TAIGen: Training-Free Adversarial Image Generation via Diffusion Models

TL;DR

TAIGen is a training-free, efficient black-box adversarial image generation method using diffusion models, achieving high success rates with minimal sampling steps and preserving image quality.

Contribution

Introduces TAIGen, a novel approach that generates adversarial images with only 3-20 diffusion steps without training, improving efficiency and attack success.

Findings

Achieves over 70% attack success on ImageNet models.

Maintains PSNR above 30 dB across datasets.

Generates adversarial examples 10x faster than existing methods.

Abstract

Adversarial attacks from generative models often produce low-quality images and require substantial computational resources. Diffusion models, though capable of high-quality generation, typically need hundreds of sampling steps for adversarial generation. This paper introduces TAIGen, a training-free black-box method for efficient adversarial image generation. TAIGen produces adversarial examples using only 3-20 sampling steps from unconditional diffusion models. Our key finding is that perturbations injected during the mixing step interval achieve comparable attack effectiveness without processing all timesteps. We develop a selective RGB channel strategy that applies attention maps to the red channel while using GradCAM-guided perturbations on green and blue channels. This design preserves image structure while maximizing misclassification in target models. TAIGen maintains visual quality with PSNR above 30 dB across all tested datasets. On ImageNet with VGGNet as source, TAIGen achieves 70.6% success against ResNet, 80.8% against MNASNet, and 97.8% against ShuffleNet. The method generates adversarial examples 10x faster than existing diffusion-based attacks. Our method achieves the lowest robust accuracy, indicating it is the most impactful attack as the defense mechanism is least successful in purifying the images generated by TAIGen.