Abstract
Recent deep-learning-based compression methods have achieved superior performance compared with traditional approaches. However, deep learning models have proven to be vulnerable to backdoor attacks, in which specific trigger patterns added to the input can cause malicious model behavior. In this paper, we present a novel backdoor attack with multiple triggers against learned image compression models. Motivated by the discrete cosine transform (DCT) widely used in existing compression systems and standards, we propose a frequency-based trigger injection model that adds triggers in the DCT domain. In particular, we design several attack objectives for various attacking scenarios, including: 1) attacking compression quality, in terms of bit rate and reconstruction quality; 2) attacking task-driven measures, such as downstream face recognition and semantic segmentation. Moreover, we design a novel yet simple dynamic loss that adaptively balances the influence of different loss terms, enabling more efficient training. Extensive experiments show that, with our trained trigger injection models and a simple modification of the compression model's encoder parameters, the proposed attack can successfully inject several backdoors, each with its corresponding trigger, into a single image compression model.
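To illustrate the core idea of frequency-domain trigger injection, the sketch below adds a fixed additive trigger to the 2-D DCT coefficients of a grayscale patch and transforms back to pixels. This is a hypothetical, minimal example: the function names, the additive form, and the fixed trigger are assumptions for illustration, not the paper's learned trigger injection model.

```python
import numpy as np

def dct_matrix(n):
    """Orthonormal DCT-II transform matrix (satisfies D @ D.T == I)."""
    k = np.arange(n)[:, None]
    i = np.arange(n)[None, :]
    D = np.sqrt(2.0 / n) * np.cos(np.pi * (2 * i + 1) * k / (2 * n))
    D[0] /= np.sqrt(2.0)
    return D

def inject_dct_trigger(img, trigger, alpha=0.05):
    """Add a trigger pattern to the 2-D DCT coefficients of a square
    grayscale image.

    img, trigger: same-shape float arrays in [0, 1]; alpha scales the
    trigger strength. All names here are illustrative assumptions.
    """
    n = img.shape[0]
    D = dct_matrix(n)
    coeffs = D @ img @ D.T           # forward 2-D DCT
    coeffs += alpha * trigger        # inject trigger in the frequency domain
    poisoned = D.T @ coeffs @ D      # inverse 2-D DCT back to pixel domain
    return np.clip(poisoned, 0.0, 1.0)

# Perturb a single high-frequency coefficient of a flat 8x8 patch:
# the change is spread over the whole patch and barely visible.
img = np.full((8, 8), 0.5)
trigger = np.zeros((8, 8))
trigger[7, 7] = 1.0
poisoned = inject_dct_trigger(img, trigger)
```

Because the perturbation lives in the frequency domain, even a large coefficient change produces only a small, spatially distributed pixel-domain pattern, which is one reason DCT-domain triggers can be hard to spot visually.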
Abstract (translated)
Recently, deep-learning-based compression methods have achieved better performance than traditional approaches. However, deep learning models have proven vulnerable to backdoor attacks, in which certain specific trigger patterns added to the input can cause malicious model behavior. In this paper, we present a backdoor attack with multiple triggers against learned image compression models. In view of the discrete cosine transform (DCT) widely used in existing compression systems and standards, we propose a frequency-based trigger injection model that adds triggers in the DCT domain. In particular, we design several attack objectives for various attack scenarios, including: 1) attacking compression quality in terms of bit rate and reconstruction quality; 2) attacking task-driven measures, such as downstream face recognition and semantic segmentation. Moreover, we design a novel, simple dynamic loss that adaptively balances the influence of different loss terms, helping achieve more efficient training. Extensive experiments show that, combining our trained trigger injection models with a simple modification of the encoder parameters (of the compression model), the attack can successfully inject several backdoors with corresponding triggers into a single image compression model.
URL
https://arxiv.org/abs/2302.14677