Defense Against Adversarial Attacks on No-Reference Image Quality Models with Gradient Norm Regularization (2403.11397v1)
Abstract: The task of No-Reference Image Quality Assessment (NR-IQA) is to estimate the quality score of an input image without additional information. NR-IQA models play a crucial role in the media industry, aiding in performance evaluation and optimization guidance. However, these models are found to be vulnerable to adversarial attacks, which introduce imperceptible perturbations to input images, resulting in significant changes in predicted scores. In this paper, we propose a defense method to improve the stability in predicted scores when attacked by small perturbations, thus enhancing the adversarial robustness of NR-IQA models. To be specific, we present theoretical evidence showing that the magnitude of score changes is related to the $\ell_1$ norm of the model's gradient with respect to the input image. Building upon this theoretical foundation, we propose a norm regularization training strategy aimed at reducing the $\ell_1$ norm of the gradient, thereby boosting the robustness of NR-IQA models. Experiments conducted on four NR-IQA baseline models demonstrate the effectiveness of our strategy in reducing score changes in the presence of adversarial attacks. To the best of our knowledge, this work marks the first attempt to defend against adversarial attacks on NR-IQA models. Our study offers valuable insights into the adversarial robustness of NR-IQA models and provides a foundation for future research in this area.
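An added example, not code from the paper: to first order, Hölder's inequality gives $|f(x+\delta) - f(x)| \le \|\nabla_x f(x)\|_1 \, \|\delta\|_\infty$, which is why shrinking the $\ell_1$ norm of the input gradient limits how far a bounded perturbation can move the score. The code below trains a linear scorer with and without that penalty on constructed data; for a linear model the input gradient is the weight vector, so the bound is exact and the penalty reduces to an $\ell_1$ weight penalty. The linear model, the data, the penalty weight and all function names are assumptions of this example.

```python
import random

def l1(v):
    return sum(abs(t) for t in v)

def score(w, x):
    # Linear quality scorer: its gradient w.r.t. the input x is w for every x.
    return sum(wi * xi for wi, xi in zip(w, x))

def make_data(n=64, seed=0):
    # Constructed data: 6 input features in [-1, 1]; only four carry signal.
    rng = random.Random(seed)
    w_true = [2.0, -1.5, 1.0, 0.5, 0.0, 0.0]
    xs = [[rng.uniform(-1, 1) for _ in w_true] for _ in range(n)]
    ys = [score(w_true, x) + rng.gauss(0, 0.1) for x in xs]
    return xs, ys

def train(xs, ys, lam, lr=0.05, steps=500):
    # Subgradient descent on  mean (f(x) - y)^2  +  lam * ||grad_x f||_1.
    w = [0.0] * len(xs[0])
    for _ in range(steps):
        g = [0.0] * len(w)
        for x, y in zip(xs, ys):
            err = score(w, x) - y
            for j, xj in enumerate(x):
                g[j] += 2 * err * xj / len(xs)
        sgn = [(wj > 0) - (wj < 0) for wj in w]  # subgradient of |w_j|
        w = [wj - lr * (gj + lam * s) for wj, gj, s in zip(w, g, sgn)]
    return w

def max_score_change(w, x, eps, trials=200, seed=1):
    # Largest |f(x + d) - f(x)| over random d with ||d||_inf <= eps.
    rng = random.Random(seed)
    base = score(w, x)
    return max(abs(score(w, [xi + rng.uniform(-eps, eps) for xi in x]) - base)
               for _ in range(trials))

def compare(eps=0.03, lam=0.2):
    # Train both variants and report gradient norm, bound, change and fit.
    xs, ys = make_data()
    out = {}
    for name, penalty in (("plain", 0.0), ("regularized", lam)):
        w = train(xs, ys, penalty)
        mse = sum((score(w, x) - y) ** 2 for x, y in zip(xs, ys)) / len(xs)
        out[name] = {"grad_l1": l1(w), "bound": eps * l1(w), "mse": mse,
                     "observed": max_score_change(w, xs[0], eps)}
    return out

if __name__ == "__main__":
    print(compare())
```

For a deep NR-IQA model the gradient depends on the input image, so the penalty has to be evaluated per training image rather than once on the weights.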
Authors:
- Yujia Liu
- Chenxi Yang
- Dingquan Li
- Jianhao Ding
- Tingting Jiang