Sample-specific Noise Injection for Diffusion-based Adversarial Purification
Authors: Yuhao Sun, Jiacheng Zhang, Zesheng Ye, Chaowei Xiao, Feng Liu
ICML 2025 | Venue PDF | Archive PDF | Plain Text | LLM Run Details
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | Through extensive evaluations on benchmark image datasets such as CIFAR-10 (Krizhevsky et al., 2009) and Image Net-1K (Deng et al., 2009), we demonstrate the effectiveness of SSNI in Section 5. Specifically, combined with different DBP methods (Nie et al., 2022; Xiao et al., 2023; Lee & Kim, 2023), SSNI can boost clean accuracy and robust accuracy simultaneously by a notable margin against the well-designed adaptive white-box attack (see Section 5.2). |
| Researcher Affiliation | Academia | 1School of Computing and Information Systems, The University of Melbourne 2University of Wisconsin, Madison. Correspondence to: Feng Liu <EMAIL>. |
| Pseudocode | Yes | Algorithm 1 Diffusion-based Purification with SSNI. Algorithm 2 Adaptive white-box PGD+EOT attack for SSNI. Algorithm 3 Adaptive white-box BPDA+EOT attack. |
| Open Source Code | Yes | Our code is available at: https: //github.com/tmlr-group/SSNI. |
| Open Datasets | Yes | Through extensive evaluations on benchmark image datasets such as CIFAR-10 (Krizhevsky et al., 2009) and Image Net-1K (Deng et al., 2009) |
| Dataset Splits | Yes | Following Lee & Kim (2023), we use a fixed subset of 512 randomly sampled images for all evaluations due to high computational cost of applying adaptive white-box attacks to DBP methods. |
| Hardware Specification | Yes | We conduct each of the experiments on up to 4 NVIDIA A100 GPUs (see https://github.com/tmlr-group/SSNI). |
| Software Dependencies | Yes | We implemented our code on Python version 3.8, CUDA version 12.2.0, and Py Torch version 2.0.1 with Slurm Workload Manager. |
| Experiment Setup | Yes | Diff Pure chooses optimal t = 100 and t = 75 on CIFAR-10 against threat models ℓ (ϵ = 8/255) and ℓ2(ϵ = 0.5), respectively. It also tests on high-resolution dataset like Image Net-1K with t = 150 against threat models ℓ (ϵ = 4/255). ... following Lee & Kim (2023), we mainly use adaptive white-box PGD+EOT attack with 200 PGD iterations for CIFAR-10 and 20 PGD iterations for Image Net-1K. We use 20 EOT iterations for all experiments to mitigate the stochasticity introduced by the diffusion models. ... We investigate how the temperature coefficient τ in Eq. (8) affects the performance of SSNI-N against adaptive white-box PGD+EOT ℓ (ϵ = 8/255) attack on CIFAR-10 in Figure 4. ... we choose τ = 20 for the non-linear reweighting function to optimize the accuracy-robustness trade-off for DBP methods. |