The Effects of JPEG and JPEG2000 Compression on Attacks using Adversarial Examples

TL;DR

This paper compares JPEG and JPEG2000 compression techniques for mitigating adversarial noise in images, finding JPEG2000 more effective due to higher compression efficiency and fewer artifacts, thereby improving classifier robustness.

Contribution

It introduces JPEG2000 as a superior pre-processing method to reduce adversarial noise compared to JPEG, with systematic evaluation at various compression levels.

Findings

JPEG2000 achieves higher compression with less distortion.

JPEG2000 reduces adversarial noise more effectively.

JPEG2000 avoids blocking artifacts common in JPEG.

Abstract

Adversarial examples are known to have a negative effect on the performance of classifiers which have otherwise good performance on undisturbed images. These examples are generated by adding non-random noise to the testing samples in order to make classifier misclassify the given data. Adversarial attacks use these intentionally generated examples and they pose a security risk to the machine learning based systems. To be immune to such attacks, it is desirable to have a pre-processing mechanism which removes these effects causing misclassification while keeping the content of the image. JPEG and JPEG2000 are well-known image compression techniques which suppress the high-frequency content taking the human visual system into account. JPEG has been also shown to be an effective method for reducing adversarial noise. In this paper, we propose applying JPEG2000 compression as an alternative and systematically compare the classification performance of adversarial images compressed using JPEG and JPEG2000 at different target PSNR values and maximum compression levels. Our experiments show that JPEG2000 is more effective in reducing adversarial noise as it allows higher compression rates with less distortion and it does not introduce blocking artifacts.