Model-Free Adversarial Purification via Coarse-To-Fine Tensor Network Representation

TL;DR

This paper introduces Tensor Network Purification (TNP), a model-free adversarial defense method that reconstructs clean images from adversarial examples using tensor network decomposition, demonstrating robustness across various datasets and attack types.

Contribution

The paper presents a novel tensor network-based purification method that does not rely on pre-trained models or dataset-specific training, enhancing generalization against diverse adversarial attacks.

Findings

Effective across CIFAR-10, CIFAR-100, and ImageNet datasets.

Robust against various norm threats and attack types.

Outperforms existing defenses in generalization and robustness.

Abstract

Deep neural networks are known to be vulnerable to well-designed adversarial attacks. Although numerous defense strategies have been proposed, many are tailored to the specific attacks or tasks and often fail to generalize across diverse scenarios. In this paper, we propose Tensor Network Purification (TNP), a novel model-free adversarial purification method by a specially designed tensor network decomposition algorithm. TNP depends neither on the pre-trained generative model nor the specific dataset, resulting in strong robustness across diverse adversarial scenarios. To this end, the key challenge lies in relaxing Gaussian-noise assumptions of classical decompositions and accommodating the unknown distribution of adversarial perturbations. Unlike the low-rank representation of classical decompositions, TNP aims to reconstruct the unobserved clean examples from an adversarial example. Specifically, TNP leverages progressive downsampling and introduces a novel adversarial optimization objective to address the challenge of minimizing reconstruction error but without inadvertently restoring adversarial perturbations. Extensive experiments conducted on CIFAR-10, CIFAR-100, and ImageNet demonstrate that our method generalizes effectively across various norm threats, attack types, and tasks, providing a versatile and promising adversarial purification technique.