Sample-specific Noise Injection for Diffusion-based Adversarial Purification

Q1: Contribution of this study

R1: Due to character limits, please refer to Response to Reviewer ynLT - Q1 where we clarify our contribution.

Discussion on [1]

We acknowledge that score-based metrics, including EPS [1], are established tools for distinguishing between clean and adversarial samples. Though score norms can estimate sample deviation [3], we follow the motivation in [1] and adopt their proposed EPS as it offers more robust estimates.

Fig.2 serves only as motivation of SSNI, building on understandings from [1]. It empirically visualizes correlations between score norms and perturbation levels, justifying why score norm is suitable for guiding SSNI's adaptive mechanism. We do not claim it as a contribution and will cite [3] and [1] near Fig.2 to credit foundational concepts, ensuring this is clear in our revision.

So, while we leverage EPS from [1], our core contribution is the SSNI framework, enabling sample-specific noise injection to address the accuracy-robustness trade-off problem in DBP.

Q2: Generality of SSNI

R2: We consider SSNI a general framework because its principle - adaptively adjusting the denoising level $t(x)$ based on a sample's deviation using a reweighting function $f$ - is applicable to various DBP methods and across different datasets.

Eq.7-8 are presented as proof-of-concept instantiations of $f$ within this framework. $b$ is a hyperparameter within these instantiations, allowing reweighted $t^*$ to exceed the baseline $t^*$ to improve robustness.

Tuning hyperparameter per dataset is a common practice in machine learning and does not invalidate the framework's generality. Many 'general' methods (including baseline DBPs that require tuning $t^*$) do have hyperparameters that benefit from dataset-specific tuning for better performance.

In this sense, we argue that SSNI is a general framework of sample-specific noise injection for DBP, rather than a specific method implementation. Reviewer xxTh also acknowledged SSNI's generality.

Q3: More Evaluations on AutoAttack and [2]

R3: Thanks for bringing [2] to our discussion, which addresses a similar challenge (accuracy-robustness trade-off) in DBP to SSNI but takes a different approach.

[2] learns adversarial guidance during the reverse diffusion step, requiring training an auxiliary network to modify the diffusion direction. Instead, SSNI is training-free, adaptively adjusting diffusion noise levels per sample before standard diffusion at inference time, based on pre-computed score norms. We will include the discussion of [2] in our revision.

These two methods are thus complementary. In principle, SSNI can be integrated with this method. However, as this paper has yet open-sourced the code, we are unable to get the results now but willing to include them later. See link for required results.

Q4: Usefulness of SSNI-L

R4: We included SSNI-L as a first step when exploring training-free reweighting functions for SSNI. Its purpose was to establish a simple baseline with linear mapping before investigating more complex non-linear ones.

However, SSNI-N consistently provided a superior accuracy-robustness trade-off, possibly due to simple linear mapping can't fully model the complex reweighting operation, justifying our focus on SSNI-N in the main text.

In the revision, we will clearly state the role of SSNI-L as a simpler baseline and summarize its relative performance.

Q5: Triangle inequality

R5: Thank you for carefully reading our proof. We'd like to clarify it is correctly used.

Q6: Theoretical Claim

R6: We'd like to kindly recall our core contribution is the SSNI framework for sample-specific noise injection in DBP.

Theoretically proving the optimality of $t^*$ is challenging, as there is no clear definition of 'true optimal' noise level. To be clear, we do not claim to derive the 'optimal' noise level; our focus is to emphasize noise level should be sample-specific. We will ensure this is clarified in the revision to avoid any potential overclaiming.

The effectiveness of SSNI is empirically validated and 'theoretically' justified (Recall our response to Q1).

We believe identifying the true optimal $t^*$ is an interesting open question. We will ensure our revision accurately reflects the scope of our claims and contributions.

[1] Detecting Adversarial Data by Probing Multiple Perturbations Using Expected Perturbation Score. ICML 2023

[2] Robust Diffusion Models For Adversarial Purification. ArXiv 2024

[3] Adversarial purification with Score-based generative models. ICML 2021

Thanks for your review! If our response addresses your concern, we hope you might consider increasing score.

Q1: Evaluation with transformer-based classifiers, Diff-PGD, and unrestricted attacks

R1: We have supplemented the transformer-based model and Diff-PGD experiments. Due to character limits, please see here for results

Regarding unrestricted attacks: In this paper, we primarily focus on defending human-imperceptible adversarial perturbations, while unrestricted attack is a different problem setup, which breaks the assumption of human-imperceptible perturbations in most adversarial defense literature. However, we acknowledge this is an interesting open question to be explored.

[1] Diffusion models for adversarial purification. ICML, 2022.

Q2: Discussion on the innovation

R2: We thank the reviewer for acknowledging SSNI's generality.

We'd like to respectively argue that customizing sample-specific noise level $t^*$ is new because $t^*$ is fundamentally critical to DBP performances, and the fixed $t^*$ used in existing studies is a core limitation causing suboptimal accuracy-robustness trade-offs.

SSNI's main contribution is introducing a conceptual advance of sampled-adaptive $t(x)$, leveraging score norms that represent a sample's deviation from clean data, tailoring purification strengths based on instance-specific score norms. With extensive experiments, we confirm this 'simple' modification leads to substantial gains of accuracy-robustness balance.

We believe the simplicity and effectiveness of SSNI, while being easily integrated into diverse DBP methods (as the reviewer mentioned), is a key strength.

To our knowledge, SSNI is the first framework to systematically implement and validate score-norm-driven adaptive $t^*$ for DBP, which offers a practical, impactful and thus novel purification principle.

Q3: Discussion on the performance-time trade-off

R3: Thank you for raising this discussion. We acknowledge that increased inference time is a limitation of SSNI, however, it is primarily attributed to the inherent limitation of diffusion models, which our method relies on in estimating score norms. We look forward to more efficient strategies to accelerate this step.

On the other hand, we argue the benefits often justify the cost. On SSNI delivers absolute gains of +2.0-2.5% standard and +1.0-4.8% robust accuracy on ImageNet with 1000 classes (PGD $\ell_\infty$), gains often considered substantial in robustness contexts. Moreover, SSNI improves the overall accuracy-robustness balance, which is a qualitative benefit beyond only numerical results.

Ultimately, the cost-benefit analysis is indeed context-dependent. For security-critical offline tasks, the improved accuracy-robustness profile provided by SSNI could well justify the additional inference time. As a modular enhancement, SSNI provides practitioners an option when the computational budget allows for improved DBP effectiveness and accuracy-robustness trade-off. We also note that ongoing advances in efficient score estimator will help to reduce this overhead.

Q4: Black-box settings

R4: We focused on adaptive white-box attacks (PGD+EOT, BPDA+EOT), aligning with the standard evaluation protocol for DBP methods (Lee&Kim ICCV 2023), which is common practice in recent DBP literature as it directly stress-tests the defense pipeline against the worst-case threat model. Robustness against these strong attacks typically implies robustness against weaker black-box threats. Thus, we prioritized demonstrating effectiveness against the established challenging white-box benchmarks.

Still, we provide results for a gray-box attack setting with PGD+EOT $\ell_{\infty}$ ($\epsilon=8/255$) and $\ell_{2}$ ($\epsilon=1$) on CIFAR-10 dataset (partial results only, we'll report full results in the revision), where the attacker can access the target classifier, not the entire defense system. Due to character limits, please see here for results

Q5: Visualization of Imagenet-1K R5: Thank you for the feedback. Regarding ImageNet-1K, we will include high-quality ImageNet-1K purification visualizations in the revision.

For the CIFAR-10 images (Fig.5-7), visual differences are indeed subtle due to low resolution. Our main goal here was not necessarily to showcase visually superior cleanness, but rather to show that SSNI maintains semantic integrity. Even when SSNI adaptively uses different (sometimes higher) noise levels $t^*$ per sample, the mechanism driving improved robust accuracy does not corrupt the essential semantic information, unlike the failure cases illustrated in Fig.1 where improper $t^*$ leads to misclassification. This thus confirms that more flexible purification does not** come at the cost of distorting image content and compromising clean/robust accuracy.

Thank you for your time again! Hope our responses address your concerns.

Q1: Discussion on performance gain and robust accuracy

R1: We appreciate the reviewer for raising this concern. We'd like to first clarify our contribution and provide a clearer context.

Contribution

The central goal of this paper (and SSNI) is to achieve a more favorable accuracy-robustness balance, which is a crucial consideration in adversarial training/defense studies [1]. Our contributions are

• identifying a critical limitation in existing DBPs: they rely on a fixed diffusion noise level $t^*$ injected during the forward pass, forcing a single, yet often suboptimal, denoising effort across all samples. For any clean or adversarial sample, an inappropriate noise level might
  • fail to remove adversarial perturbations sufficiently (hurting robustness) or
  • excessively corrupt sample semantics (hurting accuracy).
• (core contribution) proposing a new framework for sample-specific noise injection (SSNI) to directly address this limitation. Based on the estimated deviation from the clean data distribution, SSNI adaptively sets the diffusion noise level $t(x)$ for each sample, assigning lower noise for cleaner samples to preserve accuracy, and potentially higher noise for more perturbed samples to enhance robustness.
• confirming that SSNI has a larger purification capacity and is more flexible than sample-shared-noise DBPs, supported by empirical results and theoretical justification (Appendix A)
• (central implication) SSNI improves the overall accuracy-robustness trade-off in DBP, particularly achieved in a training-free manner.

Significance and risk

Our results show SSNI's success in achieving this better balance. We observe that in most cases, both standard and robust accuracy are improved simultaneously (e.g., GDMP under BPDA+EOT, Table 3: +1.63% Std Acc, +1.11% Rob Acc). Even in rare cases where robust accuracy sees a minor decrease (e.g., -0.06% for DiffPure PGD-L2, Table 1), it is often coupled with a substantial gain in standard accuracy (+2.15% in that case). We argue this often represents a preferable trade-off point, recovering clean performance sacrificed by using fixed $t^*$.

The consistent improvements on ImageNet (Table 2) further confirm that SSNI can effectively balance these targets on large-scale tasks. We thus argue that SSNI generally enhances the robustness aspect of the accuracy-robustness balance compared to baselines.

In summary, we believe that SSNI represents a principled framework to address the fundamental accuracy-robustness trade-off in DBP via adaptive denoising budgets, providing flexibility and improved overall balance that fixed $t^*$ methods cannot achieve.

[1] Improving Accuracy-robustness Trade-off via Pixel Reweighted Adversarial Training, ICML 2024.

Q2: Results with additional DBP backbone (DiffAttack)

R2: Thank you for the suggestion. We have supplemented experiments and reported these results as requested.

Please see the DiffAttack results. The table provides results of utilizing DiffAttack [2] with $\ell_{\infty}$ ($\epsilon=8/255$) on target classifier WRN-28-10 on CIFAR-10 (due to limited time frame within the rebuttal phase, we can only include partial results therein; we will report full results in the revision).

It is easy to observe consistent performance gains over all DBP baselines with our SSNI integrated.

[2] DiffAttack: Evasion Attacks Against Diffusion-Based Adversarial Purification, NeurIPS 2023

Thank you very much again for your time! We hope our response addresses your concern. If you have any further questions, please feel free to ask, we’d be happy to provide more clarification.

Q1: Evidence of Claim

R1: Thanks for pointing it out. We now show that samples with larger deviation (caused by larger perturbation, leading to higher score norm) need stronger denoising (higher $t^*$).

With a DBP method [1], we assess the robust accuracy of WRN-28-10 against AEs from PGD+EOT $\ell_{\infty}$ attacks with varying perturbation budgets on CIFAR-10, finding a shared $t^*$ leads to poor robust accuracy for the other three groups (results).

[1] Robust evaluation of diffusion-based adversarial purification. ICCV 2023.

Q2: Visualization of ImageNet

R2: Thanks for the advice! We will include visualizations of ImageNet. Due to character limits, we kindly refer you to Response to Reviewer xxTh Q5 where we also discuss this in detail.

Q3: Clarify adversarial perturbation from diffusion noise

R3: This confusion is caused by inconsistent $\epsilon$ between motivation and experiment sections.

We now clarify the difference between adversarial perturbation budget $\epsilon$ and the adaptive diffusion noise $t(x)$ applied by SSNI.

Our experiments indeed use a fixed $\epsilon$, defining attack strength used to generate adversarial examples (AEs) for controlled evaluation. However, SSNI's sample-specific noise refers to the amount of Gaussian noise injected during DBP process, not $\epsilon$ of adversarial attack.

Our motivation is that different samples benefit from sample-specific diffusion noise levels for purification. Fig.1 implies this need. Fig.2 then shows that score norms (our chosen metric) correlate with perturbation intensities (using different attack budgets $\epsilon$ is a clear way to show this correlation). It establishes score norms as a proxy for deviation from the clean manifold.

We still need sample-specific diffusion noise level $t(x)$ even when evaluating against the same budget $\epsilon$.

• The same attack (shared $\epsilon$) applied to different clean examples (CEs) will produce AEs perturbed to varying degrees relative to the clean manifold, depending on each CE's own property and its interactions with the attack.
• So, even under a fixed $\epsilon$, AEs have different score norms.
• This leads to different diffusion noise level $t(x)$ tailored to sample-specific deviations (Eq.4).

So, the same $\epsilon$ in evaluation does not omit sample-specific diffusion noise levels $t(x)$.

Q4: NN-based reweighting function

R4: The presented SSNI-L/N are instantiations of the reweighting mechanism within our SSNI framework. Our primary goal was to introduce the core SSNI concept and show its effectiveness using simple and computationally lightweight functions working entirely at inference time without additional training.

Using a NN as the reweighting function is indeed a valid extension. But this would require a training phase for optimization, shifting from the current training-free paradigm and introducing training overhead. We agree that investigating such learnable functions is a promising direction.

Q5: Pre-defined noise level

R5: Yes, we used a pre-defined base noise level for score estimation via EPS (L252). Bypassing these pre-defined levels is challenging within the training-free paradigm. Similar to the reweighting function, one could train NN to predict a proper level per sample. Yet this would also introduce a training phase and associated overhead. Developing a purely analytical training-free method to determine these levels without any reference is non-trivial.

We appreciate the reviewer's question and leave this interesting avenue for future work.

Q6: Score network choice

R6: Thank you for this valuable advice. We used a standard SDE-based score network [1] pre-trained on CIFAR-10 and a guided diffusion model [2] pretrained on ImageNet, following previous score estimation studies (Zhang et al. 2023).

Moreover, SSNI should not be sensitive to a specific score network, as we use EPS, which averages scores over multiple noise levels for more robust score estimation (L264-274, Eq.6), supported by Appendix G. Thus, we believe SSNI can generalize to other score networks (e.g. LDM, EDM), as long as they provide reliable score estimations.

We are empirically evaluating with other score networks and will report the results once we obtain them.

Q7: Related work

R7: Thanks for providing the reference [3]. Both [3] and SSNI leverage diffusion models and analyze choice of noise level in different contexts. [3] denoises imitation learning demonstrations with an optimal $t^*$ before IL, whereas SSNI targets adversarial defense with sample-specific $t^*(x)$ selection based on score norms. We will include the discussion in the revision.

[1] Score-Based Generative Modeling through Stochastic Differential Equations ICLR 2021

[2] Diffusion Models Beat GANs on Image Synthesis NeurIPS 2021

[3] Imitation Learning from Purified Demonstrations ICML 2024