Backdoor attacks against deep image compression via adaptive frequency trigger
Recent deep-learning-based compression methods have achieved superior performance compared with traditional approaches. However, deep learning models have proven to be vulnerable to backdoor attacks, where some specific trigger patterns added to the input can lead to malicious behavior of the models...
Saved in:
| Main Authors: | , , , , , |
|---|---|
| Other Authors: | |
| Format: | Conference or Workshop Item |
| Language: | English |
| Published: |
2023
|
| Subjects: | |
| Online Access: | https://hdl.handle.net/10356/168045 https://cvpr2023.thecvf.com/Conferences/2023 |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| Institution: | Nanyang Technological University |
| Language: | English |
| id |
sg-ntu-dr.10356-168045 |
|---|---|
| record_format |
dspace |
| spelling |
sg-ntu-dr.10356-1680452023-08-29T00:54:03Z Backdoor attacks against deep image compression via adaptive frequency trigger Yu, Yi Wang, Yufei Yang, Wenhan Lu, Shijian Tan, Yap Peng Kot, Alex Chichung Interdisciplinary Graduate School (IGS) IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR 2023) Rapid-Rich Object Search (ROSE) Lab Engineering::Computer science and engineering Image Compression Signal Processing Recent deep-learning-based compression methods have achieved superior performance compared with traditional approaches. However, deep learning models have proven to be vulnerable to backdoor attacks, where some specific trigger patterns added to the input can lead to malicious behavior of the models. In this paper, we present a novel backdoor attack with multiple triggers against learned image compression models. Motivated by the widely used discrete cosine transform (DCT) in existing compression systems and standards, we propose a frequency-based trigger injection model that adds triggers in the DCT domain. In particular, we design several attack objectives for various attacking scenarios, including: 1) attacking compression quality in terms of bit-rate and reconstruction quality; 2) attacking task-driven measures, such as down-stream face recognition and semantic segmentation. Moreover, a novel simple dynamic loss is designed to balance the influence of different loss terms adaptively, which helps achieve more efficient training. Extensive experiments show that with our trained trigger injection models and simple modification of encoder parameters (of the compression model), the proposed attack can successfully inject several backdoors with corresponding triggers in a single image compression model. Nanyang Technological University Submitted/Accepted version This work was done at Rapid-Rich Object Search (ROSE) Lab, Nanyang Technological University. This research is supported in part by the NTU- PKU Joint Research Institute (a collaboration between the Nanyang Technological University and Peking University that is sponsored by a donation from the Ng Teng Fong Charitable Foundation). This research work is also partially supported by the Basic and Frontier Research Project of PCL and the Major Key Project of PCL. 2023-08-22T08:48:33Z 2023-08-22T08:48:33Z 2023 Conference Paper Yu, Y., Wang, Y., Yang, W., Lu, S., Tan, Y. P. & Kot, A. C. (2023). Backdoor attacks against deep image compression via adaptive frequency trigger. IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR 2023). https://dx.doi.org/10.1109/CVPR52729.2023.01179 https://hdl.handle.net/10356/168045 10.1109/CVPR52729.2023.01179 https://cvpr2023.thecvf.com/Conferences/2023 en © 2023 The Author(s). Published by Computer Vision Foundation. This is an open-access article distributed under the terms of the Creative Commons Attribution License. The final published version of the proceedings is available on IEEE Xplore. application/pdf |
| institution |
Nanyang Technological University |
| building |
NTU Library |
| continent |
Asia |
| country |
Singapore Singapore |
| content_provider |
NTU Library |
| collection |
DR-NTU |
| language |
English |
| topic |
Engineering::Computer science and engineering Image Compression Signal Processing |
| spellingShingle |
Engineering::Computer science and engineering Image Compression Signal Processing Yu, Yi Wang, Yufei Yang, Wenhan Lu, Shijian Tan, Yap Peng Kot, Alex Chichung Backdoor attacks against deep image compression via adaptive frequency trigger |
| description |
Recent deep-learning-based compression methods have achieved superior performance compared with traditional approaches. However, deep learning models have proven to be vulnerable to backdoor attacks, where some specific trigger patterns added to the input can lead to malicious behavior of the models. In this paper, we present a novel backdoor attack with multiple triggers against learned image compression models. Motivated by the widely used discrete cosine transform (DCT) in existing compression systems and standards, we propose a frequency-based trigger injection model that adds triggers in the DCT domain. In particular, we design several attack objectives for various attacking scenarios, including: 1) attacking compression quality in terms of bit-rate and reconstruction quality; 2) attacking task-driven measures, such as down-stream face recognition and semantic segmentation. Moreover, a novel simple dynamic loss is designed to balance the influence of different loss terms adaptively, which helps achieve more efficient training. Extensive experiments show that with our trained trigger injection models and simple modification of encoder parameters (of the compression model), the proposed attack can successfully inject several backdoors with corresponding triggers in a single image compression model. |
| author2 |
Interdisciplinary Graduate School (IGS) |
| author_facet |
Interdisciplinary Graduate School (IGS) Yu, Yi Wang, Yufei Yang, Wenhan Lu, Shijian Tan, Yap Peng Kot, Alex Chichung |
| format |
Conference or Workshop Item |
| author |
Yu, Yi Wang, Yufei Yang, Wenhan Lu, Shijian Tan, Yap Peng Kot, Alex Chichung |
| author_sort |
Yu, Yi |
| title |
Backdoor attacks against deep image compression via adaptive frequency trigger |
| title_short |
Backdoor attacks against deep image compression via adaptive frequency trigger |
| title_full |
Backdoor attacks against deep image compression via adaptive frequency trigger |
| title_fullStr |
Backdoor attacks against deep image compression via adaptive frequency trigger |
| title_full_unstemmed |
Backdoor attacks against deep image compression via adaptive frequency trigger |
| title_sort |
backdoor attacks against deep image compression via adaptive frequency trigger |
| publishDate |
2023 |
| url |
https://hdl.handle.net/10356/168045 https://cvpr2023.thecvf.com/Conferences/2023 |
| _version_ |
1779156412243378176 |