Black-box Adversarial Attacks Against Image Quality Assessment Models

TL;DR

This paper makes the first attempt to explore the black-box adversarial attacks on NR-IQA models, and develops an efficient and effective black-box attack method against NR-IQA models.

Abstract

The goal of No-Reference Image Quality Assessment (NR-IQA) is to predict the perceptual quality of an image in line with its subjective evaluation. To put the NR-IQA models into practice, it is essential to study their potential loopholes for model refinement. This paper makes the first attempt to explore the black-box adversarial attacks on NR-IQA models. Specifically, we first formulate the attack problem as maximizing the deviation between the estimated quality scores of original and perturbed images, while restricting the perturbed image distortions for visual quality preservation. Under such formulation, we then design a Bi-directional loss function to mislead the estimated quality scores of adversarial examples towards an opposite direction with maximum deviation. On this basis, we finally develop an efficient and effective black-box attack method against NR-IQA models. Extensive experiments reveal that all the evaluated NR-IQA models are vulnerable to the proposed attack method. And the generated perturbations are not transferable, enabling them to serve the investigation of specialities of disparate IQA models.

Figures (8)

• Figure 1: An illustration for adversarial attacks against a DNN-based NR-IQA model. The quality of photos taken with a smartphone camera is becoming one of the key factors that users consider when purchasing a smartphone zhu2020multiple. However, in real-world scenario, suppose that (a) and (c) are two photos taken with two different smartphone cameras, which will be sent to the third-party authoritative platform for quality assessment. (b) and (d) are their corresponding adversarial examples generated by attackers. If the original images are unfortunately replaced by adversarial examples. Then, we may see that the third-party platform, i.e., a DNNs-based NR-IQA model, would output very different quality scores for these two adversarial examples even their semantic information and visual qualities are preserved. These estimated quality results would significantly mislead the consumers' perception of the two smartphones.
• Figure 2: The distributions of prediction scores using MSE loss and Bi-directional loss in white-box setting.
• Figure 3: An illustration of the Bi-directional loss, where (a) is the case that $\mathcal{F}(\boldsymbol{x})$ is greater than ($\beta_1+\beta_2)/2$, and (b) is the opposite case.
• Figure 4: The curves of RGO w.r.t the number of queries by our attack method against UNIQUE model on LIVE and CSIQ datasets.
• Figure 5: The adversarial examples and their associated perturbations added to the original image (a) by attacking DBCNN (b), UNIQUE (c), TReS (d) and LIQE (e) models, respectively. $\rightarrow$ denotes the predicted quality score change between original image (a) and its adversarial example. Image (a) is from CSIQ dataset. Note that the image is center cropped to size $224\times224$ for TReS model due to its input constraint. Perturbations are scaled to $[0, 1]$ for visibility.