Adversarially Robust Industrial Anomaly Detection Through Diffusion Model

Yuanpu Cao, Lu Lin, Jinghui Chen

TL;DR

This work tackles the adversarial vulnerability of industrial anomaly detectors by showing that naive purification can erase genuine anomaly signals. It introduces AdvRAD, a diffusion-model framework that simultaneously performs anomaly detection and adversarial purification through robust reconstruction, enabling real-time one-shot denoising and a multiscale reconstruction-error-based anomaly score. The method is extended with randomized smoothing to provide certified $l_2$-norm robustness and is validated on MVTec AD, ViSA, and BTAD, where it achieves superior robust AUC while maintaining competitive standard AUC. A comprehensive set of experiments against state-of-the-art detectors, diffusion-based baselines, and adaptive attacks demonstrates strong practical robustness and competitive detection performance, highlighting AdvRAD’s potential for reliable industrial deployment.

Abstract

Deep learning-based industrial anomaly detection models have achieved remarkably high accuracy on commonly used benchmark datasets. However, the robustness of those models may not be satisfactory due to the existence of adversarial examples, which pose significant threats to the practical deployment of deep anomaly detectors. Recently, it has been shown that diffusion models can be used to purify adversarial noise and thus build a robust classifier against adversarial attacks. Unfortunately, we found that naively applying this strategy in anomaly detection (i.e., placing a purifier before an anomaly detector) will suffer from a high anomaly miss rate, since the purifying process can easily remove both the anomaly signal and the adversarial perturbations, causing the later anomaly detector to fail to detect anomalies. To tackle this issue, we explore the possibility of performing anomaly detection and adversarial purification simultaneously. We propose a simple yet effective adversarially robust anomaly detection method, AdvRAD, that allows the diffusion model to act both as an anomaly detector and adversarial purifier. We also extend our proposed method for certified robustness to $l_2$ norm bounded perturbations. Through extensive experiments, we show that our proposed method exhibits outstanding (certified) adversarial robustness while also maintaining equally strong anomaly detection performance on par with the state-of-the-art methods on industrial anomaly detection benchmark datasets.

Paper Structure (32 sections, 1 theorem, 7 equations, 2 figures, 21 tables, 4 algorithms)

This paper contains 32 sections, 1 theorem, 7 equations, 2 figures, 21 tables, 4 algorithms.

Key Result

Theorem 5.1

[Smoothed AdvRAD] Given a well-trained AdvRAD detector $A_{{\bm{\theta}}}({\mathbf{x}})$, for any given threshold $h$ and $\bm{\delta} \sim \mathcal{N}(0, \sigma^2\mathbf{I})$, if it satisfies $\mathbb{P}[A_{{\bm{\theta}}}({\mathbf{x}}+\bm{\delta}) > h] \geq p_{\text{anomaly}}(h) > 1/2$, then $\math
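
The following is an added example, not code from the paper or its authors, of checking the condition in Theorem 5.1 by Monte Carlo sampling. The theorem's conclusion is cut off on this page, so the radius $\sigma\,\Phi^{-1}(p)$ used below is the standard randomized-smoothing bound for a binary decision, taken here as an assumption; `anomaly_score`, `make_part`, the toy signal and every parameter value are constructed stand-ins for $A_{\theta}$ and its inputs.

```python
import math
import random
from statistics import NormalDist

WINDOW = 8  # constructed toy setting, not from the paper


def anomaly_score(x):
    """Hypothetical stand-in for A_theta(x): worst windowed mean absolute
    deviation from a nominal all-zero part (a toy reconstruction error)."""
    return max(sum(abs(v) for v in x[i:i + WINDOW]) / WINDOW
               for i in range(len(x) - WINDOW + 1))


def make_part(defect_amplitude=0.0, length=64):
    """Constructed sample input: a flat signal with an optional 8-sample defect."""
    x = [0.0] * length
    for i in range(20, 28):
        x[i] = defect_amplitude
    return x


def certify(x, h, sigma, n=1000, alpha=0.001, seed=0):
    """Estimate P[A(x + delta) > h] for delta ~ N(0, sigma^2 I) and return
    (label, certified l2 radius), or (None, 0.0) to abstain."""
    rng = random.Random(seed)
    hits = sum(anomaly_score([v + rng.gauss(0.0, sigma) for v in x]) > h
               for _ in range(n))
    p_hat = hits / n
    # One-sided Hoeffding bound: each lower bound fails with probability <= alpha.
    eps = math.sqrt(math.log(1.0 / alpha) / (2.0 * n))
    for label, p in (("anomaly", p_hat), ("normal", 1.0 - p_hat)):
        p_lower = p - eps
        if p_lower > 0.5:  # the theorem's p_anomaly(h) > 1/2 condition
            # Assumed standard smoothing radius: sigma * Phi^{-1}(p_lower)
            return label, sigma * NormalDist().inv_cdf(p_lower)
    return None, 0.0  # too little evidence: abstain rather than certify


if __name__ == "__main__":
    for name, part in (("defective", make_part(3.0)), ("nominal", make_part())):
        print(name, certify(part, h=1.5, sigma=0.5))
    print("few samples", certify(make_part(3.0), h=1.5, sigma=0.5, n=10))
```

With only 10 samples the confidence bound cannot exceed 1/2, so the procedure abstains even on an obvious defect; the certified radius grows with both the sample count and $\sigma$.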

Figures (2)

  • Figure 1: Left: purification-based adversarial robust model in the traditional classification task. Right: purification-based adversarial robust anomaly detection model. The anomaly signal can also be erased during the purification process leading to a high anomaly miss rate.
  • Figure 2: Reconstruction results of normal data, anomalous data, and adversarially perturbed data using our model. The observed reconstruction is robust to adversarial noise.

Theorems & Definitions (1)

  • Theorem 5.1