T-MLA: A Targeted Multiscale Log--Exponential Attack Framework for Neural Image Compression

TL;DR

This work identifies security vulnerabilities in neural image compression by exploiting the multiscale frequency structure via a wavelet-domain attack. The authors introduce T-MLA, a targeted multiscale log--exp adversarial framework that injects nonlinear perturbations across wavelet subbands with adaptive budgets to maximize post-codec distortion while preserving input perceptual quality. Through experiments on Kodak, CLIC, and DIV2K with multiple NIC architectures, T-MLA achieves substantial reconstruction degradation under tight stealth constraints and reveals a entropy-dependent vulnerability pattern, prompting calls for wavelet-aware defenses. The findings highlight critical security considerations for generative compression pipelines and motivate future work on robustness, black-box and universal attacks, and defense strategies across broader codecs and modalities.

Abstract

Neural image compression (NIC) has become the state-of-the-art for rate-distortion performance, yet its security vulnerabilities remain significantly less understood than those of classifiers. Existing adversarial attacks on NICs are often naive adaptations of pixel-space methods, overlooking the unique, structured nature of the compression pipeline. In this work, we propose a more advanced class of vulnerabilities by introducing T-MLA, the first targeted multiscale log--exponential attack framework. Our approach crafts adversarial perturbations in the wavelet domain by directly targeting the quality of the attacked and reconstructed images. This allows for a principled, offline attack where perturbations are strategically confined to specific wavelet subbands, maximizing distortion while ensuring perceptual stealth. Extensive evaluation across multiple state-of-the-art NIC architectures on standard image compression benchmarks reveals a large drop in reconstruction quality while the perturbations remain visually imperceptible. Our findings reveal a critical security flaw at the core of generative and content delivery pipelines.

Figures (14)

• Figure 1: Wavelet-aware adversarial perturbations. (a) PGD-based attack with small-magnitude noise, visually clean yet disruptive after compression. (b) Proposed wavelet-aware attack is also imperceptible but more stealthy. (c) Wavelet coefficients of (a) reveal widespread noise in flat regions. (d) Coefficients of (b) closely resemble the clean input, indicating reduced detectability.
• Figure 2: Overview of the proposed T-MLA attack pipeline. The input image after DWT splits into multiple scales, where each scale contains a low-frequency approximation $\mathbf{L}_S$ and detail components. For visualization, we show the combined magnitude of detail coefficients $|\mathbf{H}_S| = |\mathbf{LH}_S| + |\mathbf{HL}_S| + |\mathbf{HH}_S|$. The attack iteratively injects nonlinear noise into all subbands, followed by inverse DWT and neural compression to optimize the perturbations that maximize distortion after compression while maintaining visual quality between the original and adversarial images.
• Figure 3: Stealth vs. degradation tradeoff for T-MLA across NIC models and datasets. Each point represents an model-image pair and the corresponding attack performance. The axes are $\mathrm{PSNR}(x_{\mathrm{adv}}, x) \uparrow$ vs. $\mathrm{PSNR}(x_{\mathrm{adv}}, f(x_{\mathrm{adv}})) \downarrow$ (targets: 50/55 dB and 25 dB).
• Figure 4: Entropy-dependent robustness (relative VIF drop) for two models.
• Figure 5: Comprehensive visual comparison of adversarial attacks against LIC-TCM model for Kodak image 23. Top row (a-d): Original image and perturbed images using Additive (PGD), Pixel-LogExp, and T-MLA attacks. Middle row (e-h): Corresponding wavelet-domain representations showing original coefficients and attack-induced perturbations. Bottom row (i-l): Original reconstructed image and reconstructed images after compression under each attack method. The T-MLA approach demonstrates targeted frequency-domain perturbations while achieving severe reconstruction degradation.