TL;DR
This paper evaluates compression-based image preprocessing defenses against strong white-box and adaptive attacks and finds that compression models producing high-realism reconstructions are substantially harder to attack, while low-realism models can be broken; the authors attribute this to distributional alignment with natural images rather than to gradient masking.
Contribution
It provides a comprehensive white-box and adaptive attack evaluation of compression models, showing that realistic reconstructions improve robustness and that this robustness is not an artifact of gradient masking.
Findings
High-realism reconstructions increase attack difficulty
Low-realism models are more vulnerable to attacks
Realistic images maintain natural distribution, offering robustness
Abstract
Previous work has suggested that preprocessing images through lossy compression can defend against adversarial perturbations, but comprehensive attack evaluations have been lacking. In this paper, we construct strong white-box and adaptive attacks against various compression models and identify a critical challenge for attackers: high realism in reconstructed images significantly increases attack difficulty. Through rigorous evaluation across multiple attack scenarios, we demonstrate that compression models capable of producing realistic, high-fidelity reconstructions are substantially more resistant to our attacks. In contrast, low-realism compression models can be broken. Our analysis reveals that this is not due to gradient masking. Rather, realistic reconstructions maintaining distributional alignment with natural images seem to offer inherent robustness. This work highlights a…
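The abstract's distinction between a defense that is genuinely robust and one that merely masks gradients is easiest to see in code. The following is an added example written for this page, not the paper's code or experiments: it stands in a uniform quantizer for the learned compression model and a fixed linear logit for the classifier (both constructed assumptions), then runs PGD twice against the same pipeline, once with the exact chain rule through the quantizer (whose derivative is zero almost everywhere, so the attack stalls and the pipeline looks robust) and once with the BPDA straight-through approximation, the adaptive technique the reviewers also mention. It illustrates only the gradient-masking control, not the realism effect the paper reports.

```python
"""Gradient masking by a lossy preprocessor, and a BPDA-style adaptive attack.

Constructed toy, not the paper's models: the "compression" step is uniform
quantisation and the classifier is a fixed linear logit over a 4-pixel image.
"""
from typing import Callable, Dict, List, Sequence

Vector = List[float]

# Constructed classifier weights: logit = W . compress(x) + B, class = sign(logit).
W: Vector = [1.0, -2.0, 0.5, 1.5]
B: float = 0.0
QUANT_STEP: float = 0.25  # stand-in for lossy compression


def compress(x: Sequence[float], step: float = QUANT_STEP) -> Vector:
    """Lossy preprocessing: snap each pixel to the nearest multiple of `step`.

    The map is piecewise constant, so its true derivative is zero almost
    everywhere; any attack that differentiates through it exactly gets nothing.
    """
    return [round(v / step) * step for v in x]


def logit(x: Sequence[float]) -> float:
    """Deployed pipeline: classifier applied to the preprocessed input."""
    return sum(wi * zi for wi, zi in zip(W, compress(x))) + B


def predict(x: Sequence[float]) -> int:
    return 1 if logit(x) > 0 else -1


def sign(v: float) -> int:
    return (v > 0) - (v < 0)


def naive_grad(x: Sequence[float], y: int) -> Vector:
    """Exact gradient of y*logit(x): W times d compress/dx, i.e. all zeros."""
    return [0.0 for _ in x]


def bpda_grad(x: Sequence[float], y: int) -> Vector:
    """BPDA: forward through compress(), backward as if it were the identity."""
    return [y * wi for wi in W]


def gradient_is_masked(g: Sequence[float], tol: float = 1e-12) -> bool:
    """Cheap diagnostic: an (almost) all-zero attack gradient is the first sign
    that a defense is hiding gradients rather than removing the perturbation."""
    return all(abs(gi) < tol for gi in g)


def pgd(x0: Sequence[float], y: int,
        grad_fn: Callable[[Sequence[float], int], Vector],
        eps: float = 0.2, alpha: float = 0.05, steps: int = 10) -> Vector:
    """L-infinity PGD that minimises y*logit(x) (pushes toward the wrong class)."""
    x = list(x0)
    for _ in range(steps):
        g = grad_fn(x, y)
        x = [xi - alpha * sign(gi) for xi, gi in zip(x, g)]
        # project back onto the eps-ball around x0 and the valid pixel range
        x = [min(max(xi, x0i - eps), x0i + eps) for xi, x0i in zip(x, x0)]
        x = [min(max(xi, 0.0), 1.0) for xi in x]
    return x


def linf(a: Sequence[float], b: Sequence[float]) -> float:
    return max(abs(ai - bi) for ai, bi in zip(a, b))


def run_demo(eps: float = 0.2) -> Dict[str, float]:
    """Attack one constructed image both ways and report what each achieves."""
    x0 = [0.3, 0.1, 0.6, 0.2]   # constructed clean input, classified as +1
    y = predict(x0)
    adv_naive = pgd(x0, y, naive_grad, eps=eps)
    adv_bpda = pgd(x0, y, bpda_grad, eps=eps)
    return {
        "clean_logit": logit(x0),
        "naive_masked": gradient_is_masked(naive_grad(x0, y)),
        "naive_logit": logit(adv_naive),
        "naive_success": predict(adv_naive) != y,
        "naive_linf": linf(adv_naive, x0),
        "bpda_logit": logit(adv_bpda),
        "bpda_success": predict(adv_bpda) != y,
        "bpda_linf": linf(adv_bpda, x0),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k:>14}: {v}")
```

Read this way, the naive run is the kind of evaluation the abstract says earlier work relied on: the attack "fails", but only because the preprocessor zeroed the gradient. The BPDA run, inside the same budget, flips the prediction, which is why the paper's claim rests on adaptive attacks and on an explicit check that its realism effect is not this phenomenon.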
Peer Reviews
Decision: Submitted to ICLR 2026
The paper's primary contribution lies in its novel perspective, which shifts the focus of compression-based defenses from traditional distortion metrics to the dimension of realism for the task of image classification. This hypothesis is supported by a rigorous evaluation that employs a strong suite of attacks. The evidence from these targeted experiments helps to decouple the defensive benefits of realism from confounding factors like gradient masking artifacts, strengthening the paper's core c
1. The evaluation is confined to classification. The defense's "hallucination" mechanism may harm pixel-sensitive tasks (e.g., segmentation), limiting generalizability. 2. The paper fails to report or control for the bitrate (bpp) of the compression methods under comparison. Bitrate is a critical variable that directly impacts baseline classification accuracy and reconstruction quality. 3. The clarity of some figures is insufficient for readers unfamiliar with the sub-field. For example, the capt
Strengths 1. Comprehensive evaluation across architectures, defenses, and adaptive attack types, addressing the common critique of weak adversarial testing. 2. Novel insight: Identifies realism as a key determinant of robustness, offering a new conceptual lens beyond distortion or gradient obfuscation. 3. Well-written and reproducible: Clear methodology, detailed threat models, and code availability.
Questions for the Authors 1. Although high-realism models exhibit stronger robustness, do such realism-enhanced defense models require higher computational cost compared to low-realism ones when deployed in practice? 2. Does the realism–robustness relation hold for detection or segmentation tasks? 3. I am still curious about the underlying mechanism through which realism enhances robustness. As the paper mentions, compression models with higher realism produce reconstructions that are more co
1. The paper evaluates multiple adaptive attack settings, which provides a thorough empirical basis. 2. The paper provides some insights into the correlation between realism and robustness.
1. Although the paper convincingly demonstrates an empirical link between realism and robustness, it lacks a clear theoretical explanation of why realism leads to robustness. 2. The comparison with diffusion-based defenses is limited. The paper evaluates only under standard PGD without employing stronger adaptive attacks (such as U-Net BPDA or ARA) that could more rigorously test the claimed efficiency–robustness trade-off. 3. The discussion of realism metrics such as FID remains qualitative. The