LG / AI / CV, May 21, 2025

Beyond Classification: Evaluating Diffusion Denoised Smoothing for Security-Utility Trade off

arXiv:2505.15594v1 | 1 citation | h-index: 7
Originality: Incremental advance
AI Analysis

This work addresses the security-utility trade-off for foundation models against adversarial attacks, showing limitations of current methods and proposing a new attack, though it appears incremental in scope.

The paper evaluated Diffusion Denoised Smoothing for adversarial robustness beyond classification tasks, finding that high-noise settings degrade performance by up to 57% on clean images while low-noise settings fail to protect against all attacks, and introduced a novel attack targeting the diffusion process.

While foundation models demonstrate impressive performance across various tasks, they remain vulnerable to adversarial inputs. Current research explores various approaches to enhance model robustness, with Diffusion Denoised Smoothing emerging as a particularly promising technique. This method employs a pretrained diffusion model to preprocess inputs before model inference. Yet, its effectiveness remains largely unexplored beyond classification. We aim to address this gap by analyzing three datasets with four distinct downstream tasks under three different adversarial attack algorithms. Our findings reveal that while foundation models maintain resilience against conventional transformations, applying high-noise diffusion denoising to clean images without any distortions significantly degrades performance by as high as 57%. Low-noise diffusion settings preserve performance but fail to provide adequate protection across all attack types. Moreover, we introduce a novel attack strategy specifically targeting the diffusion process itself, capable of circumventing defenses in the low-noise regime. Our results suggest that the trade-off between adversarial robustness and performance remains a challenge to be addressed.
