BadSR: Stealthy Label Backdoor Attacks on Image Super-Resolution

Ji Guo, Xiaolei Wen, Wenbo Jiang, Cheng Huang, Jinjin Li, Hongwei Li

TL;DR

BadSR presents a stealthy label backdoor attack for image super-resolution that embeds a predefined target image into poisoned HR outputs while preserving normal SR for clean inputs. The method poisons LR via a pixel-level adversarial trigger and aligns poisoned HR with the target in feature space under strict perceptual constraints, then uses a genetic algorithm to select the most impactful poisoned samples. Empirical results show high attack success rates across diverse SR models and datasets with minimal disruption to normal SR quality, and demonstrate adverse effects on downstream classification and detection tasks. The work highlights a significant security risk in SR pipelines and offers a robust framework for evaluating and strengthening defenses against stealthy backdoor attacks.

Abstract

With the widespread application of super-resolution (SR) in various fields, researchers have begun to investigate its security. Previous studies have demonstrated that SR models can also be subjected to backdoor attacks through data poisoning, affecting downstream tasks. A backdoor SR model generates an attacker-predefined target image when given a triggered image while producing a normal high-resolution (HR) output for clean images. However, prior backdoor attacks on SR models have primarily focused on the stealthiness of poisoned low-resolution (LR) images while ignoring the stealthiness of poisoned HR images, making it easy for users to detect anomalous data. To address this problem, we propose BadSR, which improves the stealthiness of poisoned HR images. The key idea of BadSR is to approximate the clean HR image and the pre-defined target image in the feature space while ensuring that modifications to the clean HR image remain within a constrained range. The poisoned HR images generated by BadSR can be integrated with existing triggers. To further improve the effectiveness of BadSR, we design an adversarially optimized trigger and a backdoor gradient-driven poisoned sample selection method based on a genetic algorithm. The experimental results show that BadSR achieves a high attack success rate in various models and data sets, significantly affecting downstream tasks.

Paper Structure

This paper contains 25 sections, 27 equations, 21 figures, 7 tables, 2 algorithms.

Figures (21)

  • Figure 1: Comparison of the stealthiness among I2I backdoor, BadRefSR, and BadSR. The I2I backdoor and BadRefSR focus only on the stealthiness of the triggered images and ignore the stealthiness of the poisoned HR images. In contrast, BadSR ensures that both poisoned LR and poisoned HR images remain stealthy.
  • Figure 2: Pipeline of a backdoor SR model for downstream tasks.
  • Figure 3: Overview of the BadSR method. Poisoned LR images are generated by optimizing triggers added to the original LR images to maximize the reconstruction loss of a substitute SR model. Poisoned HR images are then generated by optimizing perturbations through feature alignment between the original HR and poisoned target HR images. Finally, a genetic algorithm is employed to select poisoned data that maximizes the backdoor gradient, determining the final poisoned samples.
  • Figure 4: Visualization results of different triggered LR images used as inputs for the backdoor ESRGAN.
  • Figure 5: Visualization results of different methods for clean LR image as input for SwinIR.
  • ...and 16 more figures