Divide and Conquer: Heterogeneous Noise Integration for Diffusion-based Adversarial Purification
This work addresses adversarial attacks in machine learning models by improving purification efficiency, though it is incremental as it builds on existing diffusion-based approaches.
The paper tackles the problem of diffusion-based adversarial purification by introducing a heterogeneous noise strategy that applies higher-intensity noise to model-focused pixels and lower-intensity noise elsewhere, achieving substantial performance gains over existing methods across three datasets.
Existing diffusion-based purification methods aim to disrupt adversarial perturbations by introducing a certain amount of noise through a forward diffusion process, followed by a reverse process to recover clean examples. However, this approach is fundamentally flawed: the uniform operation of the forward process across all pixels compromises normal pixels while attempting to combat adversarial perturbations, resulting in the target model producing incorrect predictions. Simply relying on low-intensity noise is insufficient for effective defense. To address this critical issue, we implement a heterogeneous purification strategy grounded in the interpretability of neural networks. Our method decisively applies higher-intensity noise to specific pixels that the target model focuses on while the remaining pixels are subjected to only low-intensity noise. This requirement motivates us to redesign the sampling process of the diffusion model, allowing for the effective removal of varying noise levels. Furthermore, to evaluate our method against strong adaptative attack, our proposed method sharply reduces time cost and memory usage through a single-step resampling. The empirical evidence from extensive experiments across three datasets demonstrates that our method outperforms most current adversarial training and purification techniques by a substantial margin.