Adversarial purification with Score-based generative models

TL;DR

This paper introduces a fast and robust adversarial purification method using a Score-based EBM trained with Denoising Score-Matching, which effectively defends against various attacks with fewer steps and added randomness.

Contribution

The paper proposes a novel adversarial purification approach using a Score-based EBM trained with DSM that requires fewer steps and incorporates random noise for enhanced robustness.

Findings

Achieves rapid purification within a few steps.

Demonstrates robustness against various adversarial attacks.

Outperforms existing purification methods in effectiveness.

Abstract

While adversarial training is considered as a standard defense method against adversarial attacks for image classifiers, adversarial purification, which purifies attacked images into clean images with a standalone purification model, has shown promises as an alternative defense method. Recently, an Energy-Based Model (EBM) trained with Markov-Chain Monte-Carlo (MCMC) has been highlighted as a purification model, where an attacked image is purified by running a long Markov-chain using the gradients of the EBM. Yet, the practicality of the adversarial purification using an EBM remains questionable because the number of MCMC steps required for such purification is too large. In this paper, we propose a novel adversarial purification method based on an EBM trained with Denoising Score-Matching (DSM). We show that an EBM trained with DSM can quickly purify attacked images within a few steps. We further introduce a simple yet effective randomized purification scheme that injects random noises into images before purification. This process screens the adversarial perturbations imposed on images by the random noises and brings the images to the regime where the EBM can denoise well. We show that our purification method is robust against various attacks and demonstrate its state-of-the-art performances.