DiffBreak: Is Diffusion-Based Purification Robust?
Andre Kassis, Urs Hengartner, Yaoliang Yu

TL;DR
DiffBreak critically evaluates diffusion-based purification for adversarial defense, revealing fundamental flaws and proposing more reliable evaluation methods that challenge its robustness claims.
Contribution
The paper introduces DiffBreak, a toolkit for proper gradient analysis of DBP, and proposes a statistically sound majority-vote scheme to improve robustness evaluation.
Findings
Gradient attacks target the diffusion model, not the classifier.
Single purification testing is invalid for robustness assessment.
Majority voting offers partial robustness improvement.
Abstract
Diffusion-based purification (DBP) has become a cornerstone defense against adversarial examples (AEs), regarded as robust due to its use of diffusion models (DMs) that project AEs onto the natural data manifold. We refute this core claim, theoretically proving that gradient-based attacks effectively target the DM rather than the classifier, causing DBP's outputs to align with adversarial distributions. This prompts a reassessment of DBP's robustness, attributing it to two critical flaws: incorrect gradients and inappropriate evaluation protocols that test only a single random purification of the AE. We show that with proper accounting for stochasticity and resubmission risk, DBP collapses. To support this, we introduce DiffBreak, the first reliable toolkit for differentiation through DBP, eliminating gradient flaws that previously further inflated robustness estimates. We also analyze…
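An added illustration (not the paper's or DiffBreak's code) of why the evaluation protocol matters for a stochastic defense: it scores the same adversarial examples under single purification, repeated submission, and majority voting. It assumes every purification of an example is an independent trial with a fixed misclassification probability; the function names and all probability values are constructed for this sketch.

```python
import math
import random

# Constructed per-example probabilities that ONE random purification of an
# adversarial example (AE) ends up misclassified. Illustrative, not from the paper.
P_FOOL = [0.0, 0.1, 0.3, 0.6, 0.9]

def vote_fail(p, k):
    """P(a strict majority of k independent purifications is misclassified)."""
    need = k // 2 + 1
    return sum(math.comb(k, j) * p**j * (1 - p)**(k - j) for j in range(need, k + 1))

def robust_accuracy(p_fool, k=1, n=1):
    """Expected fraction of AEs that fail on all n submissions, where each
    submission is decided by a majority vote over k purifications (k=1: no vote)."""
    return sum((1 - vote_fail(p, k)) ** n for p in p_fool) / len(p_fool)

def simulate(p_fool, k=1, n=1, trials=20000, seed=0):
    """Monte Carlo cross-check of robust_accuracy under the same assumptions."""
    rng = random.Random(seed)
    survived = 0
    for _ in range(trials):
        p = rng.choice(p_fool)
        fooled = any(
            sum(rng.random() < p for _ in range(k)) > k // 2 for _ in range(n)
        )
        survived += not fooled
    return survived / trials

if __name__ == "__main__":
    protocols = [("single purification", 1, 1),
                 ("10 resubmissions", 1, 10),
                 ("9-sample majority vote", 9, 1),
                 ("9-sample vote, 10 resubmissions", 9, 10)]
    for label, k, n in protocols:
        print(f"{label:32s} exact={robust_accuracy(P_FOOL, k, n):.3f} "
              f"simulated={simulate(P_FOOL, k, n):.3f}")
```

With these constructed values, scoring one purification per example reports 0.62 robust accuracy, while the same examples score about 0.28 once each may be submitted ten times.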
Taxonomy
Topics: Advancements in Semiconductor Devices and Circuit Design · Network Security and Intrusion Detection
Methods: Autoencoders · ALIGN · Diffusion · Lib
