A study of the effect of JPG compression on adversarial images

TL;DR

This paper investigates how JPEG compression impacts the classification accuracy of adversarial images in neural networks, finding that compression can sometimes reverse adversarial effects, especially with small perturbations.

Contribution

It provides an empirical analysis of JPEG compression as a potential defense mechanism against adversarial images in neural network classifiers.

Findings

JPEG compression can reverse adversarial effects for small perturbations

Recompression is less effective as perturbation magnitude increases

JPEG compression's impact varies depending on the perturbation size

Abstract

Neural network image classifiers are known to be vulnerable to adversarial images, i.e., natural images which have been modified by an adversarial perturbation specifically designed to be imperceptible to humans yet fool the classifier. Not only can adversarial images be generated easily, but these images will often be adversarial for networks trained on disjoint subsets of data or with different architectures. Adversarial images represent a potential security risk as well as a serious machine learning challenge---it is clear that vulnerable neural networks perceive images very differently from humans. Noting that virtually every image classification data set is composed of JPG images, we evaluate the effect of JPG compression on the classification of adversarial images. For Fast-Gradient-Sign perturbations of small magnitude, we found that JPG compression often reverses the drop in classification accuracy to a large extent, but not always. As the magnitude of the perturbations increases, JPG recompression alone is insufficient to reverse the effect.