ZeroPur: Succinct Training-Free Adversarial Purification

TL;DR

ZeroPur is a training-free adversarial purification method that effectively defends against unseen attacks by projecting adversarial images onto the natural image manifold without external models or retraining.

Contribution

ZeroPur introduces a simple, training-free purification technique that relies solely on victim classifiers, avoiding retraining or external generative models, and achieves state-of-the-art robustness.

Findings

Achieves state-of-the-art robustness on CIFAR-10, CIFAR-100, and ImageNet-1K.

Operates without external models or retraining of classifiers.

Demonstrates effectiveness across various classifier architectures.

Abstract

Adversarial purification is a kind of defense technique that can defend against various unseen adversarial attacks without modifying the victim classifier. Existing methods often depend on external generative models or cooperation between auxiliary functions and victim classifiers. However, retraining generative models, auxiliary functions, or victim classifiers relies on the domain of the fine-tuned dataset and is computation-consuming. In this work, we suppose that adversarial images are outliers of the natural image manifold, and the purification process can be considered as returning them to this manifold. Following this assumption, we present a simple adversarial purification method without further training to purify adversarial images, called ZeroPur. ZeroPur contains two steps: given an adversarial example, Guided Shift obtains the shifted embedding of the adversarial example by the guidance of its blurred counterparts; after that, Adaptive Projection constructs a directional vector by this shifted embedding to provide momentum, projecting adversarial images onto the manifold adaptively. ZeroPur is independent of external models and requires no retraining of victim classifiers or auxiliary functions, relying solely on victim classifiers themselves to achieve purification. Extensive experiments on three datasets (CIFAR-10, CIFAR-100, and ImageNet-1K) using various classifier architectures (ResNet, WideResNet) demonstrate that our method achieves state-of-the-art robust performance. The code will be publicly available.