Phase and Amplitude-aware Prompting for Enhancing Adversarial Robustness

Thanks for your great efforts spending on reviewing our paper. Your comments are important to the improvement of our work, and we address them as follows:

The clarity on limitations. We are sorry for the lack of clarity on limitations. The main limitation of our method is the sacrifice of natural accuracy. We would provide a clear introduction to this issue in a separate section. In addition, due to the limitation of computational resources, we do not perform evaluations on ImageNet and feel sorry for that. However, we conduct experiments on Tiny-ImageNet which has been widely used. Tiny-ImageNet-200 is larger and has a larger resolution than CIFAR-10, with more numbers of classes than those of ImageNet-100. Results show that our method achieves superior performances, leading us to believe that our method can also work well on ImageNet. We would state it in the updated version.

The selection of attacks. Table 2 aims at verifying the different impacts of amplitude-level and phase-level prompts on robustness. In Table 2, we use PGD which is a popular method for evaluating the defense, to efficiently reflect the impacts of them on robustness. Table 3 and other evaluations in Section 4 aim at comprehensively evaluating the defense effectiveness of the proposed method. Therefore, we use the stronger AutoAttack which contains PGD to evaluate the proposed method comprehensively.

Typos. We are sorry for these typos. We would correct them as follows:

1. Ln 12: “Deep neural networks are found to be vulnerable to adversarial perturbations.”

2. Ln 71: “White-box attacks like Projected Gradient Descent (PGD) attack (Madry et al., 2018), AutoAttack (AA) (Croce & Hein, 2020), Carlini&Wagner (C&W) (Carlini & Wagner, 2017) and Decoupling Direction and Norm (DDN) (Rony et al., 2019) craft noises through accessing and utilizing models’ intrinsic information like structures and parameters.”

3. Ln158: “However, existing prompt-based defenses focus on mixed patterns like pixel or frequency information, which cannot capture specific patterns like structures and textures (Ying et al., 2001; Ren et al., 2015).”

4. Equation 2 and 3: We are sorry for the waste of space here. We would move the "Classification Loss" section and these equations into the Appendix in the updated version.

5. Ln325: Yes, the default perturbation budget for L-2 norm is 0.5. We would supplement it in the updated version:

"The perturbation budget for L∞-norm AA is 8/255. And the perturbation budget for L-2 norm attacks is 0.5."

Explanations of C-AVP. Following previous works [1-4], C-AVP performs prompting in the pixel space by adding random noises to the surrounding area inside the image, only keeping the square area in the center unchanged. Therefore, C-AVP is only a frame. We would state it in the updated version.

[1] Visual prompting: modifying pixel space to adapt pre-trained models. arXiv:2203.17274, 2022.

[2] Adversarial reprogramming of neural networks. arXiv:1806.11146, 2018.

[3] Transfer learning without knowing: reprogramming black-box machine learning models with scarce data and limited resources. ICML, 2020.

[4] Fairness reprogramming. NeurIPS, 2022.

Rationale behind suggesting contrastive learning. In the defense area, Contrastive Learning is a useful method for mitigating the trade-off problem between natural and robust accuracies, by learning the invariant natural semantic information between natural and adversarial examples through contrastive losses [5-7]. Therefore, we suggest Contrastive Learning and hope it can help break the limitation of our method about sacrificing natural accuracy when performing defenses. We would state it in the updated version.

[5] Adversarial self-supervised contrastive learning. NeurIPS, 2020.

[6] Robust pre-training by adversarial contrastive learning. NeurIPS, 2020.

[7] Enhancing adversarial contrastive learning via adversarial invariant regularization. NeurIPS, 2024.

Effectiveness on C&W. C&W method generates adversarial perturbations by performing optimizations in the pixel domain. Differently, our approach additionally considers the frequency domain. It disentangles the frequency domain information and leverages the amplitude and phase spectra as a way to focus more finely on important structural semantics and textures, which are not covered in the compared baselines. Therefore, our method can provide a more effective defense against perturbations generated by C&W. We would supplement this statement in the updated version.

We sincerely hope our answers can solve your concerns and obtain your increase in the score.

Thanks for your valuable comments. The responses to your concerns are as follows:

The superiority of our method. Our method indeed does not outperform “Freq” by a large margin in a few scenarios. However, as shown in the Table 3, 4, 6, 7, 12 and 13, Freq sacrifices natural accuracy by a large margin in many cases. In comparison, the natural accuracy drop of our method is fewer, and our method achieves superior defenses in almost all of the defense cases.

The superiority of the prompt selection strategy. The prompt selection method of C-AVP will become extremely inefficient on numerous classes. Meanwhile, as shown in Table 4, baselines using this strategy sacrifice natural accuracy by a large margin, further verifying its limitations on the model’s performances. Instead, our prompt selection strategy is efficient on numerous classes, and our defense using this strategy achieves superior defense without losing natural accuracy too much. We would state it in the updated version:

"The prompt selection strategy of C-AVP is inefficient on numerous classes, and results in Table 4 show baselines with this strategy lose natural accuracy a lot. In comparison, our prompt selection strategy is efficient on numerous classes, and our defense with this strategy achieves superior defenses with higher natural accuracy, verifying the superiority of our prompt selection strategy."

Minor mistakes. We are sorry for these mistakes. We would correct them:

1. “Nat. Pha./Amp. indicates we replace phase/amplitude spectra with corresponding natural spectra.”
2. “Motivated by the above studies, we propose a Phase and Amplitude-aware Prompting (PAP) defense mechanism, which constructs phase and amplitude-level prompts to stabilize the model’s predictions during testing.”

Training strategy of baselines. For baselines Freq and C-AVP, we train them following the settings from their original papers without any modification for a fair comparison.

The superiority compared with universal prompts. The defense superiority of our method still exists against attacks which are different from AA. As shown in the table below, our method achieves superior defenses against various attacks compared with universal prompts.

We sincerely hope our answers can solve your concerns and obtain your increase in the score.

Thanks for your constructive suggestions. Your comments are important to our work, and we address them as follows:

Stability in natural accuracy. Our method lose a few natural accuracy when performing defenses. However, as shown in the Section 4, baselines lose more natural accuracy under various scenarios, such as the performances of C-AVP under transferability evaluations and those of Freq in Table 3. In comparison, our method remains high natural accuracy in these scenarios, achieving more stable performances in natural accuracy. We would state it in the updated version:

"As a whole, our method performs more stably in natural accuracy. As shown in Section 4, baselines lose more natural accuracy under many cases, such as the worse transferability and performances under adaptive attacks of C-AVP and the natural accuray drop of Freq shown in Table 3 under adversarially pre-trained models. In comparison, our defense remains high natural accuracy in all of these cases, verifying the stability of our defense."

The introduction of experimental settings. We are sorry for such a presentation that is not easy to read. We would introduce all of them in the section of experimental settings clearly in the updated version:

"We set λ1=3, λ2=400, λ3=4 for naturally pre-trained models, and λ1=1, λ2=5000, λ3=4 for adversarially pre-trained models. The threshold τ is set as 0.1, and we adjust the weights of amplitude-level prompts every 5 epochs."

The consistency of the phrase. We are sorry for the inconsistency. We would correct the phrase:

“To this end, we apply Gaussian Blur on the test image for evaluations.”

Settings of adaptive attacks. During training and testing, for other settings of adaptive attacks, the perturbation budget is 8/255, and the step size is 2/255.

Influences of the data-prompt mismatching loss. The data-prompt mismatching loss does not contradict the classification loss. As shown in Figure 5, when the λ3 varies from 0 to 4, both the natural and robust accuracies increase by a large margin. Therefore, training prompts using these losses simultaneously can achieve superior performances in both natural and robust accuracies.

The settings of Gaussian Blur in the ablation study. For the Gaussian Blur performed in the ablation study, the kernel size is set as 3, and the standard deviation is sampled randomly from 0.1 to 2.0. The Gaussian Blur is conducted on the test image for evaluations.

We sincerely hope our answers can solve your concerns and obtain your increase in the score.

Thanks for your valuable comments and constructive suggestions. The responses to your concerns are as follows:

Discussions on the trade-off problem. Our method has a trade-off problem under different hyper-parameters. On naturally pre-trained models, when λ1 increases, the natural accuracy increases while the robust accuracy drops explicitly. As λ2 increases, the robust accuracy drops a lot while the natural accuracy does not change too much for the naturally pre-trained models. On adversarially pre-trained models, the trade-off problem only exists when λ2 varies. Overall, the selected hyper-parameters achieve superior performances in both natural and robust accuracies. We would state it in the updated version:

"There exists a trade-off problem in our method. As shown in Figure 5, for naturally pre-trained models, the natural accuracy increases while the robust accuracy drops as λ1 or λ2 increases. As shown in Figure 6, for adversarially pre-trained models, when λ2 varies from 0 to 5000, the trade-off problem exists explicitly. Overall, the hyper-parameters we set achieve superior performances in both natural and robust accuracies."

Analyses of visualizations of prompted images. C-AVP performs prompting only by adding noises around the image in the pixel space to mitigate the negative effects of adversarial perturbations. Frequency Prompting method directly adds frequency prompts on the high-frequency domain. They both construct and train their prompts without considering their disruptions on the natural semantic patterns in the pixel space. In comparison, our method constructs prompts on the more specific semantic patterns (i.e., textures from amplitude spectra and structures from phase spectra), and trains them using a loss which enforces the prompted images to be as similar as possible to the corresponding natural images in the pixel space. To this end, our method preserves more natural semantic patterns after prompting compared with baselines. We would state it in the updated version:

"C-AVP performs prompting by adding noises around the image in the pixel domain, while Freq performs prompting on the high-frequency domain. They both train their prompts without considering their disruptions on the natural semantic patterns. In comparison, our method construct prompts on more specific semantic patterns, training them to enforce the prompted images to be as similar as possible to corresponding natural images. This can preserve more natural semantic patterns as shown in Figure 4, 7 and 8."

Fairness of the comparison with universal prompts. The data-prompt mismatching loss indeed cannot be performed on universal prompts. For fairness, we remove the data-prompt mismatching loss on universal prompts, and other training settings for universal prompts are the same as those from our method. We would state it in the updated version:

"For fairness, the data-prompt mismatching loss is removed on universal prompts, and other settings for universal prompts are the same as those from our method."

Typos. We are sorry for this typo. We would correct the typo:

“Clearly, when the number of classes becomes large, this strategy for testing can easily cause extremely high computational costs.”

Settings of adaptive attacks. For adaptive attacks on training and testing, the perturbation budget is 8/255 and the step size is 2/255. The iteration number is 10 for training, and 20 and 40 for testing.

The integrity of spectra after prompting. We conduct a reconstruction loss to train the prompts, enforcing the prompted images to be as similar as possible to the corresponding natural images in the pixel space. Therefore, our method does not disrupt the integrity of these spectra, which can be shown in the Figure 4, 7 and 8.

We sincerely hope our answers can solve your concerns and obtain your increase in the score.