Oct 22, 2024

Test-time Adversarial Defense with Opposite Adversarial Path and High Attack Time Cost

arXiv:2410.16805v2 · 1 citation · h-index: 2
Originality: Incremental advance
AI Analysis

This work addresses adversarial robustness for deep learning systems, offering a plug-in defense method that incrementally improves test-time security.

The paper tackles the vulnerability of deep learning models to adversarial attacks by proposing a test-time defense method that uses diffusion-based recovery along opposite adversarial paths to purify inputs, achieving improved robust accuracy with a detailed analysis of attack time costs.

Deep learning models are known to be vulnerable to adversarial attacks that inject carefully designed perturbations into input data. Training-time defenses still exhibit a significant performance gap between natural accuracy and robust accuracy. In this paper, we investigate a new test-time adversarial defense method via diffusion-based recovery along opposite adversarial paths (OAPs). We present a purifier that can be plugged into a pre-trained model to resist adversarial attacks. Different from prior art, the key idea is excessive denoising or purification: the opposite adversarial direction is integrated with reverse diffusion to push the input image further along the opposite adversarial direction. For the first time, we also exemplify the pitfall of conducting AutoAttack (Rand) against diffusion-based defense methods. Through the lens of time complexity, we examine the trade-off between the effectiveness of an adaptive attack and its computational complexity against our defense. Experimental evaluation along with time cost analysis verifies the effectiveness of the proposed method.
