Robust and Transferable Backdoor Attacks Against Deep Image Compression With Selective Frequency Prior

TL;DR

This paper presents a novel frequency-based backdoor attack method on deep image compression models, embedding triggers in the DCT domain to degrade quality or manipulate downstream tasks, with improved transferability and robustness.

Contribution

Introduces a frequency-based trigger injection model for backdoor attacks on image compression models, with a dynamic loss function and strategies for enhanced transferability and resistance to defenses.

Findings

Successfully injects multiple backdoors into compression models

Demonstrates robustness against defensive preprocessing

Achieves high transferability across models and domains

Abstract

Recent advancements in deep learning-based compression techniques have surpassed traditional methods. However, deep neural networks remain vulnerable to backdoor attacks, where pre-defined triggers induce malicious behaviors. This paper introduces a novel frequency-based trigger injection model for launching backdoor attacks with multiple triggers on learned image compression models. Inspired by the widely used DCT in compression codecs, triggers are embedded in the DCT domain. We design attack objectives tailored to diverse scenarios, including: 1) degrading compression quality in terms of bit-rate and reconstruction accuracy; 2) targeting task-driven measures like face recognition and semantic segmentation. To improve training efficiency, we propose a dynamic loss function that balances loss terms with fewer hyper-parameters, optimizing attack objectives effectively. For advanced scenarios, we evaluate the attack's resistance to defensive preprocessing and propose a two-stage training schedule with robust frequency selection to enhance resilience. To improve cross-model and cross-domain transferability for downstream tasks, we adjust the classification boundary in the attack loss during training. Experiments show that our trigger injection models, combined with minor modifications to encoder parameters, successfully inject multiple backdoors and their triggers into a single compression model, demonstrating strong performance and versatility. (*Due to the notification of arXiv "The Abstract field cannot be longer than 1,920 characters", the appeared Abstract is shortened. For the full Abstract, please download the Article.)