Diffusion Models for Adversarial Purification (2205.07460v1)

Published 16 May 2022 in cs.LG, cs.CR, and cs.CV

Abstract: Adversarial purification refers to a class of defense methods that remove adversarial perturbations using a generative model. These methods do not make assumptions on the form of attack and the classification model, and thus can defend pre-existing classifiers against unseen threats. However, their performance currently falls behind adversarial training methods. In this work, we propose DiffPure that uses diffusion models for adversarial purification: Given an adversarial example, we first diffuse it with a small amount of noise following a forward diffusion process, and then recover the clean image through a reverse generative process. To evaluate our method against strong adaptive attacks in an efficient and scalable way, we propose to use the adjoint method to compute full gradients of the reverse generative process. Extensive experiments on three image datasets including CIFAR-10, ImageNet and CelebA-HQ with three classifier architectures including ResNet, WideResNet and ViT demonstrate that our method achieves the state-of-the-art results, outperforming current adversarial training and adversarial purification methods, often by a large margin. Project page: https://diffpure.github.io.

Authors (6)

Weili Nie (41 papers)
Brandon Guo (1 paper)
Yujia Huang (12 papers)
Chaowei Xiao (110 papers)
Arash Vahdat (69 papers)
Anima Anandkumar (236 papers)

Citations (343)

View on Semantic Scholar

Summary

Diffusion Models for Adversarial Purification

The paper in question explores the application of diffusion models for adversarial purification in the context of machine learning, an area that has garnered significant interest due to the vulnerability of neural networks to adversarial attacks. Specifically, the authors propose a new method named DiffPure, which utilizes diffusion models to purify adversarially perturbed images before classification. This approach contrasts with traditional adversarial training methods, which often require explicit knowledge of the attack forms and tend to be computationally expensive.

Problem Statement and Methodology

Adversarial attacks in neural networks involve the subtle alteration of input data in a manner that misleads the network into making incorrect predictions. Several defense strategies have been developed, with adversarial training being the most notable. Nevertheless, adversarial training is usually specialized for certain attack types and often fails against others, particularly unseen threats. It is also computationally demanding, which hampers its scalability.

The paper introduces DiffPure, which leverages diffusion models to address these limitations. DiffPure consists of two main stages: a forward diffusion process that introduces noise to the adversarial example, effectively diluting the adversarial perturbations, and a reverse generation process that reconstructs the clean image from this noisy version. The reverse process, based on pre-trained diffusion models, ensures that the reconstructed image aligns well with the original distribution of clean data.

Numerical Results and Discussion

The authors validate DiffPure's method on several datasets, including CIFAR-10, ImageNet, and CelebA-HQ, with various classifier architectures such as ResNet, WideResNet, and Vision Transformers (ViT). The experimental results demonstrate that DiffPure frequently outperforms existing adversarial training and purification methods, achieving state-of-the-art results in terms of robust accuracy across multiple strong adaptive attack benchmarks.

For instance, on the CIFAR-10 dataset under the popular AutoAttack $\ell_\infty$ threat model, DiffPure attains a robust accuracy improvement of up to 5.44% over the leading adversarial training methods with extra data. Similarly, significant accuracy gains are observed on the ImageNet dataset with DiffPure outperforming competitive baselines across both convolutional networks and transformer-based architectures, reinforcing the versatility of the approach.

Theoretical Implications

The theoretical backbone of the proposed method is provided through an analysis of the noise levels necessary during the diffusion process to ensure adversarial perturbations are removed while preserving the essential features of the original data. Additionally, the authors utilize the adjoint method to compute full gradients through the reverse stochastic differential equation, facilitating evaluation against strong adaptive attacks without incurring prohibitive memory costs.

Practical Implications and Future Work

DiffPure showcases notable practical implications in enhancing model robustness while maintaining computational efficiency, thus presenting a compelling alternative to current adversarial training approaches. The ability to defend against unseen and diverse threats in a plug-and-play manner can drive the adoption of diffusion-based purification as a standard practice in robust machine learning system design.

Looking forward, potential developments could focus on accelerating the purification process, reducing inference time while maintaining stochastic robustness. The exploration of diffusion models specifically tailored for adversarial defense could further enrich the field, addressing current limitations such as the sensitivity to color-based perturbations and broadening the applicability of such models in various contexts.

In summary, this paper offers a well-founded and empirically validated contribution to the domain of machine learning security, with implications that stretch beyond mere defense against known attacks to fostering resilience against unforeseen adversarial scenarios.

Related Papers

Find Related Papers

GitHub

Tweets

https://twitter.com/moai_kohitan/status/1857070906863972449

YouTube

Show All Videos