Recent deep-learning-based compression methods have achieved superior performance compared with traditional approaches. However, deep learning models have proven to be vulnerable to backdoor attacks, where some specific trigger patterns added to the input can lead to malicious behavior of the models. In this paper, we present a novel backdoor attack with multiple triggers against learned image compression models. Motivated by the widely used discrete cosine transform (DCT) in existing compression systems and standards, we propose a frequency-based trigger injection model that adds triggers in the DCT domain. In particular, we design several attack objectives for various attacking scenarios, including: 1) attacking compression quality in terms of bit-rate and reconstruction quality; 2) attacking task-driven measures, such as down-stream face recognition and semantic segmentation. Moreover, a novel simple dynamic loss is designed to balance the influence of different loss terms adaptively, which helps achieve more efficient training. Extensive experiments show that with our trained trigger injection models and simple modification of encoder parameters (of the compression model), the proposed attack can successfully inject several backdoors with corresponding triggers in a single image compression model.
翻译:与传统方法相比,最近以深层次学习为基础的压缩方法取得了优异的绩效。然而,深层次学习模式已证明很容易受到后门攻击,因为输入中添加了某些特定的触发模式,可能导致模型的恶意行为。在本文中,我们展示了一种新的后门攻击,对学习的图像压缩模型有多重触发。受现有压缩系统和标准中广泛使用的离散连线转换(DCT)的驱动,我们提出了一种基于频率的触发注射模式,在DCT域中添加触发器。特别是,我们为各种攻击情景设计了几种攻击目标,包括:1) 以比特率和重建质量攻击压缩质量;2) 攻击任务驱动措施,如下流面识别和语义分解。此外,新颖的简单动态损失旨在平衡不同损失术语的适应性影响,这有助于实现更有效的培训。广泛的实验表明,通过我们训练的触发注射模型和对(压缩模型)编码参数的简单修改,拟议攻击可以成功地用单一图像压缩模型中的相应触发器输入几个后门。</s>
相关内容
微信扫码咨询专知VIP会员