Adversarial purification for no-reference image-quality metrics: applicability study and new methods

TL;DR

The paper addresses the vulnerability of no-reference image quality assessment (NR-IQA) metrics to adversarial perturbations and explores whether purification defenses developed for image classifiers can defend NR-IQA. It adapts 10 attack methods to NR-IQA, introduces 16 purification techniques including diffusion-based methods (DiffPure) and a novel FCN filter, and constructs an adversarial dataset based on the NIPS 2017 benchmark to evaluate defenses against three NR-IQA metrics, primarily Linearity. Key findings show that diffusion-based purifications, especially DiffPure with optional unsharp masking, achieve high image quality and preserve correlation with subjective quality, while simple transformations like rotation or flipping can be surprisingly effective; the FCN filter offers strong defense against colour-based attacks (AdvCF). The work demonstrates transferability of purification strategies to NR-IQA, provides a benchmark dataset for adversarial NR-IQA, and suggests directions toward provable defenses for robust IQA metrics with practical impact on benchmarks and optimization tasks in vision systems.

Abstract

Recently, the area of adversarial attacks on image quality metrics has begun to be explored, whereas the area of defences remains under-researched. In this study, we aim to cover that case and check the transferability of adversarial purification defences from image classifiers to IQA methods. In this paper, we apply several widespread attacks on IQA models and examine the success of the defences against them. The purification methodologies covered different preprocessing techniques, including geometrical transformations, compression, denoising, and modern neural network-based methods. Also, we address the challenge of assessing the efficacy of a defensive methodology by proposing ways to estimate output visual quality and the success of neutralizing attacks. Defences were tested against attack on three IQA metrics -- Linearity, MetaIQA and SPAQ. The code for attacks and defences is available at: (link is hidden for a blind review).

Figures (6)

• Figure 1: Original image (first column), image after the adversarial attack (AMI-FGSM, second columns), and two defence techniques applied to the adversarial image (third and fourth columns). All images are cropped to size $100\times80$.
• Figure 2: Examples of attacks. The first column shows the original (clean) image, the following columns display the corresponding image after the attack.
• Figure 3: Heatmap showing Gain score for all attacks separately and for the original images. Purification methods are located along the X-axis. The Y-axis contains different attacks. Columns are sorted by their mean value. Thus, the more left the defence is, the better it eliminates the effects of the attack on average across all images.
• Figure 4: Heatmap showing Spearman correlation coefficients (SROCC) for all attacks separately and for the original images. Purification methods are located along the X-axis. The Y-axis contains different attacks. Columns are sorted by the mean value.
• Figure 5: Gain score depending on minimum SSIM (left) / metric (right) values. Most defences modify their behaviour in terms of Gain score slightly depending on SSIM, but monotonically depends on adversarial metric values. Furthermore, most defences increase the Gain score with metric value, but some (DiffPure, Blur and Unsharp) start decreasing.