Deceptive Diffusion: Generating Synthetic Adversarial Examples

TL;DR

This paper presents deceptive diffusion, a method for generating large-scale adversarial images using generative models, which can improve defenses but also reveal new vulnerabilities through data poisoning.

Contribution

Introduces deceptive diffusion, a novel approach for creating adversarial images with generative models, enabling scalable adversarial training and exposing new poisoning vulnerabilities.

Findings

Deceptive diffusion can generate numerous misclassified images.

Training on partially attacked data reveals diffusion model vulnerabilities.

Method enhances adversarial training capabilities.

Abstract

We introduce the concept of deceptive diffusion -- training a generative AI model to produce adversarial images. Whereas a traditional adversarial attack algorithm aims to perturb an existing image to induce a misclassificaton, the deceptive diffusion model can create an arbitrary number of new, misclassified images that are not directly associated with training or test images. Deceptive diffusion offers the possibility of strengthening defence algorithms by providing adversarial training data at scale, including types of misclassification that are otherwise difficult to find. In our experiments, we also investigate the effect of training on a partially attacked data set. This highlights a new type of vulnerability for generative diffusion models: if an attacker is able to stealthily poison a portion of the training data, then the resulting diffusion model will generate a similar proportion of misleading outputs.