Preprocessors Matter! Realistic Decision-Based Attacks on Machine Learning Systems

We denote an unperturbed input image in the original space as $x_{o}\in\mathcal{X}_{o}\coloneqq[0,1]^{s_{o}\times s_{o}}$ and a processed image in the model space as $x_{m}\in\mathcal{X}_{m}\subseteq[0,1]^{s_{m}\times s_{m}}$. The original size $s_{o}$ can be the same or different from the target size $s_{m}$. A preprocessor $t:\mathcal{X}_{o}\to\mathcal{X}_{m}$ maps $x_{o}$ to $x_{m}\coloneqq t(x_{o})$. For instance, a resizing preprocessor that maps an image of size $256\times 256$ pixels to $224\times 224$ pixels means that $s_{o}=256$, $s_{m}=224$, and $\mathcal{X}_{m}=[0,1]^{224\times 224}$. As another example, an 8-bit quantization restricts $\mathcal{X}_{m}$ to a discrete space of $\{0,1/255,2/255,\dots,1\}^{s_{m}\times s_{m}}$ and $s_{o}=s_{m}$. The classifier, excluding the preprocessor, is represented by $f:\mathcal{X}_{m}\to\mathcal{Y}$ where $\mathcal{Y}$ is the hard label space. Finally, the entire classification pipeline is denoted by $f\circ t:\mathcal{X}_{o}\to\mathcal{Y}$.

The key distinguishing factor between previous works and ours is that we consider a preprocessing pipeline as part of the victim system. In other words, the adversary cannot simply run an attack algorithm on the model input space. We thus follow in the direction of Pierazzi et al. (2020) and Gao et al. (2022) who develop attacks that work end-to-end, as opposed to just attacking a standalone model. To do this, we develop strategies to “bypass” the preprocessors (Section 4) and to reverse-engineer which preprocessors are being used (Section 6). Our threat model is:

• •

  The adversary has black-box, query-based access to the victim model and can query the model on any input and observe the output label $y\in\mathcal{Y}$. The adversary has a limited query budget per input. The adversary knows nothing else about the system.

• •

  The adversary wants to misclassify as many perturbed inputs as possible (either targeted and untargeted), while minimizing the perturbation size—measured by Euclidean distance in the original input space $\mathcal{X}_{o}$.

• •

  The victim system accepts inputs of any dimension, and the desired model input size is obtained by cropping and/or resizing as part of an image preprocessing pipeline.

Our Bypassing Attack in Algorithm 1 avoids these invariances by circumventing the preprocessor entirely. Figure 1 illustrates our attack with a resizing preprocesssor (e.g., $1024\to 224$). To allow the Bypassing Attack to query the model directly, we first map the input image ($x_{o}\in\mathcal{X}_{o}$) to the preprocessed space ($t(x_{o})\in\mathcal{X}_{m}$). Then, in the Attack Phase, we execute an off-the-shelf decision-based attack directly on this preprocessed image ($x_{m}^{\mathrm{adv}}\in\mathcal{X}_{m}$).

Finally, after completing the attack, we recover the adversarial image in the original space ($x_{o}^{\mathrm{adv}}\in\mathcal{X}_{o}$) from $x_{m}^{\mathrm{adv}}$. We call this step the Recovery Phase. It finds an adversarial example with minimal perturbation in the original space, by solving the following optimization problem:

We now turn our attention to more general preprocessors that cannot be bypassed without modifying the search space—for example quantization, discretizes a continuous space. Quantization is one of the most common preprocessors an adversary has to overcome since all common image formats (e.g., PNG or JPEG) discretize the pixel values to 8 bits. However, prior black-box attacks ignore this fact and operate in the continuous domain.

We thus propose the Biased-Gradient Attack in Algorithm 2. Unlike the Bypassing Attack, this attack operates in the original space. Instead of applying a black-box attack as is, the Biased-Gradient Attack modifies the base attack in order to bias queries toward directions that the preprocessor is more sensitive to. The intuition is that while it is hard to completely avoid the invariance of the preprocessor, we can encourage the attack to explore directions that result in large changes in the output space of the preprocessing function.

Our Biased-Gradient Attack also consists of an attack and recovery phase. The attack phase makes two modifications to an underlying gradient approximation attack (e.g., HSJA, QEBA) which we explain below. The recovery phase simply solves Equation 1 with a gradient-based method, by relaxing the constraint using a Lagrange multiplier (since closed-formed solutions do not exist in general). For this, we defer the details to Appendix C. Figure 2 illustrates the Biased-Gradient Attack for a quantization preprocessor.

Model. Similarly to previous works (Brendel et al., 2018a), we evaluate our attacks on a ResNet-18 (He et al., 2016) trained on the ImageNet dataset (Deng et al., 2009). The model is publicly available in the popular timm package (Wightman, 2019).

Off-the-shelf attacks. We consider four different attacks, Boundary Attack (Brendel et al., 2018a), Sign-OPT (Cheng et al., 2020a), HopSkipJump Attack (HJSA) (Chen et al., 2020), and QEBA (Li et al., 2020). The first three attacks have both targeted and untargeted versions while QEBA is only used as a targeted attack. We also compare our attacks to the baseline preprocessor-aware attack, SNS (Gao et al., 2022). As this attack only considers resizing, we adapt it to the other preprocessors we consider.

Attack hyperpameters. As we discuss in Section 7.2 and Section E.2, a change in preprocessor has a large impact on the optimal choice of hyperparameters for each attack. We thus sweep hyperparameters for all attacks and report results for the best choice.

Metrics. We report the average perturbation size ($\ell_{2}$-norm) of adversarial examples found by each attack—referred to as the “adversarial distance” in short. Smaller adversarial distance means a stronger attack.

Appendix A contains full detail of all our experiments.

Cropping. We consider a common operation that center crops an image of size $256\times 256$ pixels down to $224\times 224$ pixels, i.e., $s_{o}=256,s_{m}=224$. In Table 1, our Bypassing approach improves all of the baseline preprocessor-unaware attacks. The adversarial distance found by the baseline is about 8–16% higher than that of the Bypassing Attack counterpart across all settings. This difference is very close to the portion of the border pixels that are cropped out ($\sqrt{256^{2}/224^{2}}-1\approx 0.14$), suggesting that the cropping-unaware attacks do waste perturbation on these invariant pixels. Our Bypassing Attack also recovers about the same mean adversarial distance as the case where there is no preprocessor (first row of Table 1).

Resizing. We study the three most common interpolation or resampling techniques, i.e., nearest, bilinear, and bicubic. For an input size of $1024\times 1024$ (see Table 1), a reasonable image size captured by digital or phone cameras, our attack reduces the mean adversarial distance by up to $\bm{4.6\times}$ compared to the preprocessor-oblivious counterpart. For all image sizes we experiment with, including 256 and 512 pixels in Table 7, Bypassing Attack is always preferable to the resizing-oblivious attack both with and without hyperparameter tuning.

The improvement from the Bypassing Attack is proportional to the original input dimension. The benefit diminishes with a smaller original size because the base attack of the Bypassing Attack operates in the model space. Hence, it minimizes the adversarial distance in that space, i.e., the distance between $x_{m}^{\mathrm{adv}}$ and $x_{m}=t(x_{o})$. This distance is likely correlated but not necessarily the same as the true objective distance measured in the original space, i.e., the distance between $x_{o}^{\mathrm{adv}}$ and $x_{o}$. In these cases, it may be preferable to use the Biased-Gradient Attack instead. The results are shown in Table 2 and Section 5.3.

We evaluate the Biased-Gradient Attack on a broad range of preprocessors; in addition to resize and crop, we include 8/6/4-bit quantization as well as JPEG compression with quality values of 60, 80, and 100. Moreover, we experiment with neural-network-based compression methods from Ballé et al. (2018) and Cheng et al. (2020b) as well as SwinIR, a transformer-based denoiser (Liang et al., 2021). We select these methods as representatives of the recent image restoration/compression models which improve upon the traditional computer vision techniques (Zhang et al., 2021; Zamir et al., 2022). Importantly, these methods violate our idempotent assumption so they serve an extra purpose of evaluating our attack when the assumption does not hold.

Here, we consider untargeted/targeted HSJA and targeted QEBA as they are consistently the strongest, and the other two do not involve gradient approximation. From Table 2, Biased-Gradient Attack outperforms the preprocessor-unaware counterpart as well as SNS in almost all settings. A few highlights are: Biased-Gradient Attack reduces the mean adversarial distance to only $\bm{\frac{1}{3}}$ and $\bm{\frac{1}{6}}$ of the distance found by the attack without it for 4-bit quantization and JPEG with a quality of 60, respectively. The Biased-Gradient Attack also outperforms the baselines on neural compression under varying models and compression levels as well as on the SwinIR denoiser (Table 3). We observe a recurring trend where the benefit of Biased-Gradient Attack increases with stronger preprocessors, e.g., fewer quantization bits or lower compression quality.

The first step of our attack generates an “unstable pair”. This is a pair of samples $u_{0},u_{1}$ with two properties: (i) $f(t(u_{0}))\neq f(t(u_{1}))$, and (ii) with high probability $p$, $f(t(z(u_{0})))=f(t(z(u_{1})))$ for some random perturbation $z:\mathcal{X}_{o}\to\mathcal{X}_{o}$. Figure 3 depicts an unstable pair: the points $x_{0}\coloneqq t(u_{0})$ and $x_{1}\coloneqq t(u_{1})$ have opposite labels, but a small random perturbation $z$ is likely to push both points to the same side of the boundary. As the perturbation made by $z$ (i.e., $z(u)-u$) grows, $p$ should also increase.

Given two images $x_{0}$, $x_{1}$ such that $f(t(x_{0}))\neq f(t(x_{1}))$, we construct an unstable pair $(u_{0},u_{1})$ by performing two binary searches. The first finds a new pair of images $(x^{\prime}_{0},x^{\prime}_{1})$ with $\left\lVert x^{\prime}_{0}-x^{\prime}_{1}\right\rVert_{0}=1$. Starting from $(x^{\prime}_{0},x^{\prime}_{1})$, the second binary search finds the unstable pair $(u_{0},u_{1})$ where $\left\lVert u_{0}-u_{1}\right\rVert_{\infty}=1$. This gives us a pair of images that differ by one pixel, and by $1/255$ at that pixel, while also being predicted as different classes. This process uses only about 40 queries, depending on the input size. In the interest of space, we provide the detail in Section D.1. The rest of the attack uses only the unstable pair; $x_{i}$ are no longer used.

Suppose we hypothesize that the preprocessor applied to an image is some function $\tilde{t}$ (this is our “guess” piece of our guess-and-check attack). Then, given this unstable example pair $(u_{0},u_{1})$, we can now implement the “check” piece. For clarity, we denote the actually deployed preprocessor by $t^{*}$.

We begin by constructing a pre-image $u_{0}^{\prime}\neq u_{0}$ so that $\tilde{t}(u_{0})=\tilde{t}(u_{0}^{\prime})$ and analogously for $u_{1}$ and $u_{1}^{\prime}$. Now if our guess is indeed correct, then it is guaranteed that $\forall i\in\{0,1\}~{}F(u^{\prime}_{i})=F(u_{i})$ since $\tilde{t}(u_{0}^{\prime})=\tilde{t}(u_{0})=t^{*}(u_{0})$. On the other hand, if our guess is wrong, then we have $\exists i\in\{0,1\}~{}F(u_{i}^{\prime})\neq F(u_{i})$ with at least some probability $p$.

Let the null hypothesis be $\tilde{t}\neq t^{*}$. When we observe that the predictions of the pre-images do not change, we reject the null hypothesis if $1-p\leq\alpha$ for some threshold $\alpha$ (we choose 0.01). To increase $p$, we can do two things: (i) simply repeat multiple trials by randomly generating and testing more pre-images and only reject the null hypothesis when none of the predictions change, or (ii) increase the size of the perturbation $u_{i}^{\prime}-u_{i}$. This increases $p$ by definition of the unstable pair.

We use this attack to extract preprocessors for a wide range of models publicly hosted on HuggingFace Hub through their API (https://huggingface.co/docs/api-inference). We choose HuggingFace as the preprocessing metadata is available on most models for us to verify our extracted results. For each experiment, we randomly sample 10 models trained to predict ImageNet-1k classes. Table 4 summarizes the results.

Because our procedure is inherently guess-and-check, we first define the space of all possible preprocessors. The exact space here depends on the possible knowledge an adversary might have. In the worst case, an adversary has to enumerate over all possible image sizes ranging from the smallest size used for any image classifier (200px) to the largest size used for any image classifier (800px). This incurs a cost of 632 queries on average to extract one resizing operator (i.e., both output size and interpolation method). However, some preprocessors might be more typical than others. We call a preprocessor pipeline “typical” if it is used by at least two different models. For example, ResNet classifiers almost always first resize images to 256 $\times$ 256, and then center-crop the resulting image down to 224 $\times$ 224. Our set of typical sizes includes 224, 248, 256, 288, 299, 384, and 512 pixels, with bilinear and bicubic interpolations. With this prior knowledge, the adversary reduces the query cost by over 10 times, down to only $\sim$50 queries

Resize extraction is particularly efficient ($\sim$50 queries) as we can use a binary search to find the crop size, instead of an exhaustive search. Any wrong guessed crop size larger than the actual size will not change the prediction of the pre-images. This allows us to run a binary search where the guessed crop size shrinks when the predictions do not change and grows otherwise.

Figure 4 plots the mean adversarial distance as a function of the number of queries for QEBA. Notice that the adversarial distance plateaus after around 10,000 queries, and the distance found by preprocessor-unaware attacks never reaches that of our preprocessor-aware attacks. This suggests that our attacks do not only improve the efficiency of the algorithms but also allow them to find closer adversarial examples that would have been completely missed otherwise. See Section E.3 for more details.

Hyperparameter choice is important to the effectiveness of the attacks. In many cases, using the right hyperparameters benefits more than using stronger attack algorithms. Choosing the right hyperparameter usually improves the distance found by $\sim$1.5$\times$ and up to 15$\times$ in one case, depending on the attack algorithm. The knowledge of the preprocessor deployed helps in quickly narrowing down the range of good hyperparameters. In practice, an adversary would benefit from spending some queries to learn the preprocessors as well as to tune the hyperparameters if one plans to generate many adversarial examples. For detailed numerical results and discussion, see Section E.2.

We have used the public pre-trained ResNet-18 model as the target model in our experiments, but the conclusion also holds for other models. We pick two models, EfficientNetV2-Tiny (Tan & Le, 2021) and DEIT3-Small (Touvron et al., 2022), with different architectures from ResNet-18, and run the attacks with the resizing (nearest, 1024 $\to$ 288) and JPEG (quality 60) preprocessors, respectively. The mean adversarial distance for EfficientNetV2-Tiny/DEIT3-Small are 134.2/95.9, 117.7/76.6, 32.3/48.1 with unaware, SNS, and our Biased-Gradient attacks (+ targeted QEBA), respectively. This corresponds to about 4$\times$ and 2$\times$ improvement over the unaware attack on the two models.

Preprocessor-aware attacks. In practice, multiple preprocessors are used sequentially. In the case that all the preprocessors can be bypassed, e.g., resizing and cropping, we can bypass the entire pipeline by querying with an appropriate size and padding. The recovery phase can then be done in the reverse order that the preprocessors are applied. When at least one preprocessor is not bypassable, we can treat the entire pipeline as one preprocessor and apply the Biased-Gradient Attack. Table 5 shows attack results for three common combinations of preprocessors.

Extracting multiple preprocessors. With the above attack, it becomes trivial to extract multiple preprocessors by extracting each in turn. Suppose there are two preprocessors $t_{1}$ and $t_{2}$, we can first extract $t_{1}$ by subsuming $t_{2}$ as part of $f$, i.e., $f^{\prime}\circ t_{1}\coloneqq f\circ t_{2}\circ t_{1}$, and then we move on to guess $t_{2}$ using the now revealed $t_{1}$ to construct the pre-images. In practice, it is actually even easier: the most common two transformations, resizing and cropping, are almost commutative (i.e., $\texttt{Crop}(\texttt{Resize}(x))\approx\texttt{Resize}(\texttt{Crop}(x))$ albeit with different crop and resize parameters). This means that one could either extract cropping or resizing first and still end up with an equivalent overall preprocessor pipeline.

The authors would like to thank David Wagner for helping with the presentation of the paper, Matthew Jagielski for wonderful discussion on the problem, and Alex Kurakin for comments on early draft of this paper.

A majority of this research was conducted when Chawin was at Google as a student researcher. For the remaining time at UC Berkeley, Chawin was supported by the Hewlett Foundation through the Center for Long-Term Cybersecurity (CLTC), by the Berkeley Deep Drive project, and by generous gifts from Open Philanthropy.