10 dataset, fully demonstrating its effectiveness in mitigating adversarial attacks. In addition, under the WRN-28-10 architecture, our method achieves not only 91.28% standard accuracy on the CIFAR10 dataset but also 76.46% average robust accuracy. The test experiment on the model training time consumption shows that our defense method has an advantage in time cost, proving that our defense method is a lightweight and efficient defense strategy.

Kang Liu,Di Wu,Yiru Wang,Dan Feng,Benjamin Tan,Siddharth Garg

DOI: https://doi.org/10.48550/arXiv.2205.13253

2022-08-23

Abstract:Deep learning techniques have shown promising results in image compression, with competitive bitrate and image reconstruction quality from compressed latent. However, while image compression has progressed towards a higher peak signal-to-noise ratio (PSNR) and fewer bits per pixel (bpp), their robustness to adversarial images has never received deliberation. In this work, we, for the first time, investigate the robustness of image compression systems where imperceptible perturbation of input images can precipitate a significant increase in the bitrate of their compressed latent. To characterize the robustness of state-of-the-art learned image compression, we mount white-box and black-box attacks. Our white-box attack employs fast gradient sign method on the entropy estimation of the bitstream as its bitrate approximation. We propose DCT-Net simulating JPEG compression with architectural simplicity and lightweight training as the substitute in the black-box attack and enable fast adversarial transferability. Our results on six image compression models, each with six different bitrate qualities (thirty-six models in total), show that they are surprisingly fragile, where the white-box attack achieves up to 56.326x and black-box 1.947x bpp change. To improve robustness, we propose a novel compression architecture factorAtn which incorporates attention modules and a basic factorized entropy model, resulting in a promising trade-off between the rate-distortion performance and robustness to adversarial attacks that surpasses existing learned image compressors.

Computer Vision and Pattern Recognition,Artificial Intelligence,Cryptography and Security,Machine Learning

Tianyu Zhu,Heming Sun,Xiankui Xiong,Xuanpeng Zhu,Yong Gong,Minge jing,Yibo Fan

2024-03-27

Abstract:Learned image compression (LIC) is becoming more and more popular these years with its high efficiency and outstanding compression quality. Still, the practicality against modified inputs added with specific noise could not be ignored. White-box attacks such as FGSM and PGD use only gradient to compute adversarial images that mislead LIC models to output unexpected results. Our experiments compare the effects of different dimensions such as attack methods, models, qualities, and targets, concluding that in the worst case, there is a 61.55% decrease in PSNR or a 19.15 times increase in bpp under the PGD attack. To improve their robustness, we conduct adversarial training by adding adversarial images into the training datasets, which obtains a 95.52% decrease in the R-D cost of the most vulnerable LIC model. We further test the robustness of H.266, whose better performance on reconstruction quality extends its possibility to defend one-step or iterative adversarial attacks.

Image and Video Processing

Yang Sui,Zhuohang Li,Ding Ding,Xiang Pan,Xiaozhong Xu,Shan Liu,Zhenzhong Chen

2024-01-06

Abstract:Adversarial attacks can readily disrupt the image classification system, revealing the vulnerability of DNN-based recognition tasks. While existing adversarial perturbations are primarily applied to uncompressed images or compressed images by the traditional image compression method, i.e., JPEG, limited studies have investigated the robustness of models for image classification in the context of DNN-based image compression. With the rapid evolution of advanced image compression, DNN-based learned image compression has emerged as the promising approach for transmitting images in many security-critical applications, such as cloud-based face recognition and autonomous driving, due to its superior performance over traditional compression. Therefore, there is a pressing need to fully investigate the robustness of a classification system post-processed by learned image compression. To bridge this research gap, we explore the adversarial attack on a new pipeline that targets image classification models that utilize learned image compressors as pre-processing modules. Furthermore, to enhance the transferability of perturbations across various quality levels and architectures of learned image compression models, we introduce a saliency score-based sampling method to enable the fast generation of transferable perturbation. Extensive experiments with popular attack methods demonstrate the enhanced transferability of our proposed method when attacking images that have been post-processed with different learned image compression models.

Computer Vision and Pattern Recognition,Multimedia,Image and Video Processing

Chenhao Wu,Qingbo Wu,Haoran Wei,Shuai Chen,Lei Wang,King Ngi Ngan,Fanman Meng,Hongliang Li

2024-07-04

Abstract:Despite demonstrating superior rate-distortion (RD) performance, learning-based image compression (LIC) algorithms have been found to be vulnerable to malicious perturbations in recent studies. However, the adversarial attacks considered in existing literature remain divergent from real-world scenarios, both in terms of the attack direction and bitrate. Additionally, existing methods focus solely on empirical observations of the model vulnerability, neglecting to identify the origin of it. These limitations hinder the comprehensive investigation and in-depth understanding of the adversarial robustness of LIC algorithms. To address the aforementioned issues, this paper considers the arbitrary nature of the attack direction and the uncontrollable compression ratio faced by adversaries, and presents two practical rate-distortion attack paradigms, i.e., Specific-ratio Rate-Distortion Attack (SRDA) and Agnostic-ratio Rate-Distortion Attack (ARDA). Using the performance variations as indicators, we evaluate the adversarial robustness of eight predominant LIC algorithms against diverse attacks. Furthermore, we propose two novel analytical tools for in-depth analysis, i.e., Entropy Causal Intervention and Layer-wise Distance Magnify Ratio, and reveal that hyperprior significantly increases the bitrate and Inverse Generalized Divisive Normalization (IGDN) significantly amplifies input perturbations when under attack. Lastly, we examine the efficacy of adversarial training and introduce the use of online updating for defense. By comparing their advantages and disadvantages, we provide a reference for constructing more robust LIC algorithms against the rate-distortion attacks.

Image and Video Processing

Xiaofei He,Ming Ji,Hujun Bao

DOI: https://doi.org/10.1109/cvpr.2009.5206835

2009-01-01

Abstract:We consider the problem of lossy image compression from machine learning perspective. Typical image compression algorithms first transform the image from its spatial domain representation to frequency domain representation using some transform technique, such as discrete cosine transform and discrete wavelet transform, and then code the transformed values. Recently, instead of performing a frequency transformation, machine learning based approach has been proposed which uses the color information from a few representative pixels to learn a model which predicts color on the rest of the pixels. Selecting the most representative pixels is essentially an active learning problem, while colorization is a semi-supervised learning problem. In this paper, we propose a novel active learning algorithm, called graph regularized experimental design (GRED), which shares the same principle of the semi-supervised learning algorithm used for colorization. This way, active and semi-supervised learning is unified into a single framework for pixel selection and colorization. Our experimental results suggest that the proposed approach achieves higher compression ratio and image quality, while the compression time is significantly reduced.

Jiayu Yang,Chunhui Yang,Yi Ma,Shiyi Liu,Ronggang Wang

DOI: https://doi.org/10.1109/cvprw50498.2020.00078

2020-01-01

Abstract:Adversarial mechanism is introduced to learned image compression system in this paper. Our motivation is that the number of quantization levels is limited with the constraint of low bit-rate, resulting in severe distortion in details after reconstruction. The adversarial training manner enhances the ability of Decoder/Generator to enrich textures and details in the reconstructed image. Channel-spatial attention mechanism is used to refine the intermediate features implicitly to boost the representation power of CNNs. As for entropy model, we jointly take hyperpriors and autoregressive priors for accurate probability estimation. Moreover, an EDSR-like post-processing subnetwork is concatenated after Decoder for further quality enhancement. The proposed approach demonstrates competitive performance when evaluated with multi-scale structural similarity (MSSSIM) and favorably visual quality at low bit-rate.

Zhi Cao,Youneng Bao,Fanyang Meng,Chao Li,Wen Tan,Genhong Wang,Yongsheng Liang

2024-03-16

Abstract:Deep neural network-based image compression (NIC) has achieved excellent performance, but NIC method models have been shown to be susceptible to backdoor attacks. Adversarial training has been validated in image compression models as a common method to enhance model robustness. However, the improvement effect of adversarial training on model robustness is limited. In this paper, we propose a prior knowledge-guided adversarial training framework for image compression models. Specifically, first, we propose a gradient regularization constraint for training robust teacher models. Subsequently, we design a knowledge distillation based strategy to generate a priori knowledge from the teacher model to the student model for guiding adversarial training. Experimental results show that our method improves the reconstruction quality by about 9dB when the Kodak dataset is elected as the backdoor attack object for psnr attack. Compared with Ma2023, our method has a 5dB higher PSNR output at high bitrate points.

Image and Video Processing

Yi Yu,Yufei Wang,Wenhan Yang,Lanqing Guo,Shijian Lu,Ling-Yu Duan,Yap-Peng Tan,Alex C. Kot

2024-12-02

Abstract:Recent advancements in deep learning-based compression techniques have surpassed traditional methods. However, deep neural networks remain vulnerable to backdoor attacks, where pre-defined triggers induce malicious behaviors. This paper introduces a novel frequency-based trigger injection model for launching backdoor attacks with multiple triggers on learned image compression models. Inspired by the widely used DCT in compression codecs, triggers are embedded in the DCT domain. We design attack objectives tailored to diverse scenarios, including: 1) degrading compression quality in terms of bit-rate and reconstruction accuracy; 2) targeting task-driven measures like face recognition and semantic segmentation. To improve training efficiency, we propose a dynamic loss function that balances loss terms with fewer hyper-parameters, optimizing attack objectives effectively. For advanced scenarios, we evaluate the attack's resistance to defensive preprocessing and propose a two-stage training schedule with robust frequency selection to enhance resilience. To improve cross-model and cross-domain transferability for downstream tasks, we adjust the classification boundary in the attack loss during training. Experiments show that our trigger injection models, combined with minor modifications to encoder parameters, successfully inject multiple backdoors and their triggers into a single compression model, demonstrating strong performance and versatility. (*Due to the notification of arXiv "The Abstract field cannot be longer than 1,920 characters", the appeared Abstract is shortened. For the full Abstract, please download the Article.)

Computer Vision and Pattern Recognition,Cryptography and Security

Yichong Xia,Bin Chen,Yan Feng,Tianshuo Ge,Yujun Huang,Haoqian Wang,Yaowei Wang

DOI: https://doi.org/10.1016/j.patcog.2023.110242

IF: 8

2024-01-01

Pattern Recognition

Abstract:Exact likelihood estimation on entropy coding makes flow-based models appealing for lossless image compression. However, the high fidelity storage cost is affected by the lossless compression ratio. The trade-off between efficiency and robustness of flow-based deep lossless compression models has not been fully explored. This paper characterizes the trade-off theoretically and empirically, revealing that flow-based models are susceptible to adversarial examples resulting in a significant change in compression ratio. The fragile robustness of flow-based models is due to their intrinsic multi-scale architectures lacking the Lipschitz property. Based on this insight, a stronger white-box attack, Auto-Weighted Projected Gradient Descent (AW-PGD), is developed to generate more universal adversarial examples. Additionally, a novel flow-based lossless compression model, Robust Integer Discrete Flow (R-IDF), is proposed to achieve comparable robustness to adversarial training without sacrificing compression efficiency. Experiments demonstrate that the PGD algorithm falls into local extreme values when attacking the compression model, but the proposed attack and defense methods effectively improve the invulnerability of the flow-based compression model.

Yunfei Du,Nan Zhao,Yiping Duan,Chaoyi Han

DOI: https://doi.org/10.1109/iccchina.2019.8855819

2019-01-01

Abstract:Image compression based on region of interest (ROI) can maintain high quality on specific areas and behaves well in terms of subjective quality. However, existing methods lead to a severe loss of background information as well as block effects when the bitrate goes down. In this paper, we take advantage of the generative models and develop the generative compression scheme for ROI-based image compression. The proposed method adopts different compression objectives for interested areas and background. For a target bitrate, our method tends to preserve more details for interested areas while generating the background using a perceptual metric. The generative model works on the whole image to erase the unnatural block effects. Experiments show that our method could produce visually pleasing images at very low bitrates and is superior to existing compression methods.

Felipe Codevilla,Jean Gabriel Simard,Ross Goroshin,Chris Pal

DOI: https://doi.org/10.48550/arXiv.2111.02249

2021-11-03

Abstract:Recent work has shown that learned image compression strategies can outperform standard hand-crafted compression algorithms that have been developed over decades of intensive research on the rate-distortion trade-off. With growing applications of computer vision, high quality image reconstruction from a compressible representation is often a secondary objective. Compression that ensures high accuracy on computer vision tasks such as image segmentation, classification, and detection therefore has the potential for significant impact across a wide variety of settings. In this work, we develop a framework that produces a compression format suitable for both human perception and machine perception. We show that representations can be learned that simultaneously optimize for compression and performance on core vision tasks. Our approach allows models to be trained directly from compressed representations, and this approach yields increased performance on new tasks and in low-shot learning settings. We present results that improve upon segmentation and detection performance compared to standard high quality JPGs, but with representations that are four to ten times smaller in terms of bits per pixel. Further, unlike naive compression methods, at a level ten times smaller than standard JEPGs, segmentation and detection models trained from our format suffer only minor degradation in performance.

Image and Video Processing,Computer Vision and Pattern Recognition

Maungmaung Aprilpyone,Hitoshi Kiya

DOI: https://doi.org/10.1109/tifs.2021.3062977

IF: 7.231

2021-01-01

IEEE Transactions on Information Forensics and Security

Abstract:In this paper, we propose a novel defensive transformation that enables us to maintain a high classification accuracy under the use of both clean images and adversarial examples for adversarially robust defense. The proposed transformation is a block-wise preprocessing technique with a secret key to input images. The proposed defense obfuscates gradients in the absence of the secret key unlike previously defeated obfuscating defenses. We developed three algorithms to realize the proposed transformation: Pixel Shuffling, Bit Flipping, and FFX Encryption. Experiments were carried out on the CIFAR-10 and ImageNet datasets by using both black-box and white-box attacks with various metrics including adaptive ones. The results show that the proposed defense achieves high accuracy close to that of using clean images even under adaptive attacks for the first time. In the best-case scenario, a model trained by using images transformed by FFX Encryption (block size of 4) yielded an accuracy of 92.30% on clean images and 91.48% under PGD attack with a noise distance of 8/255, which is close to the non-robust accuracy (95.45%) for the CIFAR-10 dataset, and it yielded an accuracy of 72.18% on clean images and 71.43% under the same attack, which is also close to the standard accuracy (73.70%) for the ImageNet dataset. Overall, all three proposed algorithms are demonstrated to outperform state-of-the-art defenses including adversarial training whether or not a model is under attack.

computer science, theory & methods,engineering, electrical & electronic

Nilaksh Das,Madhuri Shanbhogue,Shang-Tse Chen,Fred Hohman,Siwei Li,Li Chen,Michael E. Kounavis,Duen Horng Chau

DOI: https://doi.org/10.48550/arXiv.1802.06816

2018-02-19

Computer Vision and Pattern Recognition

Abstract:The rapidly growing body of research in adversarial machine learning has demonstrated that deep neural networks (DNNs) are highly vulnerable to adversarially generated images. This underscores the urgent need for practical defense that can be readily deployed to combat attacks in real-time. Observing that many attack strategies aim to perturb image pixels in ways that are visually imperceptible, we place JPEG compression at the core of our proposed Shield defense framework, utilizing its capability to effectively "compress away" such pixel manipulation. To immunize a DNN model from artifacts introduced by compression, Shield "vaccinates" a model by re-training it with compressed images, where different compression levels are applied to generate multiple vaccinated models that are ultimately used together in an ensemble defense. On top of that, Shield adds an additional layer of protection by employing randomization at test time that compresses different regions of an image using random compression levels, making it harder for an adversary to estimate the transformation performed. This novel combination of vaccination, ensembling, and randomization makes Shield a fortified multi-pronged protection. We conducted extensive, large-scale experiments using the ImageNet dataset, and show that our approaches eliminate up to 94% of black-box attacks and 98% of gray-box attacks delivered by the recent, strongest attacks, such as Carlini-Wagner's L2 and DeepFool. Our approaches are fast and work without requiring knowledge about the model.

Vijay Veerabadran,Reza Pourreza,Amirhossein Habibian,Taco Cohen

DOI: https://doi.org/10.48550/arXiv.2004.09508

2021-06-19

Abstract:In this paper, we present a novel adversarial lossy video compression model. At extremely low bit-rates, standard video coding schemes suffer from unpleasant reconstruction artifacts such as blocking, ringing etc. Existing learned neural approaches to video compression have achieved reasonable success on reducing the bit-rate for efficient transmission and reduce the impact of artifacts to an extent. However, they still tend to produce blurred results under extreme compression. In this paper, we present a deep adversarial learned video compression model that minimizes an auxiliary adversarial distortion objective. We find this adversarial objective to correlate better with human perceptual quality judgement relative to traditional quality metrics such as MS-SSIM and PSNR. Our experiments using a state-of-the-art learned video compression system demonstrate a reduction of perceptual artifacts and reconstruction of detail lost especially under extremely high compression.

Image and Video Processing,Computer Vision and Pattern Recognition,Machine Learning

Shupeng Gui,Haotao Wang,Chen Yu,Haichuan Yang,Zhangyang Wang,Ji Liu

DOI: https://doi.org/10.48550/arXiv.1902.03538

2019-12-29

Abstract:Deep model compression has been extensively studied, and state-of-the-art methods can now achieve high compression ratios with minimal accuracy loss. This paper studies model compression through a different lens: could we compress models without hurting their robustness to adversarial attacks, in addition to maintaining accuracy? Previous literature suggested that the goals of robustness and compactness might sometimes contradict. We propose a novel Adversarially Trained Model Compression (ATMC) framework. ATMC constructs a unified constrained optimization formulation, where existing compression means (pruning, factorization, quantization) are all integrated into the constraints. An efficient algorithm is then developed. An extensive group of experiments are presented, demonstrating that ATMC obtains remarkably more favorable trade-off among model size, accuracy and robustness, over currently available alternatives in various settings. The codes are publicly available at: <a class="link-external link-https" href="https://github.com/shupenggui/ATMC" rel="external noopener nofollow">this https URL</a>.

Machine Learning