AdvAD: Exploring Non-Parametric Diffusion for Imperceptible Adversarial Attacks

Jin Li, Ziqiang He, Anwei Luo, Jian-Fang Hu, Z. Jane Wang, Xiangui Kang

TL;DR

AdvAD reframes imperceptible adversarial attacks as a non-parametric diffusion process initiated from fixed noise, guided at each step by AMG and constrained by PC to minimize perceptual perturbations. It eliminates the need for extra networks by leveraging the attacked model itself to generate adversarial guidance, and grounds the approach in diffusion theory (DDIM/conditional sampling) with provable bounds on perturbation behavior. An enhanced AdvAD-X version introduces Dynamic Guidance Injection and CAM-based suppression to push performance toward an extreme, idealized limit, while maintaining theoretical interpretability. Extensive experiments across four architectures on an ImageNet-like dataset show AdvAD achieves near-perfect attack success with substantially lower perturbation strength and favorable perceptual metrics, outperforming existing imperceptible attack methods and demonstrating robust behavior under defenses. The work suggests a general, theoretically grounded diffusion-based attack framework with potential implications for understanding DNN robustness and guiding defense strategies, including in high-precision floating-point regimes.

Abstract

Imperceptible adversarial attacks aim to fool DNNs by adding imperceptible perturbation to the input data. Previous methods typically improve the imperceptibility of attacks by integrating common attack paradigms with specifically designed perception-based losses or the capabilities of generative models. In this paper, we propose Adversarial Attacks in Diffusion (AdvAD), a novel modeling framework distinct from existing attack paradigms. AdvAD innovatively conceptualizes attacking as a non-parametric diffusion process by theoretically exploring basic modeling approach rather than using the denoising or generation abilities of regular diffusion models requiring neural networks. At each step, much subtler yet effective adversarial guidance is crafted using only the attacked model without any additional network, which gradually leads the end of diffusion process from the original image to a desired imperceptible adversarial example. Grounded in a solid theoretical foundation of the proposed non-parametric diffusion process, AdvAD achieves high attack efficacy and imperceptibility with intrinsically lower overall perturbation strength. Additionally, an enhanced version AdvAD-X is proposed to evaluate the extreme of our novel framework under an ideal scenario. Extensive experiments demonstrate the effectiveness of the proposed AdvAD and AdvAD-X. Compared with state-of-the-art imperceptible attacks, AdvAD achieves an average of 99.9$\%$ (+17.3$\%$) ASR with 1.34 (-0.97) $l_2$ distance, 49.74 (+4.76) PSNR and 0.9971 (+0.0043) SSIM against four prevalent DNNs with three different architectures on the ImageNet-compatible dataset. Code is available at https://github.com/XianguiKang/AdvAD.

Paper Structure

This paper contains 33 sections, 6 theorems, 46 equations, 10 figures, 6 tables, 2 algorithms.

Key Result

Theorem 1

Given diffusion coefficients $\alpha_{T:0}\in(0,1]^T$, the $\boldsymbol{x}_{ori}$, $\boldsymbol{\Bar{x}}_{t}$, $\boldsymbol{\epsilon}_0$ from the original trajectory, $\boldsymbol{\Hat{x}}_{t}$, $\boldsymbol{\Hat{\epsilon}}_{t}$ from the modified trajectory, and a variable $\xi$, if $\boldsymbol{\Ha for all $t\in[T:1]$, then it follows that $\|\boldsymbol{\Hat{x}}_{t} - \boldsymbol{\Bar{x}}_{t}\|_

Figures (10)

  • Figure 1: Overview of the proposed Adversarial Attacks in Diffusion (AdvAD) that models the attack as a non-parametric diffusing process. At each step, Attacked Model Guidance (AMG) module adopts the non-Markovian process for approximating $\boldsymbol{x}_{adv}$ using $\boldsymbol{\hat{x}}_{t}^0$ to craft adversarial guidance and injects it into the initialized diffusion noise, then Pixel-level Constraint (PC) module imposes restriction to produce the noise for the next step and serves to control the whole process precisely.
  • Figure 2: Visualizations of adversarial examples and corresponding perturbations crafted by nine imperceptible attacks. Perturbations are amplified as marked in top-right for the convenience of observation. Please zoom in to observe the details of the images with original resolution of $224\times224$.
  • Figure 3: Robustness on JPEG compression and Bit-depth reduction with different factors.
  • Figure 4: Results of imperceptible attacks against random smoothing defense. Adversarial examples are crafted using only the base model, and then 100 rounds of random smoothing are applied to obtain the final ASR. $\sigma$ is the variance of smoothing noise.
  • Figure 5: More results of (a) effect of step $T$ on AdvAD and (b) transferability-imperceptibility relationship of attacks.
  • ...and 5 more figures

Theorems & Definitions (9)

  • Theorem 1
  • Proposition 1
  • Proposition 2
  • Theorem 1
  • Proof 1
  • Proposition 1
  • Proof 2
  • Proposition 2
  • Proof 3