Beyond Classification: Evaluating Diffusion Denoised Smoothing for Security-Utility Trade off

TL;DR

This paper evaluates the effectiveness of Diffusion Denoised Smoothing in enhancing model robustness against adversarial attacks across multiple datasets and tasks, revealing significant performance trade-offs and vulnerabilities.

Contribution

It extends the analysis of diffusion-based smoothing techniques beyond classification to various downstream tasks and introduces a novel attack targeting the diffusion process.

Findings

High-noise diffusion degrades performance by up to 57%.

Low-noise diffusion preserves performance but offers limited robustness.

A new attack can bypass defenses in low-noise settings.

Abstract

While foundation models demonstrate impressive performance across various tasks, they remain vulnerable to adversarial inputs. Current research explores various approaches to enhance model robustness, with Diffusion Denoised Smoothing emerging as a particularly promising technique. This method employs a pretrained diffusion model to preprocess inputs before model inference. Yet, its effectiveness remains largely unexplored beyond classification. We aim to address this gap by analyzing three datasets with four distinct downstream tasks under three different adversarial attack algorithms. Our findings reveal that while foundation models maintain resilience against conventional transformations, applying high-noise diffusion denoising to clean images without any distortions significantly degrades performance by as high as 57%. Low-noise diffusion settings preserve performance but fail to provide adequate protection across all attack types. Moreover, we introduce a novel attack strategy specifically targeting the diffusion process itself, capable of circumventing defenses in the low-noise regime. Our results suggest that the trade-off between adversarial robustness and performance remains a challenge to be addressed.