Diffusion-based Adversarial Purification from the Perspective of the Frequency Domain

Authors: Gaozheng Pei, Ke Ma, Yingfei Sun, Qianqian Xu, Qingming Huang

ICML 2025

| Reproducibility Variable | Result | LLM Response |
| --- | --- | --- |
| Research Type | Experimental | Empirical evidence from extensive experiments demonstrates that our method significantly outperforms most current defense methods. |
| Researcher Affiliation | Academia | ¹School of Electronic, Electrical and Communication Engineering, UCAS, Beijing. ²Key Laboratory of Intelligent Information Processing, Institute of Computing Technology, CAS, Beijing. ³School of Computer Science and Technology, UCAS, Beijing. ⁴Key Laboratory of Big Data Mining and Knowledge Management, UCAS, Beijing. Correspondence to: Ke Ma <EMAIL>, Qingming Huang <EMAIL>. |
| Pseudocode | Yes | Algorithm 1 Sampling Process. Require: Sample $x_{adv}$, timestep $t$. 1: $x_t \sim \mathcal{N}(0, I)$ 2: for $t = t, \ldots, 1$ do 3: $x_{0\mid t} = \frac{1}{\sqrt{\alpha_t}}\left(x_t - Z_\theta(x_t, t)\sqrt{1-\alpha_t}\right)$ 4: $(A_{x_{0\mid t}}, P_{x_{0\mid t}}) = \mathrm{DCT}(x_{0\mid t})$ 5: $(A_{x_{adv}}, P_{x_{adv}}) = \mathrm{DCT}(x_{adv})$ 6: // Amplitude Spectrum Exchange 7: $\hat{A}_{x_{0\mid t}} = A_{x_{0\mid t}}(1 - H_A) + A_{x_0} H_A$ 8: // Phase Spectrum Projection 9: $\hat{P}_{x_{0\mid t}} = \Pi_{P_L+\delta}(P_L) + P_{x_{0\mid t}}(1 - H_P)$ 10: // Next State Generation 11: $\hat{x}_{0\mid t} = \mathrm{iDCT}(\hat{A}_{x_{0\mid t}}, \hat{P}_{x_{0\mid t}})$ 12: $x_{t-1} \sim p(x_{t-1} \mid x_t, \hat{x}_{0\mid t})$ 13: end for 14: Output $x_0$ |
| Open Source Code | Yes | Code is available at https://github.com/GaozhengPei/FreqPure. |
| Open Datasets | Yes | Three datasets are utilized for evaluation: CIFAR-10 (Krizhevsky & Hinton, 2009), SVHN and ImageNet (Deng et al., 2009). |
| Dataset Splits | Yes | Three datasets are utilized for evaluation: CIFAR-10 (Krizhevsky & Hinton, 2009), SVHN and ImageNet (Deng et al., 2009). ... Given the significant computational expense associated with evaluating models against adaptive attacks, we randomly sample a fixed subset of 512 images from the test set for robust evaluation, consistent with (Nie et al., 2022; Lee & Kim, 2023; Song et al., 2024; Lin et al., 2024; Bai et al., 2024). |
| Hardware Specification | No | The paper does not provide specific hardware details (e.g., exact GPU/CPU models, processor types with speeds, memory amounts, or detailed computer specifications) used for running its experiments. It only mentions pre-trained models from NVIDIA and guided-diffusion library, which are sources of models, not hardware specifications for their own runs. |
| Software Dependencies | No | The paper mentions the 'TorchVision library' as a source for classifier weights and 'RobustBench' for comparison, but it does not specify any version numbers for these or any other software dependencies such as Python, PyTorch, CUDA, or other relevant libraries. |
| Experiment Setup | Yes | Diffusion-based purification methods are evaluated using the PGD attack with 200 update iterations, while BPDA and AutoAttack are assessed with 100 update iterations, except for ImageNet, which utilizes 20 iterations. The number of EOT is set to 20, and the step size is 0.007. ... From Figure 5, we can see that the best performance is achieved when $D_A = 3$ and $D_P = 2$, $\delta = 0.2$. |