Classifier Guidance Enhances Diffusion-based Adversarial Purification by Preserving Predictive Information

TL;DR

This paper introduces COUP, a diffusion-based adversarial purification method that uses classifier confidence guidance to preserve information and improve robustness against attacks.

Contribution

The paper proposes a novel classifier-confidence guided purification (COUP) method that prevents information loss during diffusion-based adversarial purification.

Findings

COUP improves adversarial robustness under strong attacks.

It effectively preserves sample information during denoising.

Experimental results outperform existing diffusion-based purification methods.

Abstract

Adversarial purification is one of the promising approaches to defend neural networks against adversarial attacks. Recently, methods utilizing diffusion probabilistic models have achieved great success for adversarial purification in image classification tasks. However, such methods fall into the dilemma of balancing the needs for noise removal and information preservation. This paper points out that existing adversarial purification methods based on diffusion models gradually lose sample information during the core denoising process, causing occasional label shift in subsequent classification tasks. As a remedy, we suggest to suppress such information loss by introducing guidance from the classifier confidence. Specifically, we propose Classifier-cOnfidence gUided Purification (COUP) algorithm, which purifies adversarial examples while keeping away from the classifier decision boundary. Experimental results show that COUP can achieve better adversarial robustness under strong attack methods.