CV | IV | Apr 16, 2025

Human Aligned Compression for Robust Models

ETH Zurich
arXiv:2504.12255v1 | 1 citation | h-index: 24
Originality: Incremental advance
AI Analysis

This work addresses the problem of adversarial robustness for image classification systems, offering a practical and computationally efficient defense, though it appears incremental as it builds on existing compression techniques.

The paper tackles adversarial attacks on image models by using human-aligned learned lossy compression as a defense, showing that learned methods outperform JPEG, especially for Vision Transformers, and sequential compression enhances defense efficacy while maintaining classification performance.

Adversarial attacks on image models threaten system robustness by introducing imperceptible perturbations that cause incorrect predictions. We investigate human-aligned learned lossy compression as a defense mechanism, comparing two learned models (HiFiC and ELIC) against traditional JPEG across various quality levels. Our experiments on ImageNet subsets demonstrate that learned compression methods outperform JPEG, particularly for Vision Transformer architectures, by preserving semantically meaningful content while removing adversarial noise. Even in white-box settings where attackers can access the defense, these methods maintain substantial effectiveness. We also show that sequential compression--applying rounds of compression/decompression--significantly enhances defense efficacy while maintaining classification performance. Our findings reveal that human-aligned compression provides an effective, computationally efficient defense that protects the image features most relevant to human and machine understanding. It offers a practical approach to improving model robustness against adversarial threats.

Code Implementations: 1 repo