SuperPure: Efficient Purification of Localized and Distributed Adversarial Patches via Super-Resolution GAN Models
Hossein Khalili, Seongbin Park, Venkat Bollapragada, Nader Sehatbakhsh
TL;DR
SuperPure tackles the dual demands of robustness to both localized and distributed adversarial patches and low end-to-end latency in vision systems. By iteratively downsampling, GAN-based upsampling, and pixel-wise masking, it purges patch signals while preserving clean image content, with an optional enhancement (SuperPure+) to handle subtle distributed perturbations. Across ImageNet experiments on ViT, EfficientNet, and ResNet, SuperPure outperforms PatchCleanser and PAD in robust accuracy and reduces latency by orders of magnitude, achieving practical deployment viability. The approach remains effective under white-box attacks and generalizes to other datasets and detectors, with open-source code enabling broad adoption.
Abstract
As vision-based machine learning models are increasingly integrated into autonomous and cyber-physical systems, concerns about (physical) adversarial patch attacks are growing. While state-of-the-art defenses can achieve certified robustness with minimal impact on utility against highly-concentrated localized patch attacks, they fall short in two important areas: (i) State-of-the-art methods are vulnerable to low-noise distributed patches where perturbations are subtly dispersed to evade detection or masking, as shown recently by the DorPatch attack; (ii) Achieving high robustness with state-of-the-art methods is extremely time and resource-consuming, rendering them impractical for latency-sensitive applications in many cyber-physical systems. To address both robustness and latency issues, this paper proposes a new defense strategy for adversarial patch attacks called SuperPure. The key novelty is developing a pixel-wise masking scheme that is robust against both distributed and localized patches. The masking involves leveraging a GAN-based super-resolution scheme to gradually purify the image from adversarial patches. Our extensive evaluations using ImageNet and two standard classifiers, ResNet and EfficientNet, show that SuperPure advances the state-of-the-art in three major directions: (i) it improves the robustness against conventional localized patches by more than 20%, on average, while also improving top-1 clean accuracy by almost 10%; (ii) It achieves 58% robustness against distributed patch attacks (as opposed to 0% in state-of-the-art method, PatchCleanser); (iii) It decreases the defense end-to-end latency by over 98% compared to PatchCleanser. Our further analysis shows that SuperPure is robust against white-box attacks and different patch sizes. Our code is open-source.