
How Do Diffusion Models Improve Adversarial Robustness?

Liu Yuezhang, Xue-Xin Wei

TL;DR

Diffusion-model-based adversarial purification does not merely denoise; this work systematically uncovers the mechanisms behind the observed robustness. By dissecting randomness, measuring how purification moves inputs in $\ell_p$ space, and introducing a compression-rate metric, it shows that (i) internal randomness largely drives purification outputs, (ii) a deterministic compression of image space correlates with robust accuracy, and (iii) removing randomness substantially reduces the reported gains. The authors demonstrate that prior robustness estimates were inflated by stochasticity and that, under fixed randomness, the true robustness drops to $23.7\%$ on CIFAR-10 and to $29.5\%$ on ImageNet; the compression rate emerges as a principled, gradient-free predictor of that remaining robustness. They propose a compression-based purification framework and provide actionable guidance for designing more reliable adversarial purification systems: strong clean accuracy at anchor points and meaningful input-space compression around them.

Abstract

Recent findings suggest that diffusion models significantly enhance empirical adversarial robustness. While some intuitive explanations have been proposed, the precise mechanisms underlying these improvements remain unclear. In this work, we systematically investigate how and how well diffusion models improve adversarial robustness. First, we observe that diffusion models intriguingly increase, rather than decrease, the $\ell_p$ distance to clean samples, challenging the intuition that purification denoises inputs closer to the original data. Second, we find that the purified images are heavily influenced by the internal randomness of diffusion models, where a compression effect arises within each randomness configuration. Motivated by this observation, we evaluate robustness under fixed randomness and find that the improvement drops to approximately 24% on CIFAR-10, substantially lower than prior reports approaching 70%. Importantly, we show that this remaining robustness gain strongly correlates with the model's ability to compress the input space, revealing the compression rate as a reliable robustness indicator without requiring gradient-based analysis. Our findings provide novel insights into the mechanisms underlying diffusion-based purification, and offer guidance for developing more effective and principled adversarial purification systems.

Paper Structure

This paper contains 37 sections, 19 equations, 7 figures, 11 tables.

Figures (7)

  • Figure 1: Diffusion models purify states away from the clean images. (a) Schematic showing a common hypothesis that diffusion models improve robustness by "denoising" inputs toward the clean image. (b) Summary of our findings, which challenge the denoising hypothesis. (c) Measured $\ell_2$ distances to clean images on CIFAR-10 during purification. We track the distances between intermediate purified states and clean images, using PGD attacks ($\ell_\infty=8/255$) as initialization. Across all methods, the purified outputs are consistently farther away from the clean image.
  • Figure 2: The variability of the outputs of diffusion models is dominated by intrinsic noise, not variability in the input images. (a--c) Schematics illustrating how diffusion models transform input perturbations under different sources of variability. (a) When the image is fixed and internal noise varies, purification exhibits an expansion of the input space. (b) When the noise is fixed and the image varies, the input space is compressed toward a shared direction. (c) When both image and noise vary, internal randomness dominates, producing an overall expansion. (d) Purification directions under different noise samples for the same image are weakly aligned (mean correlation: 0.22$\pm$0.003). (e) Under fixed noise, purification directions across perturbed images are highly consistent (mean correlation: 0.93$\pm$0.0002). (f) Distribution of $\ell_2$ distances to the centroid. Fixed-noise purification compresses the input ball (radius: 1.004 $\to$ 0.241); varying noise leads to expansion (radius: 1.004 $\to$ 3.282), confirming that internal randomness drives the dominant effect.
  • Figure 3: Diffusion models improve robustness by compressing image space. (a) The singular value spectrum of Jacobian matrices shows that diffusion models strongly compress input space: over 90% of singular values are below 0.25, and only 1.3% exceed 1.0. (b) The compression rate and robustness without stochasticity of diffusion models follow a consistent relation well captured by a sigmoid function. Note that the curve generalizes across different sampling methods and extrapolates smoothly to clean accuracies at the y-intercept. (c) The compression–robustness curve resembles the PGD robustness curve of the base classifier under smaller attack budgets.
  • Figure S1: Additional distance measurements during DiffPure on CIFAR-10.
  • Figure S2: Additional distance measurements during DiffPure on ImageNet.
  • ...and 2 more figures
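The measurements behind Figures 1 to 3 (distance to the clean image before and after purification, the radius of the perturbed input ball under fixed versus varying internal noise, the alignment of purification directions, and the singular-value spectrum of the purifier's Jacobian) can be reproduced on a toy purifier. The block below is an added example and not code from the paper: `purify`, its weights, the clean image and the perturbation ball are all constructed here, and the purifier is deliberately built as a noise-dependent anchor plus a contractive map so that it exhibits the behaviour the captions describe. Taking the compression rate as the fraction of Jacobian singular values below 1 is an assumption made for this example; the paper's exact definition is not on this page. The finite-difference Jacobian is included because on a real, black-box purifier that (or autograd) is how the spectrum would be obtained.

```python
import numpy as np

# Constructed toy purifier standing in for a diffusion-based purifier (not the paper's model).
D = 32                 # toy input dimension; real images are far larger
ANCHOR_SCALE = 4.0     # how strongly the output follows the internal noise (assumption)
CONTRACTION = 0.5      # spectral norm of W2, so the Jacobian norm is at most 0.5

_rng = np.random.default_rng(0)
W1 = _rng.normal(size=(D, D))
W1 /= np.linalg.norm(W1, 2)                # spectral norm exactly 1
W2 = _rng.normal(size=(D, D))
W2 *= CONTRACTION / np.linalg.norm(W2, 2)  # spectral norm exactly CONTRACTION


def purify(x, noise):
    """Toy purifier: noise-dependent anchor plus a contractive map of the input."""
    return ANCHOR_SCALE * noise + W2 @ np.tanh(W1 @ x + noise)


def jacobian(x, noise):
    """Analytic Jacobian of purify with respect to x at fixed internal noise."""
    s = 1.0 - np.tanh(W1 @ x + noise) ** 2     # derivative of tanh, elementwise
    return W2 @ (s[:, None] * W1)


def jacobian_fd(x, noise, eps=1e-5):
    """Central finite-difference Jacobian, usable on a black-box purifier."""
    J = np.zeros((D, D))
    for k in range(D):
        e = np.zeros(D)
        e[k] = eps
        J[:, k] = (purify(x + e, noise) - purify(x - e, noise)) / (2 * eps)
    return J


def jacobian_fd_error():
    """Max absolute gap between analytic and finite-difference Jacobians at a fixed point."""
    x, z = np.zeros(D), np.ones(D)
    return float(np.abs(jacobian(x, z) - jacobian_fd(x, z)).max())


def sample_ball_surface(center, radius, n, rng):
    """n points at ell_2 distance `radius` from center: the perturbed input ball."""
    u = rng.normal(size=(n, D))
    u /= np.linalg.norm(u, axis=1, keepdims=True)
    return center + radius * u


def mean_radius(points):
    """Mean ell_2 distance of a point cloud to its centroid (Figure 2f style)."""
    return float(np.mean(np.linalg.norm(points - points.mean(axis=0), axis=1)))


def mean_alignment(directions):
    """Mean pairwise cosine similarity of purification directions (Figure 2d/e style)."""
    d = directions / np.linalg.norm(directions, axis=1, keepdims=True)
    c = d @ d.T
    n = len(d)
    return float((c.sum() - np.trace(c)) / (n * (n - 1)))


def run_experiment(n=64, radius=1.0, seed=1):
    """Run all four measurements on the toy purifier and return them in one dict."""
    rng = np.random.default_rng(seed)
    x_clean = 0.5 * rng.normal(size=D)                  # constructed "clean image"
    xs = sample_ball_surface(x_clean, radius, n, rng)   # perturbed inputs around it
    fixed_noise = rng.normal(size=D)
    noises = rng.normal(size=(n, D))

    y_fixed = np.array([purify(x, fixed_noise) for x in xs])       # fixed noise, image varies
    y_vary = np.array([purify(x, z) for x, z in zip(xs, noises)])  # noise and image vary
    y_same_img = np.array([purify(xs[0], z) for z in noises])      # one image, noise varies

    sv = np.linalg.svd(jacobian(x_clean, fixed_noise), compute_uv=False)
    return {
        "dist_to_clean_before": float(np.mean(np.linalg.norm(xs - x_clean, axis=1))),
        "dist_to_clean_after": float(np.mean(np.linalg.norm(y_fixed - x_clean, axis=1))),
        "radius_input": mean_radius(xs),
        "radius_fixed_noise": mean_radius(y_fixed),
        "radius_varying_noise": mean_radius(y_vary),
        "alignment_fixed_noise": mean_alignment(y_fixed - xs),
        "alignment_varying_noise": mean_alignment(y_same_img - xs[0]),
        "compression_rate": float(np.mean(sv < 1.0)),   # assumed definition, see lead-in
        "max_singular_value": float(sv.max()),
    }


if __name__ == "__main__":
    for key, value in run_experiment().items():
        print(f"{key:>26}: {value:.4f}")
```

Because the anchor term depends only on the noise, varying it moves every output independently, so the ball expands and the purification directions decorrelate; with the noise held fixed, only the contractive branch sees the input, so the ball shrinks and the directions line up. This is the regime in which the captions report that robustness tracks the compression rate, and the Jacobian spectrum is what a gradient-free evaluation of a purifier would compute instead of running an adaptive attack.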
