ai-research-survey

Systematic scan of agentic development research. What's signal, what's noise.
git clone https://git.shiptheloop.com/ai-research-survey.git

scan.json (30142B)


      1 {
      2   "paper": {
      3     "title": "Exploring adversarial robustness of JPEG AI: methodology, comparison and new methods",
      4     "authors": [
      5       "Egor Kovalev",
      6       "Georgii Bychkov",
      7       "Khaled Abud",
      8       "Aleksandr Gushchin",
      9       "Anna Chistyakova",
     10       "Sergey Lavrushkin",
     11       "Dmitriy Vatolin",
     12       "Anastasia Antsiferova"
     13     ],
     14     "year": 2024,
     15     "venue": "arXiv",
     16     "arxiv_id": "2411.11795",
     17     "doi": "10.48550/arXiv.2411.11795"
     18   },
     19   "checklist": {
     20     "artifacts": {
     21       "code_released": {
     22         "applies": true,
     23         "answer": false,
     24         "justification": "The abstract states 'Our evaluation results and code are publicly available online (link is hidden for a blind review).' Since the link is hidden and no working URL is provided, this counts as NO."
     25       },
     26       "data_released": {
     27         "applies": true,
     28         "answer": true,
     29         "justification": "All four evaluation datasets are publicly available standard benchmarks: KODAK Photo CD, CITYSCAPES, NIPS 2017 Adversarial Learning Development Set, and BSDS (Section 4.4)."
     30       },
     31       "environment_specified": {
     32         "applies": true,
     33         "answer": false,
     34         "justification": "Section 4.6 lists hardware (120× NVIDIA A100 80GB, Intel Xeon Ice Lake) and mentions Slurm, but provides no software dependencies, library versions, requirements.txt, or environment specification."
     35       },
     36       "reproduction_instructions": {
     37         "applies": true,
     38         "answer": false,
     39         "justification": "No step-by-step reproduction instructions are provided. The code link is hidden for blind review, and the paper does not include a 'Reproducing Results' section."
     40       }
     41     },
     42     "statistical_methodology": {
     43       "confidence_intervals_or_error_bars": {
     44         "applies": true,
     45         "answer": false,
     46         "justification": "Results are reported as averaged metrics across 4 runs with varied parameters, but no confidence intervals, error bars, or uncertainty measures are shown in any figure or table."
     47       },
     48       "significance_tests": {
     49         "applies": true,
     50         "answer": false,
     51         "justification": "The paper makes numerous comparative claims (e.g., 'JPEG AI showed relatively high robustness,' 'CDC showed the lowest robustness') based solely on comparing averaged metric values without any statistical significance tests."
     52       },
     53       "effect_sizes_reported": {
     54         "applies": true,
     55         "answer": true,
     56         "justification": "Delta metrics (ΔPSNR, ΔMSE, ΔMS-SSIM, ΔVMAF) provide magnitude of quality degradation. BSQ-rate (Section 5.7) reports 'over 50% less bitrate with the same quality.' Fig. 7 shows specific transferability values. These provide meaningful effect size context."
     57       },
     58       "sample_size_justified": {
     59         "applies": true,
     60         "answer": false,
     61         "justification": "No justification is given for why 4 datasets with specific sizes were chosen, why 4 parameter variations per attack were used, or any power analysis."
     62       },
     63       "variance_reported": {
     64         "applies": true,
     65         "answer": false,
     66         "justification": "Section 4.6 states 'We applied each adversarial attack to each encoder four times with varied attack parameters. We then averaged the metrics for all launches.' No standard deviation, IQR, or any spread measure is reported."
     67       }
     68     },
     69     "evaluation_design": {
     70       "baselines_included": {
     71         "applies": true,
     72         "answer": true,
     73         "justification": "Ten NIC models are compared (Table 2), including established baselines like Ballé 2018, mbt2018, and Cheng2020. Random noise is included as a baseline attack (Table 3)."
     74       },
     75       "baselines_contemporary": {
     76         "applies": true,
     77         "answer": true,
     78         "justification": "Baselines include models from 2018–2024: CDC (2024), JPEG AI 6.1 (2024), Li-tcm (2023), qres-vae (2023), alongside older established codecs. The mix of historical and contemporary models is appropriate."
     79       },
     80       "ablation_study": {
     81         "applies": false,
     82         "answer": false,
     83         "justification": "This paper evaluates and compares existing codecs, attacks, and defenses — it does not propose a novel system with components to ablate."
     84       },
     85       "multiple_metrics": {
     86         "applies": true,
     87         "answer": true,
     88         "justification": "Seven evaluation metrics are used: ΔPSNR, ΔMSE, ΔMS-SSIM, ΔVMAF, BPP change, Color metric, and Texture metric (Sections 4.5, 5.4)."
     89       },
     90       "human_evaluation": {
     91         "applies": true,
     92         "answer": false,
     93         "justification": "All evaluation is automated using full-reference image quality metrics and artifact detection methods. No human perceptual evaluation of image quality under attack is conducted."
     94       },
     95       "held_out_test_set": {
     96         "applies": true,
     97         "answer": false,
     98         "justification": "The paper evaluates pre-trained codecs on standard datasets but does not discuss whether any of these datasets were used in NIC model training, nor is there an explicit separation of tuning vs. evaluation data."
     99       },
    100       "per_category_breakdown": {
    101         "applies": true,
    102         "answer": true,
    103         "justification": "Results are broken down by codec (Fig. 3, 6), by attack type and loss function (Fig. 2), by bitrate (Fig. 4, 7), and by defense strategy (Fig. 8). Section 5.4 breaks down artifacts by codec."
    104       },
    105       "failure_cases_discussed": {
    106         "applies": true,
    107         "answer": true,
    108         "justification": "Section 5.1 reports that reconstruction losses actually improve decoded quality rather than degrading it — a failure case for those attack objectives. Section 5.2 notes specific attacks are ineffective against JPEG AI while devastating for other codecs."
    109       },
    110       "negative_results_reported": {
    111         "applies": true,
    112         "answer": true,
    113         "justification": "Section 5.1 reports that reconstruction losses produce negative ΔPSNR/ΔSSIM (decoded images improve after attack), which is a negative result for those attack strategies. 'More complex losses showed less efficiency' is also a negative finding."
    114       }
    115     },
    116     "claims_and_evidence": {
    117       "abstract_claims_supported": {
    118         "applies": true,
    119         "answer": true,
    120         "justification": "The abstract claims: new methodology for NIC robustness (supported by Section 4), first large-scale evaluation of JPEG AI (supported by Section 5 with 10 codecs, 6 attacks, 10 loss functions), and comparison with other NICs (supported by Figs. 2–9). Code availability claim is technically unfulfilled due to blind review."
    121       },
    122       "causal_claims_justified": {
    123         "applies": true,
    124         "answer": false,
    125         "justification": "The paper makes causal claims such as 'adversarial noise causes significant changes in latent representation, yielding noticeable quality degradation' (Section 5.2 on CDC), and 'This model may be less robust by design.' These claims are based on observational comparison, not controlled architectural ablation."
    126       },
    127       "generalization_bounded": {
    128         "applies": true,
    129         "answer": true,
    130         "justification": "The title and claims are specifically about JPEG AI and named NIC models. Claims are bounded to the tested codecs, attacks, and datasets. The paper explicitly scopes to white-box attacks with stated justification (Section 4.2)."
    131       },
    132       "alternative_explanations_discussed": {
    133         "applies": true,
    134         "answer": false,
    135         "justification": "The paper offers single explanations for observations (e.g., CDC's vulnerability attributed to diffusion architecture, BPP increase attributed to noise structure) without considering alternative explanations or confounding factors."
    136       },
    137       "proxy_outcome_distinction": {
    138         "applies": true,
    139         "answer": true,
    140         "justification": "The paper defines its metrics clearly (Equation 5, Section 4.5): Δscore measures quality drop caused by adversarial attack. The metrics directly measure what is claimed — the gap between measurement and framing is minimal. The paper does not over-generalize from ΔPSNR to broader 'robustness' without defining the connection."
    141       }
    142     },
    143     "setup_transparency": {
    144       "model_versions_specified": {
    145         "applies": true,
    146         "answer": true,
    147         "justification": "Specific codec versions are listed in Table 2: JPEG AI 4.1, 5.1, 6.1 (each with HOP/BOP), and specific model variants for other codecs (e.g., Cheng2020+attn, mbt2018-mean). Section 4.6 notes they used source code of JPEG AI without additional pretraining."
    148       },
    149       "prompts_provided": {
    150         "applies": false,
    151         "answer": false,
    152         "justification": "This paper evaluates neural image compression codecs under adversarial attacks. No language model prompting is involved."
    153       },
    154       "hyperparameters_reported": {
    155         "applies": true,
    156         "answer": false,
    157         "justification": "Section 4.6 states attacks were run 'four times with varied attack parameters (learning rate, number of iterations, and perturbation bound)' but the specific values are not reported. Random noise σ range is given (Table 3), but attack hyperparameters are missing."
    158       },
    159       "scaffolding_described": {
    160         "applies": false,
    161         "answer": false,
    162         "justification": "No agentic scaffolding is used. This is a neural image compression adversarial robustness study."
    163       },
    164       "data_preprocessing_documented": {
    165         "applies": true,
    166         "answer": false,
    167         "justification": "Section 4.4 lists datasets with basic descriptions (image count, resolution) but does not document any preprocessing, filtering, or transformation steps applied to the images before experimentation."
    168       }
    169     },
    170     "limitations_and_scope": {
    171       "limitations_section_present": {
    172         "applies": true,
    173         "answer": false,
    174         "justification": "There is no dedicated limitations or threats-to-validity section. The conclusion mentions challenges ('assessing attack success in NICs remains challenging') but provides no substantive limitations discussion."
    175       },
    176       "threats_to_validity_specific": {
    177         "applies": true,
    178         "answer": false,
    179         "justification": "No specific threats to validity are discussed. The conclusion makes brief mentions of challenges in assessing attack success but does not identify specific methodological threats."
    180       },
    181       "scope_boundaries_stated": {
    182         "applies": true,
    183         "answer": false,
    184         "justification": "While Section 4.2 explains the focus on white-box attacks, the paper does not explicitly state what the results do NOT show. No systematic scope boundaries are provided — e.g., no discussion of how results may not extend to black-box settings, other image domains, or real-world deployment conditions."
    185       }
    186     },
    187     "data_integrity": {
    188       "raw_data_available": {
    189         "applies": true,
    190         "answer": false,
    191         "justification": "Results and code are claimed to be available but the link is hidden for blind review. No raw experimental data (per-image metrics, per-run results) is provided in the paper or supplements."
    192       },
    193       "data_collection_described": {
    194         "applies": true,
    195         "answer": true,
    196         "justification": "Section 4.4 describes datasets used (KODAK, CITYSCAPES, NIPS 2017, BSDS) with image counts and resolutions. Section 4.6 describes the experimental procedure: attacks applied 4 times with varied parameters, results averaged."
    197       },
    198       "recruitment_methods_described": {
    199         "applies": false,
    200         "answer": false,
    201         "justification": "No human participants. All datasets are standard public benchmarks."
    202       },
    203       "data_pipeline_documented": {
    204         "applies": true,
    205         "answer": false,
    206         "justification": "The high-level pipeline is described (attack images → compress → measure quality delta) but intermediate steps are poorly documented. The specific attack parameter configurations, filtering of ~3000 images for artifact analysis (Section 5.4), and how results were aggregated across datasets and bitrates are not fully specified."
    207       }
    208     },
    209     "conflicts_of_interest": {
    210       "funding_disclosed": {
    211         "applies": true,
    212         "answer": false,
    213         "justification": "No funding or acknowledgments section is present in the paper. Multiple institutional affiliations are listed (MSU Institute for AI, ISP RAS, Innopolis University) but no funding sources disclosed."
    214       },
    215       "affiliations_disclosed": {
    216         "applies": true,
    217         "answer": true,
    218         "justification": "Author affiliations are clearly listed: MSU Institute for Artificial Intelligence, ISP RAS Research Center for Trusted Artificial Intelligence, Lomonosov Moscow State University, and Innopolis University."
    219       },
    220       "funder_independent_of_outcome": {
    221         "applies": true,
    222         "answer": false,
    223         "justification": "No funding is disclosed, making it impossible to assess funder independence. The ISP RAS 'Research Center for Trusted Artificial Intelligence' affiliation raises questions about whether institutional interests favor particular robustness outcomes."
    224       },
    225       "financial_interests_declared": {
    226         "applies": true,
    227         "answer": false,
    228         "justification": "No competing interests or financial interests statement is present in the paper."
    229       }
    230     },
    231     "contamination": {
    232       "training_cutoff_stated": {
    233         "applies": true,
    234         "answer": false,
    235         "justification": "None of the 10 NIC models have their training data described or training cutoff dates stated. The paper does not discuss what data was used to train any of the codecs."
    236       },
    237       "train_test_overlap_discussed": {
    238         "applies": true,
    239         "answer": false,
    240         "justification": "No discussion of whether KODAK, CITYSCAPES, NIPS 2017, or BSDS images (or similar images) appeared in the training data of any NIC model. KODAK is commonly used in compression research and may well be in training sets."
    241       },
    242       "benchmark_contamination_addressed": {
    243         "applies": true,
    244         "answer": false,
    245         "justification": "KODAK (1991) and other datasets predate all NIC models and are widely used in the compression field. The paper does not discuss whether NIC models may have been trained or tuned on these same benchmarks."
    246       }
    247     },
    248     "human_studies": {
    249       "pre_registered": {
    250         "applies": false,
    251         "answer": false,
    252         "justification": "No human participants in this study."
    253       },
    254       "irb_or_ethics_approval": {
    255         "applies": false,
    256         "answer": false,
    257         "justification": "No human participants in this study."
    258       },
    259       "demographics_reported": {
    260         "applies": false,
    261         "answer": false,
    262         "justification": "No human participants in this study."
    263       },
    264       "inclusion_exclusion_criteria": {
    265         "applies": false,
    266         "answer": false,
    267         "justification": "No human participants in this study."
    268       },
    269       "randomization_described": {
    270         "applies": false,
    271         "answer": false,
    272         "justification": "No human participants in this study."
    273       },
    274       "blinding_described": {
    275         "applies": false,
    276         "answer": false,
    277         "justification": "No human participants in this study."
    278       },
    279       "attrition_reported": {
    280         "applies": false,
    281         "answer": false,
    282         "justification": "No human participants in this study."
    283       }
    284     },
    285     "cost_and_practicality": {
    286       "inference_cost_reported": {
    287         "applies": true,
    288         "answer": false,
    289         "justification": "Section 4.6 lists hardware (120× A100 80GB GPUs) but does not report per-image attack/compression time, total wall-clock time, or any cost metric for running the evaluation."
    290       },
    291       "compute_budget_stated": {
    292         "applies": true,
    293         "answer": false,
    294         "justification": "Hardware is listed (Section 4.6) but total GPU hours, experiment duration, or compute budget are not quantified. With 10 codecs × 6 attacks × 10 losses × 4 datasets × 4 runs, the total compute is likely substantial but unreported."
    295       }
    296     },
    297     "experimental_rigor": {
    298       "seed_sensitivity_reported": {
    299         "applies": true,
    300         "answer": false,
    301         "justification": "Results are averaged across 4 runs with varied parameters but no seed sensitivity analysis is reported and no variance across runs is shown."
    302       },
    303       "number_of_runs_stated": {
    304         "applies": true,
    305         "answer": true,
    306         "justification": "Section 4.6 explicitly states: 'We applied each adversarial attack to each encoder four times with varied attack parameters.'"
    307       },
    308       "hyperparameter_search_budget": {
    309         "applies": true,
    310         "answer": false,
    311         "justification": "Attack parameters (learning rate, iterations, perturbation bound) were varied across 4 configurations but the specific values and selection rationale are not reported."
    312       },
    313       "best_config_selection_justified": {
    314         "applies": true,
    315         "answer": true,
    316         "justification": "The paper averages results across all 4 parameter configurations rather than selecting the best one, avoiding cherry-picking. Section 4.6: 'We then averaged the metrics for all launches.'"
    317       },
    318       "multiple_comparison_correction": {
    319         "applies": false,
    320         "answer": false,
    321         "justification": "No statistical significance tests are performed, so multiple comparison correction is not applicable."
    322       },
    323       "self_comparison_bias_addressed": {
    324         "applies": true,
    325         "answer": false,
    326         "justification": "The authors do not acknowledge potential bias in their evaluation methodology or discuss whether their modified JPEG AI interface could affect results. Section 4.6 notes they made 'minor changes to the interface' but does not discuss how this might bias comparisons."
    327       },
    328       "compute_budget_vs_performance": {
    329         "applies": true,
    330         "answer": false,
    331         "justification": "Different codecs have vastly different computational requirements (noted in Section 2.2 — HOP vs BOP trade off efficiency and complexity) but performance is never reported as a function of compute budget."
    332       },
    333       "benchmark_construct_validity": {
    334         "applies": true,
    335         "answer": false,
    336         "justification": "The paper uses ΔPSNR, ΔVMAF, etc. as robustness measures without discussing whether these metrics adequately capture perceptual robustness or whether the adversarial threat model reflects realistic deployment conditions."
    337       },
    338       "scaffold_confound_addressed": {
    339         "applies": false,
    340         "answer": false,
    341         "justification": "No agentic scaffolding is involved in this study."
    342       }
    343     },
    344     "data_leakage": {
    345       "temporal_leakage_addressed": {
    346         "applies": true,
    347         "answer": false,
    348         "justification": "The evaluation datasets (KODAK 1991, CITYSCAPES 2016, BSDS 2011) all predate the NIC models being tested. The paper does not discuss whether models were tuned on these or similar datasets."
    349       },
    350       "feature_leakage_addressed": {
    351         "applies": true,
    352         "answer": false,
    353         "justification": "No discussion of whether the evaluation setup introduces information leakage. The white-box attack setting is intentional but the potential for evaluation-time information leakage beyond the intended threat model is not discussed."
    354       },
    355       "non_independence_addressed": {
    356         "applies": true,
    357         "answer": false,
    358         "justification": "No discussion of whether evaluation images overlap with or are similar to NIC training data. KODAK is ubiquitous in compression research and very likely in many models' training pipelines."
    359       },
    360       "leakage_detection_method": {
    361         "applies": true,
    362         "answer": false,
    363         "justification": "No leakage detection or prevention methods are used. No analysis of train/test overlap for any of the 10 codecs."
    364       }
    365     }
    366   },
    367   "scan_version": 3,
    368   "active_modules": ["experimental_rigor", "data_leakage"],
    369   "claims": [
    370     {
    371       "claim": "JPEG AI shows relatively high adversarial robustness compared to other NIC models.",
    372       "evidence": "Section 5.2, Fig. 3: ΔVMAF heatmap across all codecs and attacks shows JPEG AI versions with smaller quality drops than most competitors. 'JPEG AI showed relatively high robustness compared to other NIC models.'",
    373       "supported": "moderate"
    374     },
    375     {
    376       "claim": "JPEG AI achieves over 50% bitrate reduction at equivalent VMAF quality compared to mbt2018.",
    377       "evidence": "Section 5.7, Fig. 9: BSQ-rate comparison shows JPEG AI versions (especially 6.1 HOP and 5.1 HOP) at the bottom of the chart with lowest BSQ-rate, indicating largest bitrate savings.",
    378       "supported": "strong"
    379     },
    380     {
    381       "claim": "Adversarial attacks increase compressed image size even when not explicitly targeting BPP.",
    382       "evidence": "Section 5.3, Fig. 4: Shows BPP increase across codecs and bitrates for attacks not targeting BPP. Explained by 'more noise structure of adversarial images, which yields a different rate-distortion trade-off.'",
    383       "supported": "moderate"
    384     },
    385     {
    386       "claim": "JPEG AI's robustness improves with newer versions (6.1 better than 5.1).",
    387       "evidence": "Section 5.2: 'the robustness of JPEG AI improved with a newer version (6.1 compared to 5.1).' Fig. 6 shows decreasing artifacts across versions.",
    388       "supported": "moderate"
    389     },
    390     {
    391       "claim": "Diffusion-based CDC method shows the lowest robustness to adversarial attacks.",
    392       "evidence": "Section 5.2: 'the diffusion-based CDC method showed the lowest robustness to various attacks. This model may be less robust by design.' Visible as worst performer in Fig. 3.",
    393       "supported": "moderate"
    394     },
    395     {
    396       "claim": "Quality degradation from adversarial attacks is primarily due to color artifacts rather than texture artifacts.",
    397       "evidence": "Section 5.4, Fig. 5: Spearman correlation shows Color metric correlates above 0.5 with ΔPSNR (0.72), while Texture metric shows minimal correlation with other metrics. Fig. 6 confirms stronger color artifacts in reconstructed images.",
    398       "supported": "moderate"
    399     },
    400     {
    401       "claim": "Simple reversible defenses (Flip, Random Ensemble, Random Roll) can partially negate adversarial attacks.",
    402       "evidence": "Section 5.6, Fig. 8: ΔPSNR values are lower (better) for Flip, Random Ensemble, and Random Roll compared to no defense.",
    403       "supported": "moderate"
    404     },
    405     {
    406       "claim": "Adversarial attacks on one JPEG AI version transfer to other versions, especially from lower to higher bitrates.",
    407       "evidence": "Section 5.5, Fig. 7: Transferability matrix shows positive Δ̂VMAF values between JPEG AI versions and bitrates, with higher values when transferring from low to high bitrate.",
    408       "supported": "moderate"
    409     }
    410   ],
    411   "methodology_tags": ["benchmark-eval"],
    412   "key_findings": "JPEG AI demonstrates relatively high adversarial robustness compared to other neural image compression codecs, with robustness improving across successive versions (4.1→5.1→6.1). Diffusion-based compression (CDC) is the most vulnerable to adversarial attack. Adversarial attacks on NIC models cause quality degradation primarily through color artifacts, and even attacks not targeting bitrate increase compressed file size. Simple reversible preprocessing defenses (flipping, rolling) can partially mitigate attacks, and adversarial examples transfer between JPEG AI versions, particularly from lower to higher bitrates.",
    413   "red_flags": [
    414     {
    415       "flag": "No uncertainty quantification",
    416       "detail": "All results are averaged across 4 parameter-varied runs with no standard deviation, confidence intervals, or error bars reported. Comparative claims between codecs are made without any statistical tests."
    417     },
    418     {
    419       "flag": "Attack hyperparameters not disclosed",
    420       "detail": "Section 4.6 states attacks were run with 'varied attack parameters (learning rate, number of iterations, and perturbation bound)' but the actual values are not reported, making reproduction impossible."
    421     },
    422     {
    423       "flag": "No limitations section",
    424       "detail": "The paper has no dedicated limitations or threats-to-validity section. Key limitations (white-box only, dataset-specific results, no discussion of real-world deployment scenarios) are not systematically addressed."
    425     },
    426     {
    427       "flag": "Parameter variation conflated with randomness",
    428       "detail": "The 4 runs use different attack parameter settings (learning rate, iterations, perturbation bound) which are then averaged together. This conflates the effect of parameter choice with run-to-run variance, making it impossible to assess the stability of any single configuration."
    429     },
    430     {
    431       "flag": "Potential benchmark familiarity",
    432       "detail": "KODAK (1991) is extremely widely used in compression research and likely present in training pipelines of multiple evaluated codecs. No discussion of whether models were trained or tuned on evaluation datasets."
    433     }
    434   ],
    435   "cited_papers": [
    436     {
    437       "title": "A survey on adversarial attacks and defences",
    438       "authors": ["Anirban Chakraborty", "Manaar Alam", "Vishal Dey", "Anupam Chattopadhyay", "Debdeep Mukhopadhyay"],
    439       "year": 2021,
    440       "relevance": "Comprehensive survey on adversarial robustness techniques, relevant to AI safety and model reliability evaluation."
    441     },
    442     {
    443       "title": "Towards evaluating the robustness of neural networks",
    444       "authors": ["Nicholas Carlini", "David Wagner"],
    445       "year": 2017,
    446       "relevance": "Foundational work on evaluating neural network robustness through adversarial attacks, widely used methodology in AI safety research."
    447     },
    448     {
    449       "title": "Towards deep learning models resistant to adversarial attacks",
    450       "authors": ["Aleksander Madry", "Aleksandar Makelov", "Ludwig Schmidt", "Dimitris Tsipras", "Adrian Vladu"],
    451       "year": 2018,
    452       "relevance": "Introduces PGD attack and adversarial training framework, foundational to adversarial robustness evaluation methodology."
    453     },
    454     {
    455       "title": "Diffusion models for adversarial purification",
    456       "authors": ["Weili Nie", "Brandon Guo", "Yujia Huang", "Chaowei Xiao", "Arash Vahdat", "Anima Anandkumar"],
    457       "year": 2022,
    458       "arxiv_id": "2205.07460",
    459       "relevance": "State-of-the-art adversarial defense using diffusion models, relevant to understanding AI model robustness and defense strategies."
    460     },
    461     {
    462       "title": "A survey on universal adversarial attack",
    463       "authors": ["Chaoning Zhang", "Philipp Benz", "Chenguo Lin", "Adil Karjauv", "Jing Wu", "In So Kweon"],
    464       "year": 2021,
    465       "arxiv_id": "2103.01498",
    466       "relevance": "Survey of universal adversarial attacks applicable across neural network architectures, relevant to AI safety evaluation."
    467     },
    468     {
    469       "title": "Physical adversarial attack meets computer vision: A decade survey",
    470       "authors": ["Hui Wei", "Hao Tang", "Xuemei Jia"],
    471       "year": 2024,
    472       "relevance": "Recent survey on physical adversarial attacks covering real-world deployment safety concerns for neural network systems."
    473     },
    474     {
    475       "title": "Attack and defense analysis of learned image compression",
    476       "authors": ["Tianyu Zhu"],
    477       "year": 2024,
    478       "arxiv_id": "2401.10345",
    479       "relevance": "Directly related work analyzing adversarial robustness of learned image compression systems."
    480     },
    481     {
    482       "title": "Toward robust neural image compression: Adversarial attack and model finetuning",
    483       "authors": ["Tong Chen", "Zhan Ma"],
    484       "year": 2023,
    485       "relevance": "Proposes FTDA attack and geometric self-ensemble defense for neural image compression, foundational methodology adopted in this paper."
    486     },
    487     {
    488       "title": "Comparing the robustness of modern no-reference image- and video-quality metrics to adversarial attacks",
    489       "authors": ["Anastasia Antsiferova", "Khaled Abud", "Aleksandr Gushchin"],
    490       "year": 2024,
    491       "relevance": "Evaluates adversarial robustness of quality assessment models, related work on AI model vulnerability evaluation."
    492     },
    493     {
    494       "title": "Boosting adversarial attacks with momentum",
    495       "authors": ["Yinpeng Dong", "Fangzhou Liao", "Tianyu Pang", "Hang Su", "Jun Zhu", "Xiaolin Hu", "Jianguo Li"],
    496       "year": 2018,
    497       "relevance": "Influential adversarial attack methodology using momentum, widely used in robustness evaluation of neural networks."
    498     }
    499   ],
    500   "engagement_factors": {
    501     "practical_relevance": {
    502       "score": 1,
    503       "justification": "Relevant to image compression researchers and standards bodies but not immediately actionable for general practitioners."
    504     },
    505     "surprise_contrarian": {
    506       "score": 1,
    507       "justification": "Confirms expected vulnerability of neural networks to adversarial attacks; the JPEG AI standard context adds moderate novelty but no fundamental surprise."
    508     },
    509     "fear_safety": {
    510       "score": 2,
    511       "justification": "Demonstrates that the first international neural compression standard (JPEG AI), intended for consumer devices, is vulnerable to adversarial attacks with transferable exploits across versions."
    512     },
    513     "drama_conflict": {
    514       "score": 0,
    515       "justification": "No controversy or conflict; a straightforward evaluation study with results favorable to JPEG AI's relative robustness."
    516     },
    517     "demo_ability": {
    518       "score": 0,
    519       "justification": "Code link is hidden for blind review, so no one can try the evaluation pipeline."
    520     },
    521     "brand_recognition": {
    522       "score": 1,
    523       "justification": "JPEG is a recognized standard but JPEG AI is not yet widely known outside the compression community."
    524     }
    525   }
    526 }
