CaltechAUTHORS
  A Caltech Library Service

Diffusion Models for Adversarial Purification

Nie, Weili and Guo, Brandon and Huang, Yujia and Xiao, Chaowei and Vahdat, Arash and Anandkumar, Anima (2022) Diffusion Models for Adversarial Purification. Proceedings of Machine Learning Research, 162 . pp. 16805-16827. ISSN 2640-3498. https://resolver.caltech.edu/CaltechAUTHORS:20220715-174841781

PDF - Published Version (12MB). See Usage Policy.
PDF - Submitted Version (12MB). See Usage Policy.

Use this Persistent URL to link to this item: https://resolver.caltech.edu/CaltechAUTHORS:20220715-174841781

Abstract

Adversarial purification refers to a class of defense methods that remove adversarial perturbations using a generative model. These methods do not make assumptions on the form of attack and the classification model, and thus can defend pre-existing classifiers against unseen threats. However, their performance currently falls behind adversarial training methods. In this work, we propose DiffPure that uses diffusion models for adversarial purification: Given an adversarial example, we first diffuse it with a small amount of noise following a forward diffusion process, and then recover the clean image through a reverse generative process. To evaluate our method against strong adaptive attacks in an efficient and scalable way, we propose to use the adjoint method to compute full gradients of the reverse generative process. Extensive experiments on three image datasets including CIFAR-10, ImageNet and CelebA-HQ with three classifier architectures including ResNet, WideResNet and ViT demonstrate that our method achieves the state-of-the-art results, outperforming current adversarial training and adversarial purification methods, often by a large margin. Project page: https://diffpure.github.io.


Item Type: Article

Related URLs:
  URL                                              URL Type      Description
  https://proceedings.mlr.press/v162/nie22a.html   Publisher     Article
  http://arxiv.org/abs/2205.07460                  arXiv         Discussion Paper
  https://diffpure.github.io                       Related Item  Project Website

ORCID:
  Author              ORCID
  Huang, Yujia        0000-0001-7667-8342
  Xiao, Chaowei       0000-0002-7043-4926
  Anandkumar, Anima   0000-0002-6974-6797

Additional Information: © 2022 by the author(s). We would like to thank the AIALGO team at NVIDIA and Anima Anandkumar’s research group at Caltech for reading the paper and providing fruitful suggestions. We also thank the anonymous reviewers for helpful comments.
Record Number: CaltechAUTHORS:20220715-174841781
Persistent URL: https://resolver.caltech.edu/CaltechAUTHORS:20220715-174841781
Usage Policy: No commercial reproduction, distribution, display or performance rights in this work are provided.
ID Code: 115623
Collection: CaltechAUTHORS
Deposited By: George Porter
Deposited On: 18 Jul 2022 15:19
Last Modified: 27 Jul 2022 17:26
