Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Inevitable Encounters: Backdoor Attacks Involving Lossy Compression

Qian Li, Yunuo Chen, Yuntian Chen

Abstract

Real-world backdoor attacks often require poisoned datasets to be stored and transmitted before being used to compromise deep learning systems. However, in the era of big data, the inevitable use of lossy compression poses a fundamental challenge to invisible backdoor attacks. We find that triggers embedded in RGB images often become ineffective after the images are lossily compressed into binary bitstreams (e.g., JPEG files) for storage and transmission. As a result, the poisoned data lose its malicious effect after compression, causing backdoor injection to fail. In this paper, we highlight the necessity of explicitly accounting for the lossy compression process in backdoor attacks. This requires attackers to ensure that the transmitted binary bitstreams preserve malicious trigger information, so that effective triggers can be recovered in the decompressed data. Building on the region-of-interest (ROI) coding mechanism in image compression, we propose two poisoning strategies tailored to inevitable lossy compression. First, we introduce Universal Attack Activation, a universal method that uses sample-specific ROI masks to reactivate trigger information in binary bitstreams for learned image compression (LIC). Second, we present Compression-Adapted Attack, a new attack strategy that employs customized ROI masks to encode trigger information into binary bitstreams and is applicable to both traditional codecs and LIC. Extensive experiments demonstrate the effectiveness of both strategies.

Inevitable Encounters: Backdoor Attacks Involving Lossy Compression

Abstract

Real-world backdoor attacks often require poisoned datasets to be stored and transmitted before being used to compromise deep learning systems. However, in the era of big data, the inevitable use of lossy compression poses a fundamental challenge to invisible backdoor attacks. We find that triggers embedded in RGB images often become ineffective after the images are lossily compressed into binary bitstreams (e.g., JPEG files) for storage and transmission. As a result, the poisoned data lose its malicious effect after compression, causing backdoor injection to fail. In this paper, we highlight the necessity of explicitly accounting for the lossy compression process in backdoor attacks. This requires attackers to ensure that the transmitted binary bitstreams preserve malicious trigger information, so that effective triggers can be recovered in the decompressed data. Building on the region-of-interest (ROI) coding mechanism in image compression, we propose two poisoning strategies tailored to inevitable lossy compression. First, we introduce Universal Attack Activation, a universal method that uses sample-specific ROI masks to reactivate trigger information in binary bitstreams for learned image compression (LIC). Second, we present Compression-Adapted Attack, a new attack strategy that employs customized ROI masks to encode trigger information into binary bitstreams and is applicable to both traditional codecs and LIC. Extensive experiments demonstrate the effectiveness of both strategies.
Paper Structure (13 sections, 7 equations, 6 figures, 9 tables)

This paper contains 13 sections, 7 equations, 6 figures, 9 tables.

Table of Contents

  1. Introduction
  2. Related Work
  3. Invisible Backdoor Attack
  4. Lossy Image Compression
  5. Backdoor Attacks under Lossy Compression
  6. Codecs with ROI support
  7. Reactivating Invisible Backdoor Attacks
  8. Compression-Adapted Attack (CAA)
  9. Experiments
  10. Experimental Setting
  11. Reactivating Ineffective Attacks
  12. Compression-Adapted Attack (CAA)
  13. Conclusion and Future Work

Figures (6)

  • Figure 1: Ineffectiveness of Backdoor Attacks.Left: Higher compression rates intensify image distortion, hindering backdoor injection. It suggests that compression severely damages invisible triggers. Right: Removing high-frequency components from poisoned test samples via Fast Fourier transform significantly lowers the ASR, highlighting their crucial role in invisible triggers.
  • Figure 2: Overview. Red borders indicate poisoned samples, While green borders indicate benign samples. The first column outlines the process of data poisoning, which contains the inevitable compression process. The second column describes that the previously invisible method fails in real-world scenarios. We propose two methods described in the third and fourth columns: 1. Universal Attack Activation Method: It is a general method that reactivates methods previously ineffective under lossy compression. This method is particularly suitable for LICs and a few traditional codecs that support pixel-level ROI functionality. 2. Compression-Adapted Attack: It is a novel compression-adapted attack method that is applicable to most codecs.
  • Figure 3: Two options for ROI masks.
  • Figure 4: Visualization of the Reactivation Method. Left: We provide the original images (without compression), decompressed images of three attack methods, their corresponding reactivated images, as well as the ROI mask.
  • Figure 5: Resilient to Fine-Pruning fine
  • ...and 1 more figures