Skip to main content
Nubint
QUICK REVIEW

[论文解读] Inevitable Encounters: Backdoor Attacks Involving Lossy Compression

Qian Li, Yunuo Chen|arXiv (Cornell University)|Mar 14, 2026
Digital Media Forensic Detection被引用 0
一句话总结

该论文表明有损图像压缩可能破坏不可见的后门触发,并提出基于区域的策略——通用攻击激活用于 LICs 和压缩自适应攻击(CAA)——以通过压缩保留触发。

ABSTRACT

Real-world backdoor attacks often require poisoned datasets to be stored and transmitted before being used to compromise deep learning systems. However, in the era of big data, the inevitable use of lossy compression poses a fundamental challenge to invisible backdoor attacks. We find that triggers embedded in RGB images often become ineffective after the images are lossily compressed into binary bitstreams (e.g., JPEG files) for storage and transmission. As a result, the poisoned data lose its malicious effect after compression, causing backdoor injection to fail. In this paper, we highlight the necessity of explicitly accounting for the lossy compression process in backdoor attacks. This requires attackers to ensure that the transmitted binary bitstreams preserve malicious trigger information, so that effective triggers can be recovered in the decompressed data. Building on the region-of-interest (ROI) coding mechanism in image compression, we propose two poisoning strategies tailored to inevitable lossy compression. First, we introduce Universal Attack Activation, a universal method that uses sample-specific ROI masks to reactivate trigger information in binary bitstreams for learned image compression (LIC). Second, we present Compression-Adapted Attack, a new attack strategy that employs customized ROI masks to encode trigger information into binary bitstreams and is applicable to both traditional codecs and LIC. Extensive experiments demonstrate the effectiveness of both strategies.

研究动机与目标

  • 突出有损压缩对后门攻击的影响,以及在攻击设计中需要考虑压缩
  • 提出两种基于 ROI 的后门策略以在有损压缩中存活:面向学习图像压缩(LIC)的通用攻击激活与压缩自适应攻击(CAA)
  • 通过广泛实验在多个数据集、 backbone 和编解码器上,证明所提出方法的有效性

提出的方法

  • 将后门中毒建模为一个压缩流水线,其中数据被编码、以二进制比特流传输,并在训练时解码
  • 使用感兴趣区域(ROI)功能在压缩期间控制每个区域的比特率和失真,以实现触发的保留
  • 对于 LIC:设计一个样本特定的 ROI 掩码 M_res 或一个基于频率的掩码 M_freq,以在压缩过程中重新激活或保护触发信息
  • 对于传统编解码器:设计一个有压缩友好的 ROI 掩码 M*,将高频分布的触发印入传输的比特流,并搭配一个 benign 样本的统一 ROI 掩码
  • 提出两种主要策略:(i) 面向 LICs 的通用攻击激活(Universal Attack Activation),将比特率重新分配到高频/重要区域以恢复触发;(ii) 压缩自适应攻击(CAA),通过调整 ROI 以通过高频分布差异创造全局、不可见的触发
  • 可选整合指导:空间特征变换(SFT)可将 ROI 纳入 LIC 编码器,而 ROI 直接用于传统编解码器
Figure 1 : Ineffectiveness of Backdoor Attacks. Left: Higher compression rates intensify image distortion, hindering backdoor injection. It suggests that compression severely damages invisible triggers. Right: Removing high-frequency components from poisoned test samples via Fast Fourier transform s
Figure 1 : Ineffectiveness of Backdoor Attacks. Left: Higher compression rates intensify image distortion, hindering backdoor injection. It suggests that compression severely damages invisible triggers. Right: Removing high-frequency components from poisoned test samples via Fast Fourier transform s

实验结果

研究问题

  • RQ1有损压缩如何影响现有后门触发的有效性和隐蔽性?
  • RQ2基于 ROI 的策略是否能在 LIC 和传统编解码器中保留或重新激活压缩数据中的触发?
  • RQ3是否存在在现实压缩流水线下保持高攻击成功率同时保持不可见性的压缩感知后门技术?
  • RQ4所提出的方法是否在多个数据集、骨干模型和编解码器上具有泛化性?

主要发现

  • 有损压缩常常降低现有的不可见后门的效果,因此需要压缩感知的攻击
  • 面向 LICs 的基于 ROI 的通用攻击激活方法能够在保持不可见性的同时重新激活先前降级的触发
  • 压缩自适应攻击(CAA)在不同编解码器和模型中实现高攻击成功率且对良性准确率的影响很小
  • CAA 在全到一和全到全的攻击设置中表现出强大的性能,并对若干防御和重新压缩具有鲁棒性
Figure 2 : Overview. Red borders indicate poisoned samples, While green borders indicate benign samples. The first column outlines the process of data poisoning, which contains the inevitable compression process. The second column describes that the previously invisible method fails in real-world sc
Figure 2 : Overview. Red borders indicate poisoned samples, While green borders indicate benign samples. The first column outlines the process of data poisoning, which contains the inevitable compression process. The second column describes that the previously invisible method fails in real-world sc

更好的研究,从现在开始

从论文设计到论文写作,大幅缩短您的研究时间。

无需绑定信用卡

本解读由 AI 生成,并经人工编辑审核。