CVAI, May 25, 2023

Diffusion-Based Adversarial Sample Generation for Improved Stealthiness and Controllability

arXiv:2305.16494v3 | 92 citations | Has Code
Originality: Incremental advance

AI Analysis

This paper addresses the trade-off between strength and stealthiness in adversarial attacks on neural networks, offering a more controllable and stable approach for tasks such as digital and physical attacks. It is incremental in that it builds on existing gradient-based and diffusion techniques.

The paper tackles the problem of generating adversarial samples that are both effective and stealthy by proposing Diff-PGD, a framework that uses diffusion models to guide gradient-based attacks, resulting in samples with better transferability and anti-purification power compared to traditional methods.

Neural networks are known to be susceptible to adversarial samples: small variations of natural examples crafted to deliberately mislead the models. While they can be easily generated using gradient-based techniques in digital and physical scenarios, they often differ greatly from the actual data distribution of natural images, resulting in a trade-off between strength and stealthiness. In this paper, we propose a novel framework dubbed Diffusion-Based Projected Gradient Descent (Diff-PGD) for generating realistic adversarial samples. By exploiting a gradient guided by a diffusion model, Diff-PGD ensures that adversarial samples remain close to the original data distribution while maintaining their effectiveness. Moreover, our framework can be easily customized for specific tasks such as digital attacks, physical-world attacks, and style-based attacks. Compared with existing methods for generating natural-style adversarial samples, our framework enables the separation of optimizing adversarial loss from other surrogate losses (e.g., content/smoothness/style loss), making it more stable and controllable. Finally, we demonstrate that the samples generated using Diff-PGD have better transferability and anti-purification power than traditional gradient-based methods. Code will be released at https://github.com/xavihart/Diff-PGD

Code Implementations: 1 repo

Foundations

The foundational work for this paper's niche, ranked by how specifically the neighbourhood builds on it — not by global fame.