Random Sampling for Diffusion-based Adversarial Purification

TL;DR

This paper introduces a novel random sampling method for diffusion-based adversarial purification, enhancing robustness and stability against attacks by sampling from a random noisy space, and proposes a mediator guidance to improve prediction consistency.

Contribution

It proposes a new random sampling scheme for diffusion models and a mediator-guided approach, significantly improving adversarial robustness and outperforming state-of-the-art methods.

Findings

Random sampling improves robustness against adversarial attacks.

Mediator guidance ensures prediction consistency.

DiffAP outperforms existing methods in accuracy and stability.

Abstract

Denoising Diffusion Probabilistic Models (DDPMs) have gained great attention in adversarial purification. Current diffusion-based works focus on designing effective condition-guided mechanisms while ignoring a fundamental problem, i.e., the original DDPM sampling is intended for stable generation, which may not be the optimal solution for adversarial purification. Inspired by the stability of the Denoising Diffusion Implicit Model (DDIM), we propose an opposite sampling scheme called random sampling. In brief, random sampling will sample from a random noisy space during each diffusion process, while DDPM and DDIM sampling will continuously sample from the adjacent or original noisy space. Thus, random sampling obtains more randomness and achieves stronger robustness against adversarial attacks. Correspondingly, we also introduce a novel mediator conditional guidance to guarantee the consistency of the prediction under the purified image and clean image input. To expand awareness of guided diffusion purification, we conduct a detailed evaluation with different sampling methods and our random sampling achieves an impressive improvement in multiple settings. Leveraging mediator-guided random sampling, we also establish a baseline method named DiffAP, which significantly outperforms state-of-the-art (SOTA) approaches in performance and defensive stability. Remarkably, under strong attack, our DiffAP even achieves a more than 20% robustness advantage with 10$\times$ sampling acceleration.