Recent deep-learning-based compression methods have achieved superior performance compared with traditional approaches. However, deep learning models have proven to be vulnerable to backdoor attacks, where some specific trigger patterns added to the input can lead to malicious behavior of the models. In this paper, we present a novel backdoor attack with multiple triggers against learned image compression models. Motivated by the widely used discrete cosine transform (DCT) in existing compression systems and standards, we propose a frequency-based trigger injection model that adds triggers in the DCT domain. In particular, we design several attack objectives for various attacking scenarios, including: 1) attacking compression quality in terms of bit-rate and reconstruction quality; 2) attacking task-driven measures, such as down-stream face recognition and semantic segmentation. Moreover, a novel simple dynamic loss is designed to balance the influence of different loss terms adaptively, which helps achieve more efficient training. Extensive experiments show that with our trained trigger injection models and simple modification of encoder parameters (of the compression model), the proposed attack can successfully inject several backdoors with corresponding triggers in a single image compression model.

翻译：近年来，基于深度学习的压缩方法相比传统方法展现出了更优越的性能。然而，深度学习模型已被证明容易受到后门攻击的影响——在输入中添加特定触发模式会导致模型产生恶意行为。本文针对学习型图像压缩模型提出了一种新颖的多触发器后门攻击方法。受现有压缩系统和标准中广泛使用的离散余弦变换（DCT）启发，我们提出了一种在DCT域中注入触发器的频率触发注入模型。具体而言，针对不同攻击场景设计了多种攻击目标，包括：1）在比特率和重构质量方面攻击压缩性能；2）攻击任务驱动指标，如下游人脸识别和语义分割任务。此外，我们设计了一种新颖的简单动态损失函数，能够自适应地平衡不同损失项的影响，从而提升训练效率。大量实验表明，通过训练好的触发器注入模型以及对压缩模型编码器参数的简单修改，本方法可在单个图像压缩模型中成功注入多个对应触发器的后门。