Efficient Adversarial Detection and Purification with Diffusion Models

• The presentation needs improvement. The title of section 4.2 is "Adversarial Example Detection," yet within this section, subsection 4.2.3 is titled "Adversarial Detection," and subsection 4.2.4 is titled "Adversarial Purification." There is a logical disorganization between the sections.
• The paper combines both detection and purification methods. It is uncertain whether there is a clear enhanced performance over previous works when considering either detection or purification alone.
• Lack of novelty; the methods of anti-aliasing and super-resolution are somewhat trivial, and there is a lack of strategies to enhance defensive efficiency, which is the main proposal in the title.
• The effectiveness of a standalone purification method without detection is questionable. According to my understanding, this paper does not improve the purification method. If there is a misunderstanding here, please clarify the specific differences between your purification method and previous works.

• The visualization of the RGB conversion result in Figure 2 seems strange according to the statements in Lines 242-246, where rounding the RGB values of the AutoAttack example to integer and clipping them to 0-255 should not produce a significant variation.
• As a major technical contribution of the proposed method, the implementation of adversarial anti-aliasing is not clearly stated in Sec. 4.2.1.
• The attacks used in the experiments may be insufficient to assess the robustness of the proposed method. Specifically, it has been suggested by (Lee & Kim, 2023) that the AutoAttack and BPDA used in this paper tend to overestimate the robustness of diffusion-based purification methods. Instead, PGD+EOT with exact gradients of the complete computation graph (i.e., including the proposed adversarial AA+SR) should be the more reliable adaptive attack. This may also apply to the unrestricted attacks.

1. The paper's innovation is insufficient; the method proposed by the authors resembles a combination of existing approaches.
2. Although the paper compares the proposed method with existing techniques, the analysis of differences between these methods is insufficient, particularly regarding performance variations under different attack types.

The soundness of this work is quite poor due to the following reasons:

1. The anti-aliasing and then super-resolution process is conceptually similar to JPEG compression [1], which has been shown to be an unreliable defense method [2]. The improvement of this work is to use the diffusion-based super-resolution method. However, the robustness of diffusion models are also overestimated [3, 4].

2. No adaptive attacks [2] are evaluated in this work, which also indicates that the results in this paper can be unreliable.

3. The proposed method is an adversarial detection method. However, no adversarial detection method [5, 6] is compared in this work. The adversarial detection cannot be compared with adversarial defense method directly. The evaluation metric [408-413] can be quite problematic.

Based on these, I think this work should not be published.

[1] Guo C, Rana M, Cisse M, et al. Countering adversarial images using input transformations[J]. arXiv preprint arXiv:1711.00117, 2017.

[2] Athalye A, Carlini N, Wagner D. Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples[C] ICML. 2018: 274-283.

[3] Lee M, Kim D. Robust evaluation of diffusion-based adversarial purification[C] ICCV. 2023: 134-144.

[4] Li X, Sun W, Chen H, et al. ADBM: Adversarial diffusion bridge model for reliable adversarial purification[J]. arXiv preprint arXiv:2408.00315, 2024.

[5] Carlini N, Wagner D. Adversarial examples are not easily detected: Bypassing ten detection methods[C]//Proceedings of the 10th ACM workshop on artificial intelligence and security. 2017: 3-14.

[6] Wang Y, Su H, Zhang B, et al. Interpret neural networks by extracting critical subnetworks[J]. IEEE Transactions on Image Processing, 2020, 29: 6707-6720.