Memory Efficient Full-gradient Attacks (MEFA) Framework for Adversarial Defense Evaluations
Yuan Du, Mitchel Hill, HanQin Cai

TL;DR
This paper introduces a memory-efficient framework for exact gradient evaluation in stochastic purification defenses, enabling stronger white-box attacks and more reliable robustness assessments.
Contribution
It presents a novel framework combining checkpointed backpropagation and controlled stochastic evaluation to accurately evaluate defenses with reduced memory usage.
Findings
Full-gradient attacks reveal vulnerabilities missed by approximate methods.
The framework produces stronger white-box attacks on diffusion-based defenses.
Exact-gradient evaluation improves robustness benchmarking reliability.
Abstract
This work studies the robust evaluation of iterative stochastic purification defenses under white-box adversarial attacks. Our key technical insight is that gradient checkpointing makes exact end-to-end gradient computation through long purification trajectories practical by trading additional recomputation for substantially lower memory usage. This enables full-gradient adaptive attacks against diffusion- and Langevin-based purification defenses, where prior evaluations often resort to approximate backpropagation due to memory constraints. These approximations can weaken the attack signal and risk overestimating robustness. In parallel, stochasticity in iterative purification is frequently under-controlled, even though different purification trajectories can substantially change reported robustness metrics. Building on this insight, we introduce a memory-efficient full-gradient…
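The memory-for-recomputation trade described in the abstract, as an added illustration that is not the paper's code: an exact gradient through a toy one-dimensional Langevin-style purification loop, keeping only every k-th state and replaying each segment with noise keyed on (seed, step). The energy function, step size, noise scale, loss and all function names are assumptions made for this example.

```python
import random

ETA, SIGMA = 0.05, 0.1  # step size and noise scale (constructed values)

def noise(seed, t):
    # Noise is a pure function of (seed, t), so a recomputed segment
    # replays exactly the same stochastic trajectory as the forward pass.
    return random.Random(seed * 1_000_003 + t).gauss(0.0, 1.0)

def step(x, seed, t):
    # One Langevin-style update on the toy energy U(x) = x^4/4 - x^2/2.
    return x - ETA * (x**3 - x) + SIGMA * noise(seed, t)

def step_jac(x):
    # d step / d x at state x (the additive noise drops out).
    return 1.0 - ETA * (3.0 * x**2 - 1.0)

def loss_grad(x_T, target):
    # Gradient of the toy loss (x_T - target)^2 with respect to x_T.
    return 2.0 * (x_T - target)

def grad_full(x0, T, seed, target):
    # Baseline: store every intermediate state, O(T) memory.
    xs = [x0]
    for t in range(T):
        xs.append(step(xs[-1], seed, t))
    g = loss_grad(xs[-1], target)
    for t in reversed(range(T)):
        g *= step_jac(xs[t])
    return g, len(xs)

def grad_checkpointed(x0, T, seed, target, k):
    # Forward pass: keep only every k-th state as a checkpoint.
    ckpt, x = {0: x0}, x0
    for t in range(T):
        x = step(x, seed, t)
        if (t + 1) % k == 0 and t + 1 < T:
            ckpt[t + 1] = x
    g, peak = loss_grad(x, target), 0
    # Backward pass: rebuild one segment at a time from its checkpoint.
    for start in sorted(ckpt, reverse=True):
        end = min(start + k, T)
        seg = [ckpt[start]]
        for t in range(start, end - 1):
            seg.append(step(seg[-1], seed, t))
        peak = max(peak, len(ckpt) + len(seg))  # upper bound on states held
        for x_t in reversed(seg):
            g *= step_jac(x_t)
    return g, peak
```

Both functions return the gradient with respect to `x0` and a count of states held; the gradients agree while the checkpointed count grows with `T/k + k` rather than `T`.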
