Attack and Defense Analysis of Learned Image Compression

TL;DR

This paper analyzes the vulnerability of learned image compression models to adversarial attacks and proposes adversarial training to enhance their robustness, demonstrating significant improvements in model resilience against such attacks.

Contribution

It provides a comprehensive analysis of LIC model vulnerabilities to white-box attacks and introduces adversarial training as an effective defense strategy.

Findings

PGD attack causes up to 61.55% PSNR decrease

Adversarial training reduces R-D cost by 95.52%

H.266 shows improved robustness against attacks

Abstract

Learned image compression (LIC) is becoming more and more popular these years with its high efficiency and outstanding compression quality. Still, the practicality against modified inputs added with specific noise could not be ignored. White-box attacks such as FGSM and PGD use only gradient to compute adversarial images that mislead LIC models to output unexpected results. Our experiments compare the effects of different dimensions such as attack methods, models, qualities, and targets, concluding that in the worst case, there is a 61.55% decrease in PSNR or a 19.15 times increase in bpp under the PGD attack. To improve their robustness, we conduct adversarial training by adding adversarial images into the training datasets, which obtains a 95.52% decrease in the R-D cost of the most vulnerable LIC model. We further test the robustness of H.266, whose better performance on reconstruction quality extends its possibility to defend one-step or iterative adversarial attacks.