CV, LG, IV | Aug 7, 2025

Keep It Real: Challenges in Attacking Compression-Based Adversarial Purification

ETH Zurich
arXiv:2508.05489v31 citations | h-index: 24
Originality: Incremental advance
AI Analysis

This work identifies a critical challenge for adversarial attacks in security evaluation, highlighting the importance of realism in compression models for robustness, but it is incremental as it builds on prior defense suggestions.

The paper evaluates attacks on compression-based adversarial purification methods and finds that compression models producing realistic, high-fidelity reconstructions are substantially more resistant to attacks, whereas low-realism models can be broken.

Previous work has suggested that preprocessing images through lossy compression can defend against adversarial perturbations, but comprehensive attack evaluations have been lacking. In this paper, we construct strong white-box and adaptive attacks against various compression models and identify a critical challenge for attackers: high realism in reconstructed images significantly increases attack difficulty. Through rigorous evaluation across multiple attack scenarios, we demonstrate that compression models capable of producing realistic, high-fidelity reconstructions are substantially more resistant to our attacks. In contrast, low-realism compression models can be broken. Our analysis reveals that this is not due to gradient masking. Rather, realistic reconstructions maintaining distributional alignment with natural images seem to offer inherent robustness. This work highlights a significant obstacle for future adversarial attacks and suggests that developing more effective techniques to overcome realism represents an essential challenge for comprehensive security evaluation.
