BadSR: Stealthy Label Backdoor Attacks on Image Super-Resolution

TL;DR

BadSR introduces a stealthy backdoor attack on image super-resolution models, effectively manipulating outputs with minimal detectability by approximating target images in feature space and optimizing triggers.

Contribution

The paper presents BadSR, a novel backdoor attack method that enhances stealthiness of poisoned high-resolution images in SR models, improving attack success rate and impact.

Findings

High attack success rate across various models and datasets

Significant influence on downstream tasks

Enhanced stealthiness of poisoned HR images

Abstract

With the widespread application of super-resolution (SR) in various fields, researchers have begun to investigate its security. Previous studies have demonstrated that SR models can also be subjected to backdoor attacks through data poisoning, affecting downstream tasks. A backdoor SR model generates an attacker-predefined target image when given a triggered image while producing a normal high-resolution (HR) output for clean images. However, prior backdoor attacks on SR models have primarily focused on the stealthiness of poisoned low-resolution (LR) images while ignoring the stealthiness of poisoned HR images, making it easy for users to detect anomalous data. To address this problem, we propose BadSR, which improves the stealthiness of poisoned HR images. The key idea of BadSR is to approximate the clean HR image and the pre-defined target image in the feature space while ensuring that modifications to the clean HR image remain within a constrained range. The poisoned HR images generated by BadSR can be integrated with existing triggers. To further improve the effectiveness of BadSR, we design an adversarially optimized trigger and a backdoor gradient-driven poisoned sample selection method based on a genetic algorithm. The experimental results show that BadSR achieves a high attack success rate in various models and data sets, significantly affecting downstream tasks.