Resolution Attack: Exploiting Image Compression to Deceive Deep Neural Networks

Authors: Wangjia Yu, Xiaomeng Fu, Qiao Li, Jizhong Han, Xiaodan Zhang

ICLR 2025

| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | The experimental results exhibit high attack success rate, which not only validates the effectiveness of our proposed framework but also reveals the vulnerability of current classifiers towards different resolutions. We employ the proposed framework to create images with dual representations for the purpose of resolution attack. The experimental results reveal that current classifiers are vulnerable to the resolution attack. Additionally, our framework, which incorporates features from two distinct objects, serves as a competitive tool for applications such as face swapping and facial camouflage. The code is available at https://github.com/ywj1/resolution-attack. [5 Experiment, 5.1 Experimental Setup] Target Classifiers and Datasets. We select a range of widely utilized classifiers to evaluate the efficacy of our proposed resolution attack. |
| Researcher Affiliation | Academia | Wangjia Yu [1,2], Xiaomeng Fu [1,2], Qiao Li [1,2], Jizhong Han [1], Xiaodan Zhang [1]. [1] Institute of Information Engineering, Chinese Academy of Sciences; [2] School of Cyber Security, University of Chinese Academy of Sciences |
| Pseudocode | No | The paper describes the methods using textual descriptions and mathematical formulations, but it does not include any explicitly labeled pseudocode or algorithm blocks with structured steps. |
| Open Source Code | Yes | The code is available at https://github.com/ywj1/resolution-attack. |
| Open Datasets | Yes | All these classifiers are trained on the ImageNet (Russakovsky et al., 2015) dataset, which consists of over a million images across 1000 categories. We utilize the Stable Diffusion (Rombach et al., 2022) v1.5 as the denoising U-Net within the Dual-Stream Generative Denoising Module. This model is trained on the LAION-5B dataset (Schuhmann et al., 2022). |
| Dataset Splits | No | The paper mentions collecting a dataset of 100 frontal images of dogs as source images but does not specify any training/test/validation splits for this or any other dataset used to train their proposed method. For the evaluation, it states 'Each prompt combination generates 100 images, with a total of 1,000 images for the labeled attack and another 1,000 images for the unlabeled attack', which describes generated data for evaluation, not standard dataset splits for model training or validation. |
| Hardware Specification | No | The paper does not provide any specific details about the hardware (e.g., GPU models, CPU types, memory) used for running the experiments. |
| Software Dependencies | Yes | We utilize the Stable Diffusion (Rombach et al., 2022) v1.5 as the denoising U-Net within the Dual-Stream Generative Denoising Module. The image generation process in our experiments is handled by the Stable Diffusion (Rombach et al., 2022) v1.5 model... When computing accuracy, both high-resolution and low-resolution images are directly fed into the target classifiers. The classifiers preprocess these images using PyTorch's default pipeline to ensure alignment with the required input dimensions. |
| Experiment Setup | Yes | We iteratively generate the dual-representation images over 300 denoising steps, employing a time-dependent strategy where the first 20 steps utilize the C_L, the last 20 steps utilize the C_H and the 260 steps in between utilize both C_L and C_H. Gaussian Filters are employed as the low-frequency filter, while the high-frequency filter is constructed by subtracting the low-frequency component extracted by the Gaussian Filters. For RAS, we utilize the DDIM inversion of 200 steps to embed the source image into the latent noise space. In the experiment, we generate images at a fixed resolution of 512x512, using the DDIM (Song et al., 2021) sampling technique. The sampling process consists of 300 steps... During the generation process, we utilize classifier-free guidance (CFG) (Ho & Salimans, 2021) to control the fidelity and diversity of the images. Specifically, the CFG coefficient for the high-resolution prompt (P_H) is set to 9, while for the low-resolution prompt (P_L), the CFG coefficient is set to 7. Additionally, the generated images are downsampled by a factor of 3 (downsampling to 64 resolution) for the low-resolution attack evaluation. |