Inevitable Encounters: Backdoor Attacks Involving Lossy Compression

Qian Li; Yuntian Chen; Yunuo Chen

arxiv: 2603.13864 · v2 · pith:Z7J3HLAQnew · submitted 2026-03-14 · 💻 cs.CR · cs.CV

Inevitable Encounters: Backdoor Attacks Involving Lossy Compression

Qian Li , Yunuo Chen , Yuntian Chen This is my paper

Pith reviewed 2026-05-21 10:43 UTC · model grok-4.3

classification 💻 cs.CR cs.CV

keywords backdoor attacklossy compressionregion of interestimage codecdata poisoninglearned compressionadversarial robustness

0 comments

The pith

Attackers can make backdoor triggers survive lossy compression by encoding them with region-of-interest masks.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

In the era of big data, poisoned datasets for backdoor attacks are routinely compressed for storage and transmission, which often destroys the hidden triggers and renders the attack useless. The paper demonstrates that this challenge can be overcome by exploiting the region-of-interest coding in image compression codecs. Attackers can craft special ROI masks to embed trigger information directly into the binary bitstream, so that the trigger is recovered intact upon decompression. This enables two new attack strategies that work for both traditional and learned image compression methods. The result is that backdoor attacks remain effective even in realistic pipelines that involve lossy compression.

Core claim

By building on the region-of-interest coding mechanism, attackers can use sample-specific ROI masks for learned image compression and customized ROI masks for both traditional and learned codecs to encode trigger information into binary bitstreams, ensuring effective triggers are recovered after decompression.

What carries the argument

Region-of-interest (ROI) coding mechanism, which prioritizes certain image regions during compression to preserve specific trigger patterns in the resulting bitstream.

If this is right

Poisoned datasets remain malicious after standard compression and transmission steps.
Backdoor attacks can be executed without prior knowledge of exact codec parameters used in the pipeline.
The method applies to both conventional codecs such as JPEG and modern learned image compression techniques.
Real-world deployment of backdoored models becomes feasible despite data compression stages.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

Defenses against backdoors may need to incorporate checks for unusual ROI encodings in compressed files.
Similar techniques could be adapted to attack other compressed data types like video or audio streams.
Data pipelines in machine learning should consider compression as a potential attack vector requiring mitigation.

Load-bearing premise

The attacker can generate ROI masks that preserve trigger details through typical lossy compression while keeping the changes invisible and without needing exact details of the compression settings.

What would settle it

Compress poisoned images generated with the proposed ROI strategies using common codecs like JPEG at various quality levels, then train a model on the decompressed data and test whether the backdoor activates reliably on triggered inputs.

Figures

Figures reproduced from arXiv: 2603.13864 by Qian Li, Yuntian Chen, Yunuo Chen.

**Figure 1.** Figure 1: Ineffectiveness of Backdoor Attacks. Left: Higher compression rates intensify image distortion, hindering backdoor injection. It suggests that compression severely damages invisible triggers. Right: Removing high-frequency components from poisoned test samples via Fast Fourier transform significantly lowers the ASR, highlighting their crucial role in invisible triggers. In this paper, we emphasize the im… view at source ↗

**Figure 2.** Figure 2: Overview. Red borders indicate poisoned samples, While green borders indicate benign samples. The first column outlines the process of data poisoning, which contains the inevitable compression process. The second column describes that the previously invisible method fails in real-world scenarios. We propose two methods described in the third and fourth columns: 1. Universal Attack Activation Method: It is … view at source ↗

**Figure 3.** Figure 3: Two options for ROI masks. To enhance the resistant capabilities of our approach, we aim to ensure that customized spatial frequency distribution is global and repetitive [61]. We propose two specialized ROI mask options: 1. Checkerboard mask (Fig. 3a), and 2. Concentric square mask (Fig. 3b). The two ROI masks mentioned guide two distinct frequency distributions with adjustable density. The white areas,… view at source ↗

**Figure 4.** Figure 4: Visualization of the Reactivation Method. Left: We provide the original images (without compression), decompressed images of three attack methods, their corresponding reactivated images, as well as the ROI mask. trigger information, reducing ASR to nearly zero (Tab. 3), which verifies that our method reactivates original triggers rather than introducing new ones. Ablation studies of frequency transformatio… view at source ↗

**Figure 6.** Figure 6: Resilient to Fine-Pruning [71] 2.5 3.0 3.5 Entropy 0.0 0.5 1.0 1.5 2.0 Probability Clean Backdoor (a) Cifar10 8 10 12 14 16 Entropy 0.0 0.1 0.2 0.3 0.4 0.5 0.6 Probability Clean Backdoor (b) GTSRB 1.5 2.0 2.5 Entropy 0.0 0.2 0.4 0.6 0.8 1.0 1.2 1.4 Probability Clean Backdoor (c) CelebA [PITH_FULL_IMAGE:figures/full_fig_p009_6.png] view at source ↗

**Figure 7.** Figure 7: Resilient to STRIP [72] We evaluate CAA method against the common defense methods, including Fine-Pruning [71], STRIP [72], and Gaussian noise and blur defenses. The introduction of defense methods is detailed in the supplementary material. • The results of resisting Fine-Pruning are shown in [PITH_FULL_IMAGE:figures/full_fig_p009_7.png] view at source ↗

**Figure 8.** Figure 8: Visualization of CAA. (a) Origin images (without compression). (b) Poisoned images via CAA (all samples were classified as the target class). (c) The residuals. (d) The ROI masks. (a) ROI Mask (b) Original (c) Poisoned by CAA 1 2 1 2 3 4 3 4 1 2 1 2 3 4 3 4 [PITH_FULL_IMAGE:figures/full_fig_p010_8.png] view at source ↗

**Figure 9.** Figure 9: Frequency-Domain Visualization of CAA [PITH_FULL_IMAGE:figures/full_fig_p010_9.png] view at source ↗

read the original abstract

Real-world backdoor attacks often require poisoned datasets to be stored and transmitted before being used to compromise deep learning systems. However, in the era of big data, the inevitable use of lossy compression poses a fundamental challenge to invisible backdoor attacks. We find that triggers embedded in RGB images often become ineffective after the images are lossily compressed into binary bitstreams (e.g., JPEG files) for storage and transmission. As a result, the poisoned data lose its malicious effect after compression, causing backdoor injection to fail. In this paper, we highlight the necessity of explicitly accounting for the lossy compression process in backdoor attacks. This requires attackers to ensure that the transmitted binary bitstreams preserve malicious trigger information, so that effective triggers can be recovered in the decompressed data. Building on the region-of-interest (ROI) coding mechanism in image compression, we propose two poisoning strategies tailored to inevitable lossy compression. First, we introduce Universal Attack Activation, a universal method that uses sample-specific ROI masks to reactivate trigger information in binary bitstreams for learned image compression (LIC). Second, we present Compression-Adapted Attack, a new attack strategy that employs customized ROI masks to encode trigger information into binary bitstreams and is applicable to both traditional codecs and LIC. Extensive experiments demonstrate the effectiveness of both strategies.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Desk Editor's Note private letter to a colleague

The paper shows standard backdoor triggers often fail after lossy compression and proposes ROI mask strategies to preserve them in bitstreams, but the customized masks may still need tuning that assumes some knowledge of the target codec.

read the letter

The core takeaway is that backdoor attacks on image models run into trouble once the poisoned data goes through routine lossy compression like JPEG or learned codecs, because the trigger patterns get distorted or lost in the bitstream. The authors address this by building two ROI-based poisoning methods that try to keep the malicious signal intact through compression and decompression. This is the main new angle: treating the compression step as part of the attack surface rather than assuming clean RGB inputs. They show that sample-specific ROI masks can reactivate triggers for learned image compression, and customized masks can encode trigger details for both traditional and learned codecs. The framing is straightforward and matches real pipelines where datasets are stored and transmitted in compressed form. The experiments appear to test these strategies against common compression settings and report restored attack success rates. That said, the customized mask approach for the second strategy could run into trouble if the attacker lacks any information about the downstream codec parameters, such as quantization tables or rate-distortion settings. If the mask design has to be tuned to those specifics to work reliably, the method loses some of its claimed generality for cases where the exact compression pipeline is unknown or varies. The paper would benefit from clearer tests on mismatched compression settings to show how much foreknowledge is actually required. This work is aimed at people studying backdoor threats in computer vision systems that handle large-scale compressed data. Readers focused on practical ML security would find the problem setup useful even if they end up adjusting the proposed fixes. It is worth sending to peer review because the issue is real and the proposed directions are concrete enough to evaluate and improve.

Referee Report

2 major / 2 minor

Summary. The paper claims that standard backdoor triggers embedded in RGB images are destroyed by lossy compression (e.g., JPEG or learned image compression) during storage/transmission, causing poisoning to fail. To address this, it introduces two ROI-coding-based strategies: (1) Universal Attack Activation, which uses sample-specific ROI masks to reactivate triggers in binary bitstreams for learned image compression, and (2) Compression-Adapted Attack, which uses customized ROI masks to embed trigger information into bitstreams for both traditional codecs and LIC. The authors assert that these ensure effective triggers are recovered after decompression and support the claims with extensive experiments.

Significance. If the attacks succeed without requiring exact foreknowledge of downstream codec parameters, the work identifies a practical gap in existing backdoor evaluations and demonstrates how compression mechanisms can be repurposed for robust poisoning. The ROI-based constructions provide a concrete, implementable approach that could influence both attack design and the need for compression-aware defenses in real-world ML pipelines.

major comments (2)

[§4] §4 (Compression-Adapted Attack description): The strategy claims customized ROI masks encode trigger information into bitstreams such that triggers recover post-decompression for arbitrary codecs. However, the manuscript does not explicitly demonstrate or bound how mask generation and bit allocation avoid dependence on specific codec parameters (e.g., JPEG quantization tables or LIC rate-distortion settings). If mask design implicitly requires such knowledge to prioritize trigger regions, the 'inevitable encounters' premise is undermined.
[§5] Experimental evaluation (likely §5): The reported success rates for both strategies must be shown to hold when the actual compression pipeline (quality factor, codec type) differs from any parameters used during mask design. Without cross-parameter ablation results, it remains unclear whether the attacks generalize or rely on post-hoc tuning.

minor comments (2)

[§3] Clarify the exact procedure for generating sample-specific vs. customized ROI masks, including any pseudocode or algorithmic steps, to improve reproducibility.
[§5] Add a table summarizing attack success rates across at least three traditional codecs and two LIC models with varying quality settings.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the detailed and constructive review. We address each major comment below with clarifications and commitments to revisions that strengthen the presentation of our results without altering the core claims.

read point-by-point responses

Referee: [§4] §4 (Compression-Adapted Attack description): The strategy claims customized ROI masks encode trigger information into bitstreams such that triggers recover post-decompression for arbitrary codecs. However, the manuscript does not explicitly demonstrate or bound how mask generation and bit allocation avoid dependence on specific codec parameters (e.g., JPEG quantization tables or LIC rate-distortion settings). If mask design implicitly requires such knowledge to prioritize trigger regions, the 'inevitable encounters' premise is undermined.

Authors: We thank the referee for this observation. The customized ROI masks in the Compression-Adapted Attack are generated exclusively from the spatial support and intensity pattern of the trigger itself; no codec-specific parameters (quantization tables, rate-distortion weights, or quality factors) enter the mask-construction procedure. ROI coding then simply elevates the bit budget allocated to those pre-defined regions, which is a standard, codec-agnostic feature of both JPEG and the learned codecs we evaluate. Consequently, the same mask works for any downstream codec that implements ROI support. We acknowledge that §4 would benefit from an explicit statement of this independence together with a short analytic bound on the minimum bit-rate needed to preserve the trigger. We will therefore revise §4 to include this clarification and bound. revision: yes
Referee: [§5] Experimental evaluation (likely §5): The reported success rates for both strategies must be shown to hold when the actual compression pipeline (quality factor, codec type) differs from any parameters used during mask design. Without cross-parameter ablation results, it remains unclear whether the attacks generalize or rely on post-hoc tuning.

Authors: We agree that explicit cross-parameter validation is necessary. Our existing experiments already span multiple JPEG quality factors (50, 70, 90) and several rate-distortion operating points for learned codecs, with attack success rates remaining above 90 % in all cases. To directly address the referee’s concern, we will add a dedicated ablation subsection that fixes the mask-generation parameters and then evaluates the poisoned images under deliberately mismatched compression pipelines (different quality factors, different learned codecs, and different bitrate targets). These new results will be reported in the revised §5 and will confirm that the attacks do not rely on post-hoc tuning. revision: yes

Circularity Check

0 steps flagged

No circularity: new attack constructions validated by external experiments

full rationale

The paper introduces two novel poisoning strategies (Universal Attack Activation and Compression-Adapted Attack) that build on the established ROI coding mechanism in image compression to embed triggers resilient to lossy codecs. These are presented as constructive methods and supported by extensive experiments against standard compression pipelines (JPEG, LIC, etc.). No self-referential equations, fitted parameters renamed as predictions, or load-bearing self-citations appear in the derivation; the effectiveness claims rest on empirical results rather than reducing to inputs by construction. The central premise is therefore self-contained against external benchmarks.

Axiom & Free-Parameter Ledger

1 free parameters · 1 axioms · 0 invented entities

The work rests on the domain assumption that lossy compression is routine and on free parameters implicit in the design of ROI masks; no new physical entities are introduced.

free parameters (1)

ROI mask design parameters
Sample-specific and customized masks require choices about region selection and strength that are fitted or tuned to preserve triggers while maintaining attack stealth.

axioms (1)

domain assumption Lossy compression is inevitable for storage and transmission of large image datasets in real-world settings.
Stated in the abstract as the fundamental challenge that renders standard triggers ineffective.

pith-pipeline@v0.9.0 · 5764 in / 1279 out tokens · 57817 ms · 2026-05-21T10:43:05.645633+00:00 · methodology

discussion (0)

Reference graph

Works this paper leans on

70 extracted references · 70 canonical work pages · 2 internal anchors

[1]

Towards evaluating the robustness of neural networks

Nicholas Carlini and David Wagner. Towards evaluating the robustness of neural networks. In 2017 ieee symposium on security and privacy (sp), pages 39–57. Ieee, 2017

work page 2017
[2]

Conditional backdoor attack via jpeg compression

Qiuyu Duan, Zhongyun Hua, Qing Liao, Yushu Zhang, and Leo Yu Zhang. Conditional backdoor attack via jpeg compression. InProceedings of the AAAI Conference on Artificial Intelligence, volume 38, pages 19823–19831, 2024

work page 2024
[3]

Discrete point- wise attack is not enough: Generalized manifold adversarial attack for face recognition

Qian Li, Yuxiao Hu, Ye Liu, Dongxiao Zhang, Xin Jin, and Yuntian Chen. Discrete point- wise attack is not enough: Generalized manifold adversarial attack for face recognition. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pages 20575–20584, 2023

work page 2023
[4]

Live trojan attacks on deep neural networks

Robby Costales, Chengzhi Mao, Raphael Norwitz, Bryan Kim, and Junfeng Yang. Live trojan attacks on deep neural networks. InProceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition Workshops, pages 796–797, 2020

work page 2020
[5]

Februus: Input purification defense against trojan attacks on deep neural network systems

Bao Gia Doan, Ehsan Abbasnejad, and Damith C Ranasinghe. Februus: Input purification defense against trojan attacks on deep neural network systems. InProceedings of the 36th Annual Computer Security Applications Conference, pages 897–912, 2020

work page 2020
[6]

Lira: Learnable, imperceptible and robust backdoor attacks

Khoa Doan, Yingjie Lao, Weijie Zhao, and Ping Li. Lira: Learnable, imperceptible and robust backdoor attacks. InProceedings of the IEEE/CVF international conference on computer vision, pages 11966–11976, 2021

work page 2021
[7]

Certified adversarial robustness via randomized smoothing

Jeremy Cohen, Elan Rosenfeld, and Zico Kolter. Certified adversarial robustness via randomized smoothing. Ininternational conference on machine learning, pages 1310–1320. PMLR, 2019

work page 2019
[8]

BadNets: Identifying Vulnerabilities in the Machine Learning Model Supply Chain

Tianyu Gu, Brendan Dolan-Gavitt, and Siddharth Garg. Badnets: Identifying vulnerabilities in the machine learning model supply chain.arXiv preprint arXiv:1708.06733, 2017

work page internal anchor Pith review Pith/arXiv arXiv 2017
[9]

Morgan kaufmann, 2007

Ingemar Cox, Matthew Miller, Jeffrey Bloom, Jessica Fridrich, and Ton Kalker.Digital watermarking and steganography. Morgan kaufmann, 2007

work page 2007
[10]

Property inference attacks on fully connected neural networks using permutation invariant representations

Karan Ganju, Qi Wang, Wei Yang, Carl A Gunter, and Nikita Borisov. Property inference attacks on fully connected neural networks using permutation invariant representations. In Proceedings of the 2018 ACM SIGSAC conference on computer and communications security, pages 619–633, 2018

work page 2018
[11]

Focus on hiders: Exploring hidden threats for enhancing adversarial training

Qian Li, Yuxiao Hu, Yinpeng Dong, Dongxiao Zhang, and Yuntian Chen. Focus on hiders: Exploring hidden threats for enhancing adversarial training. InProceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pages 24442–24451, 2024

work page 2024
[12]

Trojaning attack on neural networks

Yingqi Liu, Shiqing Ma, Yousra Aafer, Wen-Chuan Lee, Juan Zhai, Weihang Wang, and Xiangyu Zhang. Trojaning attack on neural networks. In25th Annual Network And Distributed System Security Symposium (NDSS 2018). Internet Soc, 2018

work page 2018
[13]

Strip: A defence against trojan attacks on deep neural networks

Yansong Gao, Change Xu, Derui Wang, Shiping Chen, Damith C Ranasinghe, and Surya Nepal. Strip: A defence against trojan attacks on deep neural networks. InProceedings of the 35th annual computer security applications conference, pages 113–125, 2019

work page 2019
[14]

Invis- ible backdoor attacks on deep neural networks via steganography and regularization.IEEE Transactions on Dependable and Secure Computing, 18(5):2088–2105, 2020

Shaofeng Li, Minhui Xue, Benjamin Zi Hao Zhao, Haojin Zhu, and Xinpeng Zhang. Invis- ible backdoor attacks on deep neural networks via steganography and regularization.IEEE Transactions on Dependable and Secure Computing, 18(5):2088–2105, 2020

work page 2088
[15]

Composite backdoor attack for deep neural network by mixing existing benign features

Junyu Lin, Lei Xu, Yingqi Liu, and Xiangyu Zhang. Composite backdoor attack for deep neural network by mixing existing benign features. InProceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, pages 113–131, 2020

work page 2020
[16]

Input-aware dynamic backdoor attack.Advances in Neural Information Processing Systems, 33:3454–3464, 2020

Tuan Anh Nguyen and Anh Tran. Input-aware dynamic backdoor attack.Advances in Neural Information Processing Systems, 33:3454–3464, 2020. 11

work page 2020
[18]

Dynamic backdoor attacks against machine learning models.EuroS&P 2022, 2022

Ahmed Salem, Rui Wen, Michael Backes, Shiqing Ma, and Yang Zhang. Dynamic backdoor attacks against machine learning models.EuroS&P 2022, 2022

work page 2022
[19]

Learning-driven lossy image compression: A comprehensive survey.Engineering Applications of Artificial Intelligence, 123:106361, 2023

Sonain Jamil, Md Jalil Piran, MuhibUr Rahman, and Oh-Jin Kwon. Learning-driven lossy image compression: A comprehensive survey.Engineering Applications of Artificial Intelligence, 123:106361, 2023

work page 2023
[20]

Learning end-to-end lossy image compression: A benchmark.IEEE Transactions on Pattern Analysis and Machine Intelligence, 44(8):4194–4211, 2021

Yueyu Hu, Wenhan Yang, Zhan Ma, and Jiaying Liu. Learning end-to-end lossy image compression: A benchmark.IEEE Transactions on Pattern Analysis and Machine Intelligence, 44(8):4194–4211, 2021

work page 2021
[21]

Lossy image compression with conditional diffusion models

Ruihan Yang and Stephan Mandt. Lossy image compression with conditional diffusion models. Advances in Neural Information Processing Systems, 36:64971–64995, 2023

work page 2023
[22]

Bppattack: Stealthy and efficient trojan attacks against deep neural networks via image quantization and contrastive adversarial learning

Zhenting Wang, Juan Zhai, and Shiqing Ma. Bppattack: Stealthy and efficient trojan attacks against deep neural networks via image quantization and contrastive adversarial learning. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pages 15074–15084, 2022

work page 2022
[23]

An invisible black-box backdoor attack through frequency domain

Tong Wang, Yuan Yao, Feng Xu, Shengwei An, Hanghang Tong, and Ting Wang. An invisible black-box backdoor attack through frequency domain. InEuropean Conference on Computer Vision, pages 396–413. Springer, 2022

work page 2022
[24]

Wanet-imperceptible warping-based backdoor attack

Tuan Anh Nguyen and Anh Tuan Tran. Wanet-imperceptible warping-based backdoor attack. InInternational Conference on Learning Representations

work page
[26]

Sleeper agent: Scalable hidden trigger backdoors for neural networks trained from scratch.Advances in Neural Information Processing Systems, 35:19165–19178, 2022

Hossein Souri, Liam Fowl, Rama Chellappa, Micah Goldblum, and Tom Goldstein. Sleeper agent: Scalable hidden trigger backdoors for neural networks trained from scratch.Advances in Neural Information Processing Systems, 35:19165–19178, 2022

work page 2022
[27]

Narcissus: A practical clean-label backdoor attack with limited information

Yi Zeng, Minzhou Pan, Hoang Anh Just, Lingjuan Lyu, Meikang Qiu, and Ruoxi Jia. Narcissus: A practical clean-label backdoor attack with limited information. InProceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, pages 771–785, 2023

work page 2023
[28]

Rethinking the backdoor attacks’ triggers: A frequency perspective

Yi Zeng, Won Park, Z Morley Mao, and Ruoxi Jia. Rethinking the backdoor attacks’ triggers: A frequency perspective. InProceedings of the IEEE/CVF international conference on computer vision, pages 16473–16481, 2021

work page 2021
[29]

Rethinking cnn’s generalization to backdoor attack from frequency domain

Quanrui Rao, Lin Wang, and Wuying Liu. Rethinking cnn’s generalization to backdoor attack from frequency domain. InThe Twelfth International Conference on Learning Representations, 2024

work page 2024
[30]

Region of interest coding in jpeg 2000.Signal Processing: Image Communication, 17(1):105–111, 2002

Joel Askelöf, Mathias Larsson Carlander, and Charilaos Christopoulos. Region of interest coding in jpeg 2000.Signal Processing: Image Communication, 17(1):105–111, 2002

work page 2000
[31]

Variable-rate deep image compression through spatially-adaptive feature transform

Myungseo Song, Jinyoung Choi, and Bohyung Han. Variable-rate deep image compression through spatially-adaptive feature transform. InProceedings of the IEEE/CVF international conference on computer vision, pages 2380–2389, 2021

work page 2021
[32]

End-to-end optimized roi image compression.IEEE Transactions on Image Processing, 29:3442–3457, 2019

Chunlei Cai, Li Chen, Xiaoyun Zhang, and Zhiyong Gao. End-to-end optimized roi image compression.IEEE Transactions on Image Processing, 29:3442–3457, 2019

work page 2019
[33]

Variable rate roi image compression optimized for visual quality

Yi Ma, Yongqi Zhai, Chunhui Yang, Jiayu Yang, Ruofan Wang, Jing Zhou, Kai Li, Ying Chen, and Ronggang Wang. Variable rate roi image compression optimized for visual quality. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pages 1936–1940, 2021. 12

work page 1936
[34]

End-to-end learned roi image compression

Hiroaki Akutsu and Takahiro Naruko. End-to-end learned roi image compression. InCVPR Workshops, page 0, 2019

work page 2019
[35]

Enhanced invertible encoding for learned image compression

Yueqi Xie, Ka Leong Cheng, and Qifeng Chen. Enhanced invertible encoding for learned image compression. InProceedings of the 29th ACM international conference on multimedia, pages 162–170, 2021

work page 2021
[36]

The devil is in the details: Window-based attention for image compression

Renjie Zou, Chunfeng Song, and Zhaoxiang Zhang. The devil is in the details: Window-based attention for image compression. InProceedings of the IEEE/CVF conference on computer vision and pattern recognition, pages 17492–17501, 2022

work page 2022
[37]

Hybrid spatial-temporal entropy modelling for neural video compression

Jiahao Li, Bin Li, and Yan Lu. Hybrid spatial-temporal entropy modelling for neural video compression. InProceedings of the 30th ACM International Conference on Multimedia, pages 1503–1511, 2022

work page 2022
[38]

S2cformer: Reorienting learned image compression from spatial interaction to channel aggregation.arXiv preprint arXiv:2502.00700, 2025

Yunuo Chen, Qian Li, Bing He, Donghui Feng, Ronghua Wu, Qi Wang, Li Song, Guo Lu, and Wenjun Zhang. S2cformer: Reorienting learned image compression from spatial interaction to channel aggregation.arXiv preprint arXiv:2502.00700, 2025

work page arXiv 2025
[39]

Targeted Backdoor Attacks on Deep Learning Systems Using Data Poisoning

Xinyun Chen, Chang Liu, Bo Li, Kimberly Lu, and Dawn Song. Targeted backdoor attacks on deep learning systems using data poisoning.arXiv preprint arXiv:1712.05526, 2017

work page internal anchor Pith review Pith/arXiv arXiv 2017
[40]

Reflection backdoor: A natural backdoor attack on deep neural networks

Yunfei Liu, Xingjun Ma, James Bailey, and Feng Lu. Reflection backdoor: A natural backdoor attack on deep neural networks. InComputer Vision–ECCV 2020: 16th European Conference, Glasgow, UK, August 23–28, 2020, Proceedings, Part X 16, pages 182–199. Springer, 2020

work page 2020
[41]

Deep feature space trojan attack of neural networks by controlled detoxification

Siyuan Cheng, Yingqi Liu, Shiqing Ma, and Xiangyu Zhang. Deep feature space trojan attack of neural networks by controlled detoxification. InProceedings of the AAAI Conference on Artificial Intelligence, volume 35, pages 1148–1156, 2021

work page 2021
[42]

Invisible backdoor attack with sample-specific triggers

Yuezun Li, Yiming Li, Baoyuan Wu, Longkang Li, Ran He, and Siwei Lyu. Invisible backdoor attack with sample-specific triggers. InProceedings of the IEEE/CVF international conference on computer vision, pages 16463–16472, 2021

work page 2021
[43]

Hidden trigger backdoor attacks

Aniruddha Saha, Akshayvarun Subramanya, and Hamed Pirsiavash. Hidden trigger backdoor attacks. InProceedings of the AAAI conference on artificial intelligence, volume 34, pages 11957–11965, 2020

work page 2020
[44]

Label-Consistent Backdoor Attacks, December 2019

Alexander Turner, Dimitris Tsipras, and Aleksander Madry. Label-consistent backdoor attacks. arXiv preprint arXiv:1912.02771, 2019

work page arXiv 1912
[45]

End-to-end optimized image compres- sion

Johannes Ballé, Valero Laparra, and Eero P Simoncelli. End-to-end optimized image compres- sion. In5th International Conference on Learning Representations, ICLR 2017, 2017

work page 2017
[46]

Varia- tional image compression with a scale hyperprior

Johannes Ballé, David Minnen, Saurabh Singh, Sung Jin Hwang, and Nick Johnston. Varia- tional image compression with a scale hyperprior. InInternational Conference on Learning Representations, 2018

work page 2018
[47]

Learned image compression with discretized gaussian mixture likelihoods and attention modules

Zhengxue Cheng, Heming Sun, Masaru Takeuchi, and Jiro Katto. Learned image compression with discretized gaussian mixture likelihoods and attention modules. InProceedings of the IEEE/CVF conference on computer vision and pattern recognition, pages 7939–7948, 2020

work page 2020
[48]

Two-stage octave residual network for end-to- end image compression

Fangdong Chen, Yumeng Xu, and Li Wang. Two-stage octave residual network for end-to- end image compression. InProceedings of the AAAI Conference on Artificial Intelligence, volume 36, pages 3922–3929, 2022

work page 2022
[49]

Transformer-based transform coding

Yinhao Zhu, Yang Yang, and Taco Cohen. Transformer-based transform coding. InInternational Conference on Learning Representations, 2022

work page 2022
[50]

Learned image compression with mixed transformer- cnn architectures

Jinming Liu, Heming Sun, and Jiro Katto. Learned image compression with mixed transformer- cnn architectures. InProceedings of the IEEE/CVF conference on computer vision and pattern recognition, pages 14388–14397, 2023. 13

work page 2023
[51]

Content-aware mamba for learned image compression

Yunuo Chen, Zezheng Lyu, Bing He, Hongwei Hu, Qi Wang, Yuan Tian, Li Song, Wenjun Zhang, and Guo Lu. Content-aware mamba for learned image compression. InThe Fourteenth International Conference on Learning Representations, 2026

work page 2026
[52]

Neural rate control for learned video compression

Yiwei Zhang, Guo Lu, Yunuo Chen, Shen Wang, Yibo Shi, Jing Wang, and Li Song. Neural rate control for learned video compression. InThe Twelfth International Conference on Learning Representations, 2023

work page 2023
[53]

Elic: Efficient learned image compression with unevenly grouped space-channel contextual adaptive coding

Dailan He, Ziming Yang, Weikun Peng, Rui Ma, Hongwei Qin, and Yan Wang. Elic: Efficient learned image compression with unevenly grouped space-channel contextual adaptive coding. InProceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pages 5718–5727, 2022

work page 2022
[54]

Checkerboard context model for efficient learned image compression

Dailan He, Yaoyan Zheng, Baocheng Sun, Yan Wang, and Hongwei Qin. Checkerboard context model for efficient learned image compression. InProceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pages 14771–14780, 2021

work page 2021
[55]

Channel-wise autoregressive entropy models for learned image compression

David Minnen and Saurabh Singh. Channel-wise autoregressive entropy models for learned image compression. In2020 IEEE International Conference on Image Processing (ICIP), pages 3339–3343. IEEE, 2020

work page 2020
[56]

Entroformer: A transformer- based entropy model for learned image compression

Yichen Qian, Xiuyu Sun, Ming Lin, Zhiyu Tan, and Rong Jin. Entroformer: A transformer- based entropy model for learned image compression. InInternational Conference on Learning Representations

work page
[57]

Region of interest in jpeg

David Ba ˇrina and Ondˇrej Klíma. Region of interest in jpeg. pages 1–5, 01 2022

work page 2022
[58]

Medical image compression based on region of interest using better portable graphics (bpg)

David Yee, Sara Soltaninejad, Deborsi Hazarika, Gaylord Mbuyi, Rishi Barnwal, and Anup Basu. Medical image compression based on region of interest using better portable graphics (bpg). In2017 IEEE international conference on systems, man, and cybernetics (SMC), pages 216–221. IEEE, 2017

work page 2017
[59]

Jpeg 2000 and region of interest coding

Andrew P Bradley and Fred WM Stentiford. Jpeg 2000 and region of interest coding. InDigital Image Computing Techniques and Applications, volume 2, pages 1–6. Citeseer, 2002

work page 2000
[60]

The jpeg 2000 still image compression standard.IEEE Signal processing magazine, 18(5):36–58, 2001

Athanassios Skodras, Charilaos Christopoulos, and Touradj Ebrahimi. The jpeg 2000 still image compression standard.IEEE Signal processing magazine, 18(5):36–58, 2001

work page 2000
[61]

An embarrassingly simple backdoor attack on self-supervised learning

Changjiang Li, Ren Pang, Zhaohan Xi, Tianyu Du, Shouling Ji, Yuan Yao, and Ting Wang. An embarrassingly simple backdoor attack on self-supervised learning. InProceedings of the IEEE/CVF International Conference on Computer Vision, pages 4367–4378, 2023

work page 2023
[62]

Johannes Stallkamp, Marc Schlipsing, Jan Salmen, and Christian Igel. Man vs. computer: Benchmarking machine learning algorithms for traffic sign recognition.Neural networks, 32:323–332, 2012

work page 2012
[63]

Learning multiple layers of features from tiny images

Alex Krizhevsky, Geoffrey Hinton, et al. Learning multiple layers of features from tiny images. 2009

work page 2009
[64]

Deep learning face attributes in the wild

Ziwei Liu, Ping Luo, Xiaogang Wang, and Xiaoou Tang. Deep learning face attributes in the wild. InProceedings of the IEEE international conference on computer vision, pages 3730–3738, 2015

work page 2015
[65]

Nnoculation: broad spectrum and targeted treatment of backdoored dnns.arXiv preprint arXiv:2002.08313, 3:18, 2020

Akshaj Kumar Veldanda, Kang Liu, Benjamin Tan, Prashanth Krishnamurthy, Farshad Khorrami, Ramesh Karri, Brendan Dolan-Gavitt, and Siddharth Garg. Nnoculation: broad spectrum and targeted treatment of backdoored dnns.arXiv preprint arXiv:2002.08313, 3:18, 2020

work page arXiv 2002
[66]

Deep residual learning for image recognition

Kaiming He, Xiangyu Zhang, Shaoqing Ren, and Jian Sun. Deep residual learning for image recognition. InProceedings of the IEEE conference on computer vision and pattern recognition, pages 770–778, 2016

work page 2016
[67]

Identity mappings in deep residual networks

Kaiming He, Xiangyu Zhang, Shaoqing Ren, and Jian Sun. Identity mappings in deep residual networks. InComputer Vision–ECCV 2016: 14th European Conference, Amsterdam, The Netherlands, October 11–14, 2016, Proceedings, Part IV 14, pages 630–645. Springer, 2016. 14

work page 2016
[68]

Mobilenetv2: Inverted residuals and linear bottlenecks

Mark Sandler, Andrew Howard, Menglong Zhu, Andrey Zhmoginov, and Liang-Chieh Chen. Mobilenetv2: Inverted residuals and linear bottlenecks. InProceedings of the IEEE conference on computer vision and pattern recognition, pages 4510–4520, 2018

work page 2018
[69]

Squeeze-and-excitation networks

Jie Hu, Li Shen, and Gang Sun. Squeeze-and-excitation networks. InProceedings of the IEEE conference on computer vision and pattern recognition, pages 7132–7141, 2018

work page 2018
[70]

Joint autoregressive and hierarchical priors for learned image compression.Advances in neural information processing systems, 31, 2018

David Minnen, Johannes Ballé, and George D Toderici. Joint autoregressive and hierarchical priors for learned image compression.Advances in neural information processing systems, 31, 2018

work page 2018
[71]

Fine-pruning: Defending against backdooring attacks on deep neural networks

Kang Liu, Brendan Dolan-Gavitt, and Siddharth Garg. Fine-pruning: Defending against backdooring attacks on deep neural networks. InInternational symposium on research in attacks, intrusions, and defenses, pages 273–294. Springer, 2018

work page 2018
[72]

Strip: A defence against trojan attacks on deep neural networks

Yansong Gao, Change Xu, Derui Wang, Shiping Chen, Damith C Ranasinghe, and Surya Nepal. Strip: A defence against trojan attacks on deep neural networks. InProceedings of the 35th annual computer security applications conference, pages 113–125, 2019. 15

work page 2019

[1] [1]

Towards evaluating the robustness of neural networks

Nicholas Carlini and David Wagner. Towards evaluating the robustness of neural networks. In 2017 ieee symposium on security and privacy (sp), pages 39–57. Ieee, 2017

work page 2017

[2] [2]

Conditional backdoor attack via jpeg compression

Qiuyu Duan, Zhongyun Hua, Qing Liao, Yushu Zhang, and Leo Yu Zhang. Conditional backdoor attack via jpeg compression. InProceedings of the AAAI Conference on Artificial Intelligence, volume 38, pages 19823–19831, 2024

work page 2024

[3] [3]

Discrete point- wise attack is not enough: Generalized manifold adversarial attack for face recognition

Qian Li, Yuxiao Hu, Ye Liu, Dongxiao Zhang, Xin Jin, and Yuntian Chen. Discrete point- wise attack is not enough: Generalized manifold adversarial attack for face recognition. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pages 20575–20584, 2023

work page 2023

[4] [4]

Live trojan attacks on deep neural networks

Robby Costales, Chengzhi Mao, Raphael Norwitz, Bryan Kim, and Junfeng Yang. Live trojan attacks on deep neural networks. InProceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition Workshops, pages 796–797, 2020

work page 2020

[5] [5]

Februus: Input purification defense against trojan attacks on deep neural network systems

Bao Gia Doan, Ehsan Abbasnejad, and Damith C Ranasinghe. Februus: Input purification defense against trojan attacks on deep neural network systems. InProceedings of the 36th Annual Computer Security Applications Conference, pages 897–912, 2020

work page 2020

[6] [6]

Lira: Learnable, imperceptible and robust backdoor attacks

Khoa Doan, Yingjie Lao, Weijie Zhao, and Ping Li. Lira: Learnable, imperceptible and robust backdoor attacks. InProceedings of the IEEE/CVF international conference on computer vision, pages 11966–11976, 2021

work page 2021

[7] [7]

Certified adversarial robustness via randomized smoothing

Jeremy Cohen, Elan Rosenfeld, and Zico Kolter. Certified adversarial robustness via randomized smoothing. Ininternational conference on machine learning, pages 1310–1320. PMLR, 2019

work page 2019

[8] [8]

BadNets: Identifying Vulnerabilities in the Machine Learning Model Supply Chain

Tianyu Gu, Brendan Dolan-Gavitt, and Siddharth Garg. Badnets: Identifying vulnerabilities in the machine learning model supply chain.arXiv preprint arXiv:1708.06733, 2017

work page internal anchor Pith review Pith/arXiv arXiv 2017

[9] [9]

Morgan kaufmann, 2007

Ingemar Cox, Matthew Miller, Jeffrey Bloom, Jessica Fridrich, and Ton Kalker.Digital watermarking and steganography. Morgan kaufmann, 2007

work page 2007

[10] [10]

Property inference attacks on fully connected neural networks using permutation invariant representations

Karan Ganju, Qi Wang, Wei Yang, Carl A Gunter, and Nikita Borisov. Property inference attacks on fully connected neural networks using permutation invariant representations. In Proceedings of the 2018 ACM SIGSAC conference on computer and communications security, pages 619–633, 2018

work page 2018

[11] [11]

Focus on hiders: Exploring hidden threats for enhancing adversarial training

Qian Li, Yuxiao Hu, Yinpeng Dong, Dongxiao Zhang, and Yuntian Chen. Focus on hiders: Exploring hidden threats for enhancing adversarial training. InProceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pages 24442–24451, 2024

work page 2024

[12] [12]

Trojaning attack on neural networks

Yingqi Liu, Shiqing Ma, Yousra Aafer, Wen-Chuan Lee, Juan Zhai, Weihang Wang, and Xiangyu Zhang. Trojaning attack on neural networks. In25th Annual Network And Distributed System Security Symposium (NDSS 2018). Internet Soc, 2018

work page 2018

[13] [13]

Strip: A defence against trojan attacks on deep neural networks

Yansong Gao, Change Xu, Derui Wang, Shiping Chen, Damith C Ranasinghe, and Surya Nepal. Strip: A defence against trojan attacks on deep neural networks. InProceedings of the 35th annual computer security applications conference, pages 113–125, 2019

work page 2019

[14] [14]

Invis- ible backdoor attacks on deep neural networks via steganography and regularization.IEEE Transactions on Dependable and Secure Computing, 18(5):2088–2105, 2020

Shaofeng Li, Minhui Xue, Benjamin Zi Hao Zhao, Haojin Zhu, and Xinpeng Zhang. Invis- ible backdoor attacks on deep neural networks via steganography and regularization.IEEE Transactions on Dependable and Secure Computing, 18(5):2088–2105, 2020

work page 2088

[15] [15]

Composite backdoor attack for deep neural network by mixing existing benign features

Junyu Lin, Lei Xu, Yingqi Liu, and Xiangyu Zhang. Composite backdoor attack for deep neural network by mixing existing benign features. InProceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, pages 113–131, 2020

work page 2020

[16] [16]

Input-aware dynamic backdoor attack.Advances in Neural Information Processing Systems, 33:3454–3464, 2020

Tuan Anh Nguyen and Anh Tran. Input-aware dynamic backdoor attack.Advances in Neural Information Processing Systems, 33:3454–3464, 2020. 11

work page 2020

[17] [18]

Dynamic backdoor attacks against machine learning models.EuroS&P 2022, 2022

Ahmed Salem, Rui Wen, Michael Backes, Shiqing Ma, and Yang Zhang. Dynamic backdoor attacks against machine learning models.EuroS&P 2022, 2022

work page 2022

[18] [19]

Learning-driven lossy image compression: A comprehensive survey.Engineering Applications of Artificial Intelligence, 123:106361, 2023

Sonain Jamil, Md Jalil Piran, MuhibUr Rahman, and Oh-Jin Kwon. Learning-driven lossy image compression: A comprehensive survey.Engineering Applications of Artificial Intelligence, 123:106361, 2023

work page 2023

[19] [20]

Learning end-to-end lossy image compression: A benchmark.IEEE Transactions on Pattern Analysis and Machine Intelligence, 44(8):4194–4211, 2021

Yueyu Hu, Wenhan Yang, Zhan Ma, and Jiaying Liu. Learning end-to-end lossy image compression: A benchmark.IEEE Transactions on Pattern Analysis and Machine Intelligence, 44(8):4194–4211, 2021

work page 2021

[20] [21]

Lossy image compression with conditional diffusion models

Ruihan Yang and Stephan Mandt. Lossy image compression with conditional diffusion models. Advances in Neural Information Processing Systems, 36:64971–64995, 2023

work page 2023

[21] [22]

Bppattack: Stealthy and efficient trojan attacks against deep neural networks via image quantization and contrastive adversarial learning

Zhenting Wang, Juan Zhai, and Shiqing Ma. Bppattack: Stealthy and efficient trojan attacks against deep neural networks via image quantization and contrastive adversarial learning. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pages 15074–15084, 2022

work page 2022

[22] [23]

An invisible black-box backdoor attack through frequency domain

Tong Wang, Yuan Yao, Feng Xu, Shengwei An, Hanghang Tong, and Ting Wang. An invisible black-box backdoor attack through frequency domain. InEuropean Conference on Computer Vision, pages 396–413. Springer, 2022

work page 2022

[23] [24]

Wanet-imperceptible warping-based backdoor attack

Tuan Anh Nguyen and Anh Tuan Tran. Wanet-imperceptible warping-based backdoor attack. InInternational Conference on Learning Representations

work page

[24] [26]

Sleeper agent: Scalable hidden trigger backdoors for neural networks trained from scratch.Advances in Neural Information Processing Systems, 35:19165–19178, 2022

Hossein Souri, Liam Fowl, Rama Chellappa, Micah Goldblum, and Tom Goldstein. Sleeper agent: Scalable hidden trigger backdoors for neural networks trained from scratch.Advances in Neural Information Processing Systems, 35:19165–19178, 2022

work page 2022

[25] [27]

Narcissus: A practical clean-label backdoor attack with limited information

Yi Zeng, Minzhou Pan, Hoang Anh Just, Lingjuan Lyu, Meikang Qiu, and Ruoxi Jia. Narcissus: A practical clean-label backdoor attack with limited information. InProceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, pages 771–785, 2023

work page 2023

[26] [28]

Rethinking the backdoor attacks’ triggers: A frequency perspective

Yi Zeng, Won Park, Z Morley Mao, and Ruoxi Jia. Rethinking the backdoor attacks’ triggers: A frequency perspective. InProceedings of the IEEE/CVF international conference on computer vision, pages 16473–16481, 2021

work page 2021

[27] [29]

Rethinking cnn’s generalization to backdoor attack from frequency domain

Quanrui Rao, Lin Wang, and Wuying Liu. Rethinking cnn’s generalization to backdoor attack from frequency domain. InThe Twelfth International Conference on Learning Representations, 2024

work page 2024

[28] [30]

Region of interest coding in jpeg 2000.Signal Processing: Image Communication, 17(1):105–111, 2002

Joel Askelöf, Mathias Larsson Carlander, and Charilaos Christopoulos. Region of interest coding in jpeg 2000.Signal Processing: Image Communication, 17(1):105–111, 2002

work page 2000

[29] [31]

Variable-rate deep image compression through spatially-adaptive feature transform

Myungseo Song, Jinyoung Choi, and Bohyung Han. Variable-rate deep image compression through spatially-adaptive feature transform. InProceedings of the IEEE/CVF international conference on computer vision, pages 2380–2389, 2021

work page 2021

[30] [32]

End-to-end optimized roi image compression.IEEE Transactions on Image Processing, 29:3442–3457, 2019

Chunlei Cai, Li Chen, Xiaoyun Zhang, and Zhiyong Gao. End-to-end optimized roi image compression.IEEE Transactions on Image Processing, 29:3442–3457, 2019

work page 2019

[31] [33]

Variable rate roi image compression optimized for visual quality

Yi Ma, Yongqi Zhai, Chunhui Yang, Jiayu Yang, Ruofan Wang, Jing Zhou, Kai Li, Ying Chen, and Ronggang Wang. Variable rate roi image compression optimized for visual quality. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pages 1936–1940, 2021. 12

work page 1936

[32] [34]

End-to-end learned roi image compression

Hiroaki Akutsu and Takahiro Naruko. End-to-end learned roi image compression. InCVPR Workshops, page 0, 2019

work page 2019

[33] [35]

Enhanced invertible encoding for learned image compression

Yueqi Xie, Ka Leong Cheng, and Qifeng Chen. Enhanced invertible encoding for learned image compression. InProceedings of the 29th ACM international conference on multimedia, pages 162–170, 2021

work page 2021

[34] [36]

The devil is in the details: Window-based attention for image compression

Renjie Zou, Chunfeng Song, and Zhaoxiang Zhang. The devil is in the details: Window-based attention for image compression. InProceedings of the IEEE/CVF conference on computer vision and pattern recognition, pages 17492–17501, 2022

work page 2022

[35] [37]

Hybrid spatial-temporal entropy modelling for neural video compression

Jiahao Li, Bin Li, and Yan Lu. Hybrid spatial-temporal entropy modelling for neural video compression. InProceedings of the 30th ACM International Conference on Multimedia, pages 1503–1511, 2022

work page 2022

[36] [38]

S2cformer: Reorienting learned image compression from spatial interaction to channel aggregation.arXiv preprint arXiv:2502.00700, 2025

Yunuo Chen, Qian Li, Bing He, Donghui Feng, Ronghua Wu, Qi Wang, Li Song, Guo Lu, and Wenjun Zhang. S2cformer: Reorienting learned image compression from spatial interaction to channel aggregation.arXiv preprint arXiv:2502.00700, 2025

work page arXiv 2025

[37] [39]

Targeted Backdoor Attacks on Deep Learning Systems Using Data Poisoning

Xinyun Chen, Chang Liu, Bo Li, Kimberly Lu, and Dawn Song. Targeted backdoor attacks on deep learning systems using data poisoning.arXiv preprint arXiv:1712.05526, 2017

work page internal anchor Pith review Pith/arXiv arXiv 2017

[38] [40]

Reflection backdoor: A natural backdoor attack on deep neural networks

Yunfei Liu, Xingjun Ma, James Bailey, and Feng Lu. Reflection backdoor: A natural backdoor attack on deep neural networks. InComputer Vision–ECCV 2020: 16th European Conference, Glasgow, UK, August 23–28, 2020, Proceedings, Part X 16, pages 182–199. Springer, 2020

work page 2020

[39] [41]

Deep feature space trojan attack of neural networks by controlled detoxification

Siyuan Cheng, Yingqi Liu, Shiqing Ma, and Xiangyu Zhang. Deep feature space trojan attack of neural networks by controlled detoxification. InProceedings of the AAAI Conference on Artificial Intelligence, volume 35, pages 1148–1156, 2021

work page 2021

[40] [42]

Invisible backdoor attack with sample-specific triggers

Yuezun Li, Yiming Li, Baoyuan Wu, Longkang Li, Ran He, and Siwei Lyu. Invisible backdoor attack with sample-specific triggers. InProceedings of the IEEE/CVF international conference on computer vision, pages 16463–16472, 2021

work page 2021

[41] [43]

Hidden trigger backdoor attacks

Aniruddha Saha, Akshayvarun Subramanya, and Hamed Pirsiavash. Hidden trigger backdoor attacks. InProceedings of the AAAI conference on artificial intelligence, volume 34, pages 11957–11965, 2020

work page 2020

[42] [44]

Label-Consistent Backdoor Attacks, December 2019

Alexander Turner, Dimitris Tsipras, and Aleksander Madry. Label-consistent backdoor attacks. arXiv preprint arXiv:1912.02771, 2019

work page arXiv 1912

[43] [45]

End-to-end optimized image compres- sion

Johannes Ballé, Valero Laparra, and Eero P Simoncelli. End-to-end optimized image compres- sion. In5th International Conference on Learning Representations, ICLR 2017, 2017

work page 2017

[44] [46]

Varia- tional image compression with a scale hyperprior

Johannes Ballé, David Minnen, Saurabh Singh, Sung Jin Hwang, and Nick Johnston. Varia- tional image compression with a scale hyperprior. InInternational Conference on Learning Representations, 2018

work page 2018

[45] [47]

Learned image compression with discretized gaussian mixture likelihoods and attention modules

Zhengxue Cheng, Heming Sun, Masaru Takeuchi, and Jiro Katto. Learned image compression with discretized gaussian mixture likelihoods and attention modules. InProceedings of the IEEE/CVF conference on computer vision and pattern recognition, pages 7939–7948, 2020

work page 2020

[46] [48]

Two-stage octave residual network for end-to- end image compression

Fangdong Chen, Yumeng Xu, and Li Wang. Two-stage octave residual network for end-to- end image compression. InProceedings of the AAAI Conference on Artificial Intelligence, volume 36, pages 3922–3929, 2022

work page 2022

[47] [49]

Transformer-based transform coding

Yinhao Zhu, Yang Yang, and Taco Cohen. Transformer-based transform coding. InInternational Conference on Learning Representations, 2022

work page 2022

[48] [50]

Learned image compression with mixed transformer- cnn architectures

Jinming Liu, Heming Sun, and Jiro Katto. Learned image compression with mixed transformer- cnn architectures. InProceedings of the IEEE/CVF conference on computer vision and pattern recognition, pages 14388–14397, 2023. 13

work page 2023

[49] [51]

Content-aware mamba for learned image compression

Yunuo Chen, Zezheng Lyu, Bing He, Hongwei Hu, Qi Wang, Yuan Tian, Li Song, Wenjun Zhang, and Guo Lu. Content-aware mamba for learned image compression. InThe Fourteenth International Conference on Learning Representations, 2026

work page 2026

[50] [52]

Neural rate control for learned video compression

Yiwei Zhang, Guo Lu, Yunuo Chen, Shen Wang, Yibo Shi, Jing Wang, and Li Song. Neural rate control for learned video compression. InThe Twelfth International Conference on Learning Representations, 2023

work page 2023

[51] [53]

Elic: Efficient learned image compression with unevenly grouped space-channel contextual adaptive coding

Dailan He, Ziming Yang, Weikun Peng, Rui Ma, Hongwei Qin, and Yan Wang. Elic: Efficient learned image compression with unevenly grouped space-channel contextual adaptive coding. InProceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pages 5718–5727, 2022

work page 2022

[52] [54]

Checkerboard context model for efficient learned image compression

Dailan He, Yaoyan Zheng, Baocheng Sun, Yan Wang, and Hongwei Qin. Checkerboard context model for efficient learned image compression. InProceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pages 14771–14780, 2021

work page 2021

[53] [55]

Channel-wise autoregressive entropy models for learned image compression

David Minnen and Saurabh Singh. Channel-wise autoregressive entropy models for learned image compression. In2020 IEEE International Conference on Image Processing (ICIP), pages 3339–3343. IEEE, 2020

work page 2020

[54] [56]

Entroformer: A transformer- based entropy model for learned image compression

Yichen Qian, Xiuyu Sun, Ming Lin, Zhiyu Tan, and Rong Jin. Entroformer: A transformer- based entropy model for learned image compression. InInternational Conference on Learning Representations

work page

[55] [57]

Region of interest in jpeg

David Ba ˇrina and Ondˇrej Klíma. Region of interest in jpeg. pages 1–5, 01 2022

work page 2022

[56] [58]

Medical image compression based on region of interest using better portable graphics (bpg)

David Yee, Sara Soltaninejad, Deborsi Hazarika, Gaylord Mbuyi, Rishi Barnwal, and Anup Basu. Medical image compression based on region of interest using better portable graphics (bpg). In2017 IEEE international conference on systems, man, and cybernetics (SMC), pages 216–221. IEEE, 2017

work page 2017

[57] [59]

Jpeg 2000 and region of interest coding

Andrew P Bradley and Fred WM Stentiford. Jpeg 2000 and region of interest coding. InDigital Image Computing Techniques and Applications, volume 2, pages 1–6. Citeseer, 2002

work page 2000

[58] [60]

The jpeg 2000 still image compression standard.IEEE Signal processing magazine, 18(5):36–58, 2001

Athanassios Skodras, Charilaos Christopoulos, and Touradj Ebrahimi. The jpeg 2000 still image compression standard.IEEE Signal processing magazine, 18(5):36–58, 2001

work page 2000

[59] [61]

An embarrassingly simple backdoor attack on self-supervised learning

Changjiang Li, Ren Pang, Zhaohan Xi, Tianyu Du, Shouling Ji, Yuan Yao, and Ting Wang. An embarrassingly simple backdoor attack on self-supervised learning. InProceedings of the IEEE/CVF International Conference on Computer Vision, pages 4367–4378, 2023

work page 2023

[60] [62]

Johannes Stallkamp, Marc Schlipsing, Jan Salmen, and Christian Igel. Man vs. computer: Benchmarking machine learning algorithms for traffic sign recognition.Neural networks, 32:323–332, 2012

work page 2012

[61] [63]

Learning multiple layers of features from tiny images

Alex Krizhevsky, Geoffrey Hinton, et al. Learning multiple layers of features from tiny images. 2009

work page 2009

[62] [64]

Deep learning face attributes in the wild

Ziwei Liu, Ping Luo, Xiaogang Wang, and Xiaoou Tang. Deep learning face attributes in the wild. InProceedings of the IEEE international conference on computer vision, pages 3730–3738, 2015

work page 2015

[63] [65]

Nnoculation: broad spectrum and targeted treatment of backdoored dnns.arXiv preprint arXiv:2002.08313, 3:18, 2020

Akshaj Kumar Veldanda, Kang Liu, Benjamin Tan, Prashanth Krishnamurthy, Farshad Khorrami, Ramesh Karri, Brendan Dolan-Gavitt, and Siddharth Garg. Nnoculation: broad spectrum and targeted treatment of backdoored dnns.arXiv preprint arXiv:2002.08313, 3:18, 2020

work page arXiv 2002

[64] [66]

Deep residual learning for image recognition

Kaiming He, Xiangyu Zhang, Shaoqing Ren, and Jian Sun. Deep residual learning for image recognition. InProceedings of the IEEE conference on computer vision and pattern recognition, pages 770–778, 2016

work page 2016

[65] [67]

Identity mappings in deep residual networks

Kaiming He, Xiangyu Zhang, Shaoqing Ren, and Jian Sun. Identity mappings in deep residual networks. InComputer Vision–ECCV 2016: 14th European Conference, Amsterdam, The Netherlands, October 11–14, 2016, Proceedings, Part IV 14, pages 630–645. Springer, 2016. 14

work page 2016

[66] [68]

Mobilenetv2: Inverted residuals and linear bottlenecks

Mark Sandler, Andrew Howard, Menglong Zhu, Andrey Zhmoginov, and Liang-Chieh Chen. Mobilenetv2: Inverted residuals and linear bottlenecks. InProceedings of the IEEE conference on computer vision and pattern recognition, pages 4510–4520, 2018

work page 2018

[67] [69]

Squeeze-and-excitation networks

Jie Hu, Li Shen, and Gang Sun. Squeeze-and-excitation networks. InProceedings of the IEEE conference on computer vision and pattern recognition, pages 7132–7141, 2018

work page 2018

[68] [70]

Joint autoregressive and hierarchical priors for learned image compression.Advances in neural information processing systems, 31, 2018

David Minnen, Johannes Ballé, and George D Toderici. Joint autoregressive and hierarchical priors for learned image compression.Advances in neural information processing systems, 31, 2018

work page 2018

[69] [71]

Fine-pruning: Defending against backdooring attacks on deep neural networks

Kang Liu, Brendan Dolan-Gavitt, and Siddharth Garg. Fine-pruning: Defending against backdooring attacks on deep neural networks. InInternational symposium on research in attacks, intrusions, and defenses, pages 273–294. Springer, 2018

work page 2018

[70] [72]

Strip: A defence against trojan attacks on deep neural networks

Yansong Gao, Change Xu, Derui Wang, Shiping Chen, Damith C Ranasinghe, and Surya Nepal. Strip: A defence against trojan attacks on deep neural networks. InProceedings of the 35th annual computer security applications conference, pages 113–125, 2019. 15

work page 2019