AdvDiff: Generating Unrestricted Adversarial Examples using Diffusion Models

TL;DR

AdvDiff introduces a novel diffusion model-based approach for generating realistic unrestricted adversarial examples, effectively bypassing defenses and outperforming existing methods on large-scale datasets like ImageNet.

Contribution

The paper presents two new adversarial guidance techniques for diffusion models, enabling stable and high-quality adversarial example generation with interpretability.

Findings

AdvDiff outperforms state-of-the-art attack methods on MNIST and ImageNet.

Generated adversarial examples are realistic and effective in fooling classifiers.

The approach demonstrates stability and interpretability in adversarial sampling.

Abstract

Unrestricted adversarial attacks present a serious threat to deep learning models and adversarial defense techniques. They pose severe security problems for deep learning applications because they can effectively bypass defense mechanisms. However, previous attack methods often directly inject Projected Gradient Descent (PGD) gradients into the sampling of generative models, which are not theoretically provable and thus generate unrealistic examples by incorporating adversarial objectives, especially for GAN-based methods on large-scale datasets like ImageNet. In this paper, we propose a new method, called AdvDiff, to generate unrestricted adversarial examples with diffusion models. We design two novel adversarial guidance techniques to conduct adversarial sampling in the reverse generation process of diffusion models. These two techniques are effective and stable in generating high-quality, realistic adversarial examples by integrating gradients of the target classifier interpretably. Experimental results on MNIST and ImageNet datasets demonstrate that AdvDiff is effective in generating unrestricted adversarial examples, which outperforms state-of-the-art unrestricted adversarial attack methods in terms of attack performance and generation quality.