No-Reference Image Quality Assessment (NR-IQA) models play an important role in various real-world applications. Recently, adversarial attacks against NR-IQA models have attracted increasing attention, as they provide valuable insights for revealing model vulnerabilities and guiding robust system design. Some effective attacks have been proposed against NR-IQA models in white-box settings, where the attacker has full access to the target model. However, these attacks often suffer from poor transferability to unknown target models in more realistic black-box scenarios, where the target model is inaccessible. This work makes the first attempt to address the challenge of low transferability in attacking NR-IQA models by proposing a transferable Signed Ensemble Gaussian black-box Attack (SEGA). The main idea is to approximate the gradient of the target model by applying Gaussian smoothing to source models and ensembling their smoothed gradients. To ensure the imperceptibility of adversarial perturbations, SEGA further removes inappropriate perturbations using a specially designed perturbation filter mask. Experimental results on the CLIVE dataset demonstrate the superior transferability of SEGA, validating its effectiveness in enabling successful transfer-based black-box attacks against NR-IQA models.