Backdoor Attacks against No-Reference Image Quality Assessment Models via a Scalable Trigger

TL;DR

This paper investigates backdoor vulnerabilities in No-Reference Image Quality Assessment (NR-IQA) models and proposes BAIQA, a scalable backdoor using a DCT-domain universal trigger whose effect is modulated by a coefficient $\alpha$. The approach injects triggers in the DCT space via UAP-DCT, enabling both poison-label and clean-label backdoors with theoretical guidance to maintain clean-data performance while shifting outputs to a target $y + \alpha \Delta y_t$. Comprehensive experiments on LIVEC and KonIQ-10k across multiple NR-IQA models show strong attack effectiveness and robustness to defenses, underscoring practical security risks in NR-IQA systems. This work provides a framework for defending against perceptual backdoors and motivates further study of adversarial risks in perceptual tasks.

Abstract

No-Reference Image Quality Assessment (NR-IQA), responsible for assessing the quality of a single input image without using any reference, plays a critical role in evaluating and optimizing computer vision systems, e.g., low-light enhancement. Recent research indicates that NR-IQA models are susceptible to adversarial attacks, which can significantly alter predicted scores with visually imperceptible perturbations. Despite revealing vulnerabilities, these attack methods have limitations, including high computational demands, untargeted manipulation, limited practical utility in white-box scenarios, and reduced effectiveness in black-box scenarios. To address these challenges, we shift our focus to another significant threat and present a novel poisoning-based backdoor attack against NR-IQA (BAIQA), allowing the attacker to manipulate the IQA model's output to any desired target value by simply adjusting a scaling coefficient $α$ for the trigger. We propose to inject the trigger in the discrete cosine transform (DCT) domain to improve the local invariance of the trigger for countering trigger diminishment in NR-IQA models due to widely adopted data augmentations. Furthermore, the universal adversarial perturbations (UAP) in the DCT space are designed as the trigger, to increase IQA model susceptibility to manipulation and improve attack effectiveness. In addition to the heuristic method for poison-label BAIQA (P-BAIQA), we explore the design of clean-label BAIQA (C-BAIQA), focusing on $α$ sampling and image data refinement, driven by theoretical insights we reveal. Extensive experiments on diverse datasets and various NR-IQA models demonstrate the effectiveness of our attacks. Code can be found at https://github.com/yuyi-sd/BAIQA.

Figures (8)

• Figure 1: 1) Poison subset: After using (a) to get the trigger $\boldsymbol{t}$, we utilize the trigger injection $T(\boldsymbol{x}, {\alpha} \!\cdot\! \boldsymbol{t})$ outlined in (b), enabling the P-BAIQA/C-BAIQA in (c)/(d). 2) Train model:$f_{\boldsymbol{\theta^{*}}}$ are trained on the set $\mathcal{D}_t$ consisting of a clean subset $\mathcal{D}_c$ and a poisoned subset $\mathcal{D}_p$. 3) Attack at test-time: As shown in (b), attackers can adjust the output to any desired value using $\alpha$ to generate the triggered image $\boldsymbol{x_p}\!=\!T(\boldsymbol{x}, {\alpha} \!\cdot\! \boldsymbol{t})$. We offer the PSNR between the clean $\boldsymbol{x}$ and $\boldsymbol{x_p}$, along with the predictions. We set $\Delta{y_t}\!=\!40$.
• Figure 2: $\text{MRA}(\alpha)$ with HyperIQA as victim models.
• Figure 3: Resistance to fine-tuning and pruning (HyperIQA as models and LIVEC as the dataset).
• Figure 4: $\text{MAE}(\alpha)$ for both P-BAIQA and C-BAIQA (HyperIQA as victim models).
• Figure 5: Visualized results of poison-label attacks on Koniq-10k. For all poisoned images, we adopt $\alpha=1$, and the deviations of the output are compared to the clean output of corresponding models.