Inevitable Encounters: Backdoor Attacks Involving Lossy Compression

TL;DR

This paper investigates how lossy compression affects backdoor attacks in deep learning, proposing new strategies to embed triggers into compressed images to maintain attack effectiveness.

Contribution

It introduces two novel poisoning strategies that ensure malicious triggers survive lossy compression, addressing a key challenge in real-world backdoor attacks.

Findings

Lossy compression often destroys backdoor triggers in images.

Proposed strategies successfully embed triggers into compressed images.

Experiments confirm the effectiveness of the new poisoning methods.

Abstract

Real-world backdoor attacks often require poisoned datasets to be stored and transmitted before being used to compromise deep learning systems. However, in the era of big data, the inevitable use of lossy compression poses a fundamental challenge to invisible backdoor attacks. We find that triggers embedded in RGB images often become ineffective after the images are lossily compressed into binary bitstreams (e.g., JPEG files) for storage and transmission. As a result, the poisoned data lose its malicious effect after compression, causing backdoor injection to fail. In this paper, we highlight the necessity of explicitly accounting for the lossy compression process in backdoor attacks. This requires attackers to ensure that the transmitted binary bitstreams preserve malicious trigger information, so that effective triggers can be recovered in the decompressed data. Building on the region-of-interest (ROI) coding mechanism in image compression, we propose two poisoning strategies tailored to inevitable lossy compression. First, we introduce Universal Attack Activation, a universal method that uses sample-specific ROI masks to reactivate trigger information in binary bitstreams for learned image compression (LIC). Second, we present Compression-Adapted Attack, a new attack strategy that employs customized ROI masks to encode trigger information into binary bitstreams and is applicable to both traditional codecs and LIC. Extensive experiments demonstrate the effectiveness of both strategies.