MALICE: Manipulation Attacks on Learned Image ComprEssion

TL;DR

This paper investigates the vulnerability of learned image compression systems to adversarial attacks, demonstrating their fragility and proposing a new architecture that improves robustness while maintaining compression quality.

Contribution

It is the first to analyze adversarial robustness in learned image compression and introduces a new architecture that enhances robustness against such attacks.

Findings

White-box attack increases bitrate by up to 56.3x

Black-box attack increases bitrate by up to 1.95x

Proposed factorAtn architecture improves robustness and rate-distortion trade-off

Abstract

Deep learning techniques have shown promising results in image compression, with competitive bitrate and image reconstruction quality from compressed latent. However, while image compression has progressed towards a higher peak signal-to-noise ratio (PSNR) and fewer bits per pixel (bpp), their robustness to adversarial images has never received deliberation. In this work, we, for the first time, investigate the robustness of image compression systems where imperceptible perturbation of input images can precipitate a significant increase in the bitrate of their compressed latent. To characterize the robustness of state-of-the-art learned image compression, we mount white-box and black-box attacks. Our white-box attack employs fast gradient sign method on the entropy estimation of the bitstream as its bitrate approximation. We propose DCT-Net simulating JPEG compression with architectural simplicity and lightweight training as the substitute in the black-box attack and enable fast adversarial transferability. Our results on six image compression models, each with six different bitrate qualities (thirty-six models in total), show that they are surprisingly fragile, where the white-box attack achieves up to 56.326x and black-box 1.947x bpp change. To improve robustness, we propose a novel compression architecture factorAtn which incorporates attention modules and a basic factorized entropy model, resulting in a promising trade-off between the rate-distortion performance and robustness to adversarial attacks that surpasses existing learned image compressors.