Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Classifier Guidance Enhances Diffusion-based Adversarial Purification by Preserving Predictive Information

Mingkun Zhang, Jianing Li, Wei Chen, Jiafeng Guo, Xueqi Cheng

TL;DR

This work introduces COUP, a classifier-confidence guided purification method that enhances diffusion-based adversarial purification by preserving predictive information and avoiding decision-boundary regions. By augmenting the reverse-time diffusion with a gradient term derived from the classifier's confidence, COUP reduces label-shift risk and bounds purification distortion, yielding improved robustness against strong attacks such as AutoAttack and BPDA+EOT on CIFAR-10/100. Theoretical results justify the design with propositions on label stability and $l_2$ purification bounds, while extensive experiments demonstrate consistent robustness gains across backbone architectures and attack settings. The approach leverages off-the-shelf diffusion models and classifiers, achieving superior performance without bespoke adversarial training, and offers practical insights into the trade-offs between denoising strength and information preservation in diffusion-based purification.

Abstract

Adversarial purification is one of the promising approaches to defend neural networks against adversarial attacks. Recently, methods utilizing diffusion probabilistic models have achieved great success for adversarial purification in image classification tasks. However, such methods fall into the dilemma of balancing the needs for noise removal and information preservation. This paper points out that existing adversarial purification methods based on diffusion models gradually lose sample information during the core denoising process, causing occasional label shift in subsequent classification tasks. As a remedy, we suggest to suppress such information loss by introducing guidance from the classifier confidence. Specifically, we propose Classifier-cOnfidence gUided Purification (COUP) algorithm, which purifies adversarial examples while keeping away from the classifier decision boundary. Experimental results show that COUP can achieve better adversarial robustness under strong attack methods.

Classifier Guidance Enhances Diffusion-based Adversarial Purification by Preserving Predictive Information

TL;DR

This work introduces COUP, a classifier-confidence guided purification method that enhances diffusion-based adversarial purification by preserving predictive information and avoiding decision-boundary regions. By augmenting the reverse-time diffusion with a gradient term derived from the classifier's confidence, COUP reduces label-shift risk and bounds purification distortion, yielding improved robustness against strong attacks such as AutoAttack and BPDA+EOT on CIFAR-10/100. Theoretical results justify the design with propositions on label stability and purification bounds, while extensive experiments demonstrate consistent robustness gains across backbone architectures and attack settings. The approach leverages off-the-shelf diffusion models and classifiers, achieving superior performance without bespoke adversarial training, and offers practical insights into the trade-offs between denoising strength and information preservation in diffusion-based purification.

Abstract

Adversarial purification is one of the promising approaches to defend neural networks against adversarial attacks. Recently, methods utilizing diffusion probabilistic models have achieved great success for adversarial purification in image classification tasks. However, such methods fall into the dilemma of balancing the needs for noise removal and information preservation. This paper points out that existing adversarial purification methods based on diffusion models gradually lose sample information during the core denoising process, causing occasional label shift in subsequent classification tasks. As a remedy, we suggest to suppress such information loss by introducing guidance from the classifier confidence. Specifically, we propose Classifier-cOnfidence gUided Purification (COUP) algorithm, which purifies adversarial examples while keeping away from the classifier decision boundary. Experimental results show that COUP can achieve better adversarial robustness under strong attack methods.
Paper Structure (41 sections, 2 theorems, 38 equations, 6 figures, 4 tables)

This paper contains 41 sections, 2 theorems, 38 equations, 6 figures, 4 tables.

Table of Contents

  1. Related Work
  2. Objective of Adversarial Purification
  3. Classifier-Confidence Guided Purification
  4. Methodology
  5. Score-based Diffusion Models
  6. Purification with Guidance of Classifier Confidence
  7. The COUP Algorithm
  8. Adaptive Attack
  9. Analysis of COUP
  10. Experiments
  11. Experimental Settings
  12. Comparison with Related Work
  13. AutoAttack
  14. BPDA
  15. Experimental Analysis
  16. ...and 26 more sections

Key Result

Proposition 1

If for any $t\in[0,1]$ and $x>0$, there is $f_0(x,t)<f_1(x,t)$ and $f_0(x,t)$ is strictly monotonically increasing w.r.t. $x$, then

Figures (6)

  • Figure 1: The distinction between the existing purification method and classifier-confidence guided purification is elucidated in terms of (a) purification objective and (b) visualization of the purification path and (c) the resultant purified image. In (a), the blue curve and green curve represent $p(x|y=0)$ and $p(x|y=1)$, respectively. The orange dotted line indicates the optimization objective ($p(x)$ or $\max_{y} p(x | y)$) and the direction of the gradient is shown accordingly by the orange arrow. This comparison underscores the importance of classifier confidence guidance in directing the purification process toward the category center. The purification approach outlined in (b) demonstrates that classifier guidance effectively preserves essential predictive information, which is crucial for successful classification. Furthermore, the purified images shown in (c) serve as evidence that classifier guidance retains information necessary for enhanced purification quality.
  • Figure 2: (a) Expectation of disminative confidence $\hat{p}(y|\boldsymbol{x})$ of WRN-28-10 on label $y_{\mathrm{true}}$ and adversarial label $y_{\mathrm{adv}}$ over 14 bad cases of reverse-time SDE. (b) Robustness of different denoising methods, including the forward-reverse-time SDE (DiffPure) and the reverse-time SDE only (COUP and COUP w/o Guidance) under different classifier backbones. (c) Robustness of SOTA adversarial training method wang2023better (marked as Adv. CLS), in both the cross (trained under different $l_p$ norm with evaluation) and non-cross settings, and combined with our COUP against APGD-ce.
  • Figure 3: (a) The 2-Gaussian toy data and classifier with noise level $c=1$. (b) Label flip probability under different noise levels $c$ and guidance weight $\lambda$ on 2-Gaussian toy data.
  • Figure 4: Accuracy and Robustness against APGD-ce under $l_{\infty} (\epsilon=8/255)$ threat model for (a) variant purification timestep $t^*$ and (b) variant weight of guidance $\lambda$.
  • Figure 5: Purified images by DiffPure, SDE, COUP.
  • ...and 1 more figures

Theorems & Definitions (2)

  • Proposition 1
  • Proposition 2