The Double-Edged Sword of Data-Driven Super-Resolution: Adversarial Super-Resolution Models

TL;DR

This paper introduces AdvSR, a novel framework for embedding adversarial behavior directly into super-resolution models during training, posing a new threat to imaging pipelines without affecting image quality metrics.

Contribution

The paper presents AdvSR, a method to create adversarial super-resolution models that induce misclassification while maintaining high image quality, revealing a new model-level attack surface.

Findings

AdvSR achieves high attack success rates on multiple SR architectures.

Models remain visually indistinguishable from benign models under standard metrics.

The attack impacts downstream tasks like object detection without input perturbations.

Abstract

Data-driven super-resolution (SR) methods are often integrated into imaging pipelines as preprocessing steps to improve downstream tasks such as classification and detection. However, these SR models introduce a previously unexplored attack surface into imaging pipelines. In this paper, we present AdvSR, a framework demonstrating that adversarial behavior can be embedded directly into SR model weights during training, requiring no access to inputs at inference time. Unlike prior attacks that perturb inputs or rely on backdoor triggers, AdvSR operates entirely at the model level. By jointly optimizing for reconstruction quality and targeted adversarial outcomes, AdvSR produces models that appear benign under standard image quality metrics while inducing downstream misclassification. We evaluate AdvSR on three SR architectures (SRCNN, EDSR, SwinIR) paired with a YOLOv11 classifier and demonstrate that AdvSR models can achieve high attack success rates with minimal quality degradation. These findings highlight a new model-level threat for imaging pipelines, with implications for how practitioners source and validate models in safety-critical applications.