Purify++: Improving Diffusion-Purification with Advanced Diffusion Models and Control of Randomness

TL;DR

Purify++ advances diffusion-based adversarial purification by integrating improved models, simulation techniques, and randomness control, establishing a new state-of-the-art defense against adversarial attacks.

Contribution

The paper introduces Purify++, a novel diffusion purification method that enhances existing techniques through systematic improvements and optimal randomness control.

Findings

Purify++ outperforms previous diffusion purification methods.

It achieves state-of-the-art robustness against multiple adversarial attacks.

Systematic exploration of diffusion purification limits.

Abstract

Adversarial attacks can mislead neural network classifiers. The defense against adversarial attacks is important for AI safety. Adversarial purification is a family of approaches that defend adversarial attacks with suitable pre-processing. Diffusion models have been shown to be effective for adversarial purification. Despite their success, many aspects of diffusion purification still remain unexplored. In this paper, we investigate and improve upon three limiting designs of diffusion purification: the use of an improved diffusion model, advanced numerical simulation techniques, and optimal control of randomness. Based on our findings, we propose Purify++, a new diffusion purification algorithm that is now the state-of-the-art purification method against several adversarial attacks. Our work presents a systematic exploration of the limits of diffusion purification methods.