Compression as an Adversarial Amplifier Through Decision Space Reduction
This addresses a security vulnerability in image classification systems that use compression, such as social media platforms, by highlighting an incremental but previously unexplored adversarial setting.
The paper tackles the problem of how image compression affects adversarial robustness by studying attacks applied directly in compressed representations, showing that compression can act as an adversarial amplifier, making attacks more effective under identical perturbation budgets, with experiments across benchmarks and architectures revealing a critical vulnerability.
Image compression is a ubiquitous component of modern visual pipelines, routinely applied by social media platforms and resource-constrained systems prior to inference. Despite its prevalence, the impact of compression on adversarial robustness remains poorly understood. We study a previously unexplored adversarial setting in which attacks are applied directly in compressed representations, and show that compression can act as an adversarial amplifier for deep image classifiers. Under identical nominal perturbation budgets, compression-aware attacks are substantially more effective than their pixel-space counterparts. We attribute this effect to decision space reduction, whereby compression induces a non-invertible, information-losing transformation that contracts classification margins and increases sensitivity to perturbations. Extensive experiments across standard benchmarks and architectures support our analysis and reveal a critical vulnerability in compression-in-the-loop deployment settings. Code will be released.