
On the Detection of Image-Scaling Attacks in Machine Learning

Erwin Quiring, Andreas Müller, Konrad Rieck

TL;DR

This work addresses the vulnerability of image preprocessing to image-scaling attacks by proposing two detection paradigms: frequency analysis and spatial analysis. It derives novel detectors from them, one based on predicted frequency peaks and one based on separating adversarial from clean signals in the spatial domain, and shows that they outperform prior heuristics across diverse scaling algorithms and libraries. A comprehensive evaluation across global and local attack scenarios, static and adaptive adversaries, and multiple backdoor configurations demonstrates that frequency-based methods achieve near-perfect detection of global modifications, while spatial methods provide robustness against adaptive attacks; combining both yields strong, robust protection. The authors also release public code to encourage further research and practical deployment as a protective layer that complements prevention defenses.

Abstract

Image scaling is an integral part of machine learning and computer vision systems. Unfortunately, this preprocessing step is vulnerable to so-called image-scaling attacks where an attacker makes unnoticeable changes to an image so that it becomes a new image after scaling. This opens up new ways for attackers to control the prediction or to improve poisoning and backdoor attacks. While effective techniques exist to prevent scaling attacks, their detection has not been rigorously studied yet. Consequently, it is currently not possible to reliably spot these attacks in practice. This paper presents the first in-depth systematization and analysis of detection methods for image-scaling attacks. We identify two general detection paradigms and derive novel methods from them that are simple in design yet significantly outperform previous work. We demonstrate the efficacy of these methods in a comprehensive evaluation with all major learning platforms and scaling algorithms. First, we show that image-scaling attacks modifying the entire scaled image can be reliably detected even under an adaptive adversary. Second, we find that our methods provide strong detection performance even if only minor parts of the image are manipulated. As a result, we can introduce a novel protection layer against image-scaling attacks.

Paper Structure (61 sections, 10 equations, 11 figures, 16 tables)

Figures (11)

  • Figure 1: Image-scaling attacks: global modification (top) and local modification (bottom). Note the small box (backdoor) on the lower left that appears. Both attacks can be detected by using a frequency or spatial analysis.
  • Figure 2: Principle of image-scaling attacks: The adversary finds a minimal modification $\Delta$ of $S$ such that the modified image $A = S + \Delta$ still looks like $S$, but downscales to $T$.
  • Figure 3: Simplified illustration of the root cause of image-scaling attacks: The scaling algorithm considers only a few pixels in an input $S$ (visualized by a thicker box). The adversary has to change only these pixels to control the downscaling output. This added noise is not noticeable.
  • Figure 4: Frequency analysis of the example in Figure [fig:scaling_attack_example]. Plots (a) and (b) show the frequency spectrum of the source image and the attack image, respectively. Plot (c) shows the peaks marked with Equation [eq:peak-function-centered].
  • Figure 5: Frequency-based detection approaches. Plot (a): Windows around expected peaks are extracted and their frequencies are compared in relation to the overall spectrum. Plot (b): Spectrum is divided into excerpts and the distance between expected and maximum peak for each excerpt is computed.
  • ...and 6 more figures
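Added example (not code from the paper or its released repository): the frequency-based check of Figure 5(a), reduced to a one-dimensional image row so it runs without dependencies. The "modified row" is a crude constructed stand-in that only overwrites the pixels a nearest-neighbour scaler samples (the root cause in Figure 3) and makes no attempt to be unnoticeable; the row length, the scaling ratio, the window width and the detection threshold are assumptions of this example.

```python
import cmath
import math

# Constructed 1-D stand-in for an image row; N and SCALE are assumptions of this example.
N = 64       # pixels in the source row S
SCALE = 4    # downscaling ratio: a nearest-neighbour scaler keeps every SCALE-th pixel

def clean_row():
    # Smooth constructed signal standing in for a natural image row.
    return [128.0 + 60.0 * math.cos(2 * math.pi * n / N) for n in range(N)]

def sampled_pixels_overwritten(row, target_value=30.0):
    # Crude constructed stand-in for an attack image A = S + Delta: only the pixels
    # the scaler actually samples (Figure 3) are overwritten so the row downscales
    # to target_value; every other pixel of S is left untouched.
    out = list(row)
    for n in range(0, len(row), SCALE):
        out[n] = target_value
    return out

def nearest_downscale(row):
    return [row[n] for n in range(0, len(row), SCALE)]

def magnitude_spectrum(row):
    # Naive O(N^2) DFT so the example needs no numpy; fine for N = 64.
    n_len = len(row)
    return [abs(sum(row[n] * cmath.exp(-2j * math.pi * k * n / n_len)
                    for n in range(n_len))) for k in range(n_len)]

def expected_peaks(n_len, scale):
    # A modification with period `scale` has spectral peaks at multiples of
    # n_len/scale; bin 0 (DC) is skipped because it only encodes brightness.
    return [j * (n_len // scale) for j in range(1, scale)]

def peak_energy_ratio(row, scale=SCALE, half_width=2):
    # Figure 5(a): energy in windows around the predicted peaks relative to the
    # whole non-DC spectrum. A clean row puts almost no energy in those windows.
    energy = [m * m for m in magnitude_spectrum(row)]
    total = sum(energy[1:])
    in_windows = sum(energy[b % len(energy)]
                     for p in expected_peaks(len(energy), scale)
                     for b in range(p - half_width, p + half_width + 1))
    return in_windows / total if total > 0 else 0.0

def is_scaling_attack(row, threshold=0.1):
    # threshold is an assumption for this toy signal, not a value from the paper.
    return peak_energy_ratio(row) > threshold
```

Because the peak positions follow from the scaling ratio alone, the same check applies to any row length and ratio where the ratio divides the length; for real images the windows are placed in the 2-D spectrum instead.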