Backdoor Attacks Against Deep Image Compression via Adaptive Frequency Trigger

Recent deep-learning-based compression methods have achieved superior performance compared with traditional approaches. However, deep learning models have proven to be vulnerable to backdoor attacks, where specific trigger patterns added to the input can lead to malicious behavior of the models. In this paper, we present a novel backdoor attack with multiple triggers against learned image compression models. Motivated by the widely used discrete cosine transform (DCT) in existing compression systems and standards, we propose a frequency-based trigger injection model that adds triggers in the DCT domain. In particular, we design several attack objectives for various attacking scenarios, including: 1) attacking compression quality in terms of bit-rate and reconstruction quality; 2) attacking task-driven measures, such as downstream face recognition and semantic segmentation. Moreover, a novel, simple dynamic loss is designed to balance the influence of different loss terms adaptively, which helps achieve more efficient training. Extensive experiments show that with our trained trigger injection models and simple modification of encoder parameters (of the compression model), the proposed attack can successfully inject several backdoors with corresponding triggers in a single image compression model.
