The Double-Edged Sword of Data-Driven Super-Resolution: Adversarial Super-Resolution Models

Haley Duba-Sullivan, Steven R. Young, Emma J. Reid

TL;DR

AdvSR exposes a model-level vulnerability in data-driven super-resolution pipelines by embedding a targeted adversarial objective directly into SR weights, obviating test-time input manipulation. The method optimizes a combined objective $\mathcal{L}_\phi = \mathcal{L}_{AdvCE} + \lambda \mathcal{L}_{SR}$, where the adversarial term $\mathcal{L}_{AdvCE}$ uses modified labels to misclassify a source class $s$ as a target class $t$ while preserving others, and $\lambda$ is balanced via $\lambda = r \cdot \frac{\mathcal{L}_{AdvCE}^{(0)}}{\mathcal{L}_{SR}^{(0)}}$. Experiments on SRCNN, EDSR, and SwinIR with a YOLOv11 downstream classifier show that AdvSR can achieve high Targeted-ASR (up to ~82%) with minimal degradation in PSNR/SSIM and high non-source accuracy, especially for high-capacity SR models like SwinIR. This work highlights a new supply-chain and model-robustness threat in safety-critical imaging pipelines and motivates defenses and broader evaluations across architectures and data distributions.

Abstract

Data-driven super-resolution (SR) methods are often integrated into imaging pipelines as preprocessing steps to improve downstream tasks such as classification and detection. However, these SR models introduce a previously unexplored attack surface into imaging pipelines. In this paper, we present AdvSR, a framework demonstrating that adversarial behavior can be embedded directly into SR model weights during training, requiring no access to inputs at inference time. Unlike prior attacks that perturb inputs or rely on backdoor triggers, AdvSR operates entirely at the model level. By jointly optimizing for reconstruction quality and targeted adversarial outcomes, AdvSR produces models that appear benign under standard image quality metrics while inducing downstream misclassification. We evaluate AdvSR on three SR architectures (SRCNN, EDSR, SwinIR) paired with a YOLOv11 classifier and demonstrate that AdvSR models can achieve high attack success rates with minimal quality degradation. These findings highlight a new model-level threat for imaging pipelines, with implications for how practitioners source and validate models in safety-critical applications.
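Because a model of this kind looks benign under PSNR/SSIM, an acceptance check has to examine the downstream classifier class by class. The following is an added example, not code from the paper: it compares classifier predictions on images upscaled by a trusted reference (assumed here to be a simple interpolation baseline) with predictions on the candidate SR model's outputs, and flags any class whose accuracy collapses into a single other class. The function name, thresholds, class names, and the working definitions of Targeted-ASR (share of source-class images predicted as the target) and NSA (accuracy on all other classes) are assumptions.

```python
from collections import Counter

def audit_sr_model(labels, ref_preds, sr_preds, drop_thresh=0.3, focus_thresh=0.7):
    """Flag classes that collapse toward one other class under the candidate SR model.

    labels    : ground-truth class per evaluation image
    ref_preds : classifier output on reference-upscaled images
    sr_preds  : classifier output on candidate-SR images
    Thresholds are illustrative assumptions, not values from the paper.
    """
    findings = []
    for cls in sorted(set(labels)):
        idx = [i for i, y in enumerate(labels) if y == cls]
        ref_acc = sum(ref_preds[i] == cls for i in idx) / len(idx)
        sr_acc = sum(sr_preds[i] == cls for i in idx) / len(idx)
        wrong = Counter(sr_preds[i] for i in idx if sr_preds[i] != cls)
        if not wrong:
            continue
        target, hits = wrong.most_common(1)[0]
        focus = hits / sum(wrong.values())  # share of errors landing on one class
        # Random degradation spreads errors; a targeted model concentrates them.
        if ref_acc - sr_acc >= drop_thresh and focus >= focus_thresh:
            others = [i for i, y in enumerate(labels) if y != cls]
            nsa = sum(sr_preds[i] == labels[i] for i in others) / len(others)
            findings.append({"source": cls, "target": target,
                             "targeted_asr": hits / len(idx), "nsa": nsa})
    return findings

# Constructed sample data: 3 classes, 10 images each (not from the paper).
LABELS = ["car"] * 10 + ["truck"] * 10 + ["bus"] * 10
REF_PREDS = ["bus"] + LABELS[1:]                 # reference path: one ordinary error
SUSPECT_PREDS = (["truck"] * 8 + ["car"] * 2     # "car" mostly read as "truck"
                 + ["truck"] * 10
                 + ["bus"] * 9 + ["car"])        # other classes nearly untouched

if __name__ == "__main__":
    for f in audit_sr_model(LABELS, REF_PREDS, SUSPECT_PREDS):
        print(f)
```

A high NSA alongside a flagged source class is the signature to look for: overall accuracy and image-quality metrics stay close to the reference while one class is redirected.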

Paper Structure (17 sections, 5 equations, 4 figures, 2 tables)

Figures (4)

  • Figure 1: Comparison of adversarial attack paradigms for SR models. Input and backdoor attacks both require test-time access to manipulate inputs. Our proposed model attack embeds adversarial behavior during training, requiring no intervention at inference.
  • Figure 2: Effect of ratio $r$ on attack success (left) and image fidelity (right) for YOLO-5. Smaller $r$ increases Targeted-ASR (orange) but may degrade NSA (blue), PSNR (purple), and SSIM (red). Based on these trade-offs, we select $r=0.5$ for SRCNN and $r=0.05$ for EDSR and SwinIR.
  • Figure 3: Qualitative comparison of clean and AdvSR models targeting YOLO-5 for a (a) source-class image and (b) non-source-class image. Top rows show clean SR outputs that faithfully reconstruct details. Bottom rows show AdvSR outputs that maintain visual quality but cause the source-class image to be misclassified as the target class while leaving the non-source-class image correctly classified.
  • Figure 4: Qualitative comparison of clean and AdvSR models targeting YOLO-20 for a (a) source-class image and (b) non-source-class image. AdvSR outputs show more visible artifacts than YOLO-5 (Figure 3), corresponding to increased image quality degradation. The attack still suppresses correct recognition of the source class while preserving non-source classification.