Diffusion-based Adversarial Purification from the Perspective of the Frequency Domain

Thank you for recognizing our paper. To the best of our knowledge, our paper is the first to improve the purification effect of diffusion models from the perspective of the frequency domain. Compared to pixel space, the frequency domain makes it easier to decouple the perturbed components from the unperturbed components. This significantly enhances the purification effect

Format of references

Thank you for noticing this issue. We will change the format uniformly as per your request to facilitate reading.

Experimental results on CLIP

We conduct a simple experiment on CLIP. We randomly select two classes from the ImageNet dataset, totaling 100 images, and use ['a photo of a xxx'] as the text to implement a simple zero-shot classification task with CLIP. The results are as follows:

Our method still performs the best, which demonstrates the generalizability of our approach.

Thank you for your constructive feedback, which will enhance the completeness and persuasiveness of our article.

Claims And Evidence

Figure 1 shows the extent of damage caused by adversarial perturbations to the phase spectrum and amplitude spectrum of images at different frequency components. The vertical axis represents the difference between the amplitude spectrum and phase spectrum of original clean samples and adversarial samples. It is not the Var mentioned in Section 3. To illustrate our theory in Section 3 more intuitively, we conduct experiments using Var as the vertical coordinate, and we provide the experimental results from low frequency to high frequency: (https://bashify.io/i/tBXTqh). These results are consistent with our theoretical analysis. Additionally, we find that the phase spectrum is more easily damaged compared to the amplitude spectrum, indicating the importance of preserving the phase spectrum during the purification process. Regarding final purification damage and attack damage of diffusion, we calculate the mean of different frequency variations for some samples. The experimental results are as follows: (https://bashify.io/i/CQpvZD). We observe that the trends of attack damage of diffusion and purification damage are consistent, which also supports our claims.

Different experimental conclusions

We cite this paper in the second paragraph of the Introduction and briefly claim the differences between these methods and ours. Here, we elaborate on the distinctions between this paper and our method. First, there is a difference in the measurement approach. This paper defines a Perturbation Gradients $\frac{dy}{d\delta}$ and observes its variation with frequency using the DCT decomposition. Therefore, more accurately, the conclusion of this paper should be that Perturbation Gradients are neither high frequency nor low frequency phenomena, while we directly measure the differences between the amplitude and phase spectrum values of adversarial samples in the frequency domain and those of normal samples. Additionally, the decomposition method we use is the DFT, which can directly compute the phase spectrum of images. The importance of the phase spectrum has been validated in many papers, such as (Chen et al., CVPR2021) and (Zhou et al., ICML2023).

Monotonicity of Equation 3

The RHS being monotonically decreasing requires both coefficients to be greater than 0. However, under the assumptions we derived, the coefficient of the first term is less than 0. However, this assumption is somewhat strong, so we re-derive part of the conclusions in the proof. Specifically, we re-derive the first moment of the amplitude spectrum:

$$\mathbf{x}_t(u,v) = \sqrt{\overline{\alpha}_t}\mathbf{x}_0(u,v)+\sqrt{1-\overline{\alpha}_t}\mathbf{\epsilon}(u,v)= \underbrace{\mathfrak{R}\mathfrak{e}(\sqrt{\overline{\alpha}_t}\mathbf{x}_0(u,v))+\mathfrak{R}\mathfrak{e}(\sqrt{1-\overline{\alpha}_t}\mathbf{\epsilon}(u,v))}_R+i\underbrace{(\mathfrak{I}\mathfrak{m}(\sqrt{\overline{\alpha}_t}\mathbf{x}_0(u,v))+\mathfrak{I}\mathfrak{m}(\sqrt{1-\overline{\alpha}_t}\mathbf{\epsilon}(u,v)))}_I$$

$R\sim\mathcal{N}(\mathfrak{R}\mathfrak{e}(\sqrt{\overline{\alpha}_t}\mathbf{x}_0(u,v)),\frac{1-\overline{\alpha}_t}{2})$ and $I\sim\mathcal{N}(\mathfrak{I}\mathfrak{m}(\sqrt{\overline{\alpha}_t}\mathbf{x}_0(u,v)),\frac{1-\overline{\alpha}_t}{2})$. We can see that the means of the real part and the imaginary part are different, the variances are the same, and they are independent of each other. Therefore, the amplitude $|\mathbf{x}_t(u,v)|$ follows a Rice distribution. "Therefore, we can utilize some known conclusions.With the assumption of $SNR_t>1$ in the Theorem 3.4. We can obtain the following conclusions：

$$\mathbb{E}(|\mathbf{x}_t(u,v)|)\approx \nu+\frac{\sigma^2}{2\nu}=\sqrt{\overline{\alpha}_t}|\mathbf{x}_0(u,v)| + \frac{1-\overline{\alpha}_t}{4\sqrt{\overline{\alpha}_t}|\mathbf{x}_0(u,v)|}$$

For $\mathbb{E}(|\mathbf{x}_t(u,v)|^2)$ we still use the conclusion derived from Equation 40. We re-derive $Var(\Delta A_t(u,v))$as follows:

$$\begin{aligned} Var(\Delta A_t(u,v)) &\approx \overline{\alpha}_t |\mathbf{x}_0(u,v)|^2+(1-\overline{\alpha}_t) + (\sqrt{\overline{\alpha}_t}|\mathbf{x}_0(u,v)| + \frac{1-\overline{\alpha}_t}{4\sqrt{\overline{\alpha}_t}|\mathbf{x}_0(u,v)|})^2\\ &=\frac{1-\overline{\alpha}_t}{2} -\frac{(1-\overline{\alpha}_t)^2}{16|\mathbf{x}_0(u,v)|^2\overline{\alpha}_t} \end{aligned}$$

It is clear that the RHS is monotonically increasing with respect to $t$.

Discussion

The characteristics of adversarial perturbations in the frequency domain are that the values of high-frequency components are greater than those of low-frequency components. Diffusion perturbations are normal Gaussian noise, and their amplitude and phase spectrum distributions in frequency domain conform to a normal distribution.

Missing Reference

We will add them in our paper.

We greatly appreciate your responsible and meticulous review. Your valuable feedback will improve our work greatly.

Q1.1: Assumption of Theorem 3.2

This assumption is indeed somewhat strong, especially for the amplitude spectrum of low frequencies. Therefore, to eliminate this assumption, we re-derive the first moment of the amplitude spectrum, as detailed below:

$$\mathbf{x}_t(u,v) = \sqrt{\overline{\alpha}_t}\mathbf{x}_0(u,v)+\sqrt{1-\overline{\alpha}_t}\mathbf{\epsilon}(u,v)= \underbrace{\mathfrak{R}\mathfrak{e}(\sqrt{\overline{\alpha}_t}\mathbf{x}_0(u,v))+\mathfrak{R}\mathfrak{e}(\sqrt{1-\overline{\alpha}_t}\mathbf{\epsilon}(u,v))}_R+i\underbrace{(\mathfrak{I}\mathfrak{m}(\sqrt{\overline{\alpha}_t}\mathbf{x}_0(u,v))+\mathfrak{I}\mathfrak{m}(\sqrt{1-\overline{\alpha}_t}\mathbf{\epsilon}(u,v)))}_I$$

$R\sim\mathcal{N}(\mathfrak{R}\mathfrak{e}(\sqrt{\overline{\alpha}_t}\mathbf{x}_0(u,v)),\frac{1-\overline{\alpha}_t}{2})$ and $I\sim\mathcal{N}(\mathfrak{I}\mathfrak{m}(\sqrt{\overline{\alpha}_t}\mathbf{x}_0(u,v)),\frac{1-\overline{\alpha}_t}{2})$. We can see that the means of the real part and the imaginary part are different, the variances are the same, and they are independent of each other. Therefore, the amplitude $|\mathbf{x}_t(u,v)|$ follows a Rice distribution. "Therefore, we can utilize some known conclusions.With the assumption of $SNR_t>1$ in the Theorem 3.4. We can obtain the following conclusions：

$$\mathbb{E}(|\mathbf{x}_t(u,v)|)\approx \nu+\frac{\sigma^2}{2\nu}=\sqrt{\overline{\alpha}_t}|\mathbf{x}_0(u,v)| + \frac{1-\overline{\alpha}_t}{4\sqrt{\overline{\alpha}_t}|\mathbf{x}_0(u,v)|}$$

For $\mathbb{E}(|\mathbf{x}_t(u,v)|^2)$ we still use the conclusion derived from Equation 40. We re-derive $Var(\Delta A_t(u,v))$as follows:

$$\begin{aligned} Var(\Delta A_t(u,v)) &\approx \overline{\alpha}_t |\mathbf{x}_0(u,v)|^2+(1-\overline{\alpha}_t) + (\sqrt{\overline{\alpha}_t}|\mathbf{x}_0(u,v)| + \frac{1-\overline{\alpha}_t}{4\sqrt{\overline{\alpha}_t}|\mathbf{x}_0(u,v)|})^2\\ &=\frac{1-\overline{\alpha}_t}{2} -\frac{(1-\overline{\alpha}_t)^2}{16|\mathbf{x}_0(u,v)|^2\overline{\alpha}_t} \end{aligned}$$

Therefore, our paper only has one assumption $SNR_t>1$.

Q1.2: Assumption of Theorem 3.4

The assumption $SNR_t>1$ is not strong. We plot a graph (https://bashify.io/i/Qn7ZX7) showing how $SNR_t$ changes with $t$, and it can be observed that the condition $SNR_t>1$ only occurs when $t=500$. In the experiment, for $l_{\infty}=\frac{8}{255}$ we choose $t=100$. This means that for attacks with a larger radius, this assumption can still be satisfied.

Q2: Frequency-Aware Attack Resilience

The attack methods used in our paper are all strong adaptive attacks, meaning that the attacker calculates the complete gradient of the defense system. This white-box attack has incorporated our strategy of retaining low frequencies into the gradient calculation. We test the generalization of our method using the code provided in paper: Frequency-driven Imperceptible Adversarial Attack on Semantic Similarity. The result is as follows (https://bashify.io/i/dj9GYO)

Q3: Phase Projection vs. Alternatives

Compared to the amplitude spectrum, the phase spectrum is more significantly affected by adversarial perturbations. Therefore, performing a projection operation can extract coarse-grained low-frequency phase information, while using a diffusion model can generate phase information that best fits the natural distribution within a specified range. Additionally, ablation experiments also demonstrate that directly replacing the phase spectrum is a suboptimal choice. To balance robustness vs overfitting, we use hyperparameter search to find the optimal parameter.

Q4: Hyperparameter Generalization

The hyperparameters exhibit a certain degree of generalization across datasets of the same size; for example, the parameters from the CIFAR-10 dataset can be transferred to the SVHN dataset. As for the ImageNet dataset, due to its larger size, the preserved frequencies must also be increased. We nearly double the values for $D_A$ and $D_P$, but we keep$\delta$ unchanged because the range of phase spectrum variation is$[0,2\pi]$, which is independent of the image size. Figure 5 shows the performance of suboptimal choices on the CIFAR-10 dataset; even with suboptimal results, our method still surpasses the state-of-the-art.

Q5: Perceptual Quality Metrics

Adversarial purification is strictly a classification task and does not concern itself with whether it will introduce artifacts. Previous methods only evaluated experimental metrics such as Standard Accuracy and Robust Accuracy. We also calculate FID and LPIPS (https://bashify.io/i/ZYZsP5).

Q6: Unspecified Subset Size

The size of the subset is fixed and remains consistent with previous methods. Considering that the subset may vary, we select multiple subsets for the experiments and report the experimental errors.

Thank you for your valuable feedback, which will enhance the integrity of our paper. To address your concerns, we have provided additional theoretical proofs and experiments. We sincerely hope our response resolves the concerns raised, and we would greatly appreciate reconsideration of the score.

W1&Q1 Computational Efficiency

Adversarial purification is a test-time defense that involves no training process, only an inference process. For example, for the ImageNet and CIFAR-10 datasets, we directly use the pre-trained weights of the corresponding diffusion models. In terms of inference time, our approach requires just one additional DFT/IDFT pair per time step, with minimal computational impact as the Fourier transform operations contribute negligible overhead. The inference time for various methods are as follows:

W2 Theoretical Proof

We provide a simple proof regarding how adversarial perturbations primarily disrupt the high-frequency components of an image.
The original image is denoted as $x$, the adversarial perturbation as $\delta$ and $F$ represents the Fast Fourier Transform.
The power spectrum characteristics of natural images follow the distribution as follows, where $\alpha>1$:

$$|F_x(w)|^2\propto \frac{1}{w^{\alpha}}\\$$

The definition of the noise to signal ratio (NSR) is as follows:

$$NSR(w)=\frac{|F_{\delta(w)}|^2}{|F_x(w)|^2}$$

Combining the above two formulas leads to the following relation:

$$NSR(w)\propto w^{\alpha}|F_{\delta}(w)|^2$$

We choose $\alpha=2$ , and we assume that the attack objective is to maximize the NSR:

$$\max\sum_{w}NSR(w)=\max\sum_{w} w^{2}|F_{\delta}(w)|^2$$

The above optimization objective should be satisfied when it is maximized:

$$|F_{\delta}(w)|^2\propto w^2$$

We find that the power of the perturbation in the frequency domain is proportional to the square of the frequency, meaning that the perturbation tends to disrupt the high-frequency information of the image.

Q2 A principled way to select optimal hyperparameters

We first observe Figure 1 to determine the approximate range where adversarial perturbations cause minimal damage. Within this range, for smaller datasets, we tend to use grid search to find the optimal hyperparameters. For larger datasets, such as ImageNet, we proportionally expand the optimal hyperparameters found on the smaller datasets to search for the optimal hyperparameters. Specifically, directly multiply by 2 or 3 at the same time and then perform a grid search around it.

Q3 Generalization to real-world scenarios

To demonstrate the generalizability of our method, we conduct relevant experiments in the context of adversarial patch. The method for constructing adversarial patch is described in [1]. The dataset is ImageNet, and the classifier is ResNet50. Since different attack methods do not affect standard accuracy, we only test robust accuracy. The results are as follows:

[1] Brown T B, Mané D, Roy A, et al. Adversarial patch[J]. arXiv preprint arXiv:1712.09665, 2017.

Thank you for your careful review and valuable feedback. We have made every effort to address your concerns. We believe that investigating diffusion model-based adversarial purification from a frequency-domain perspective enables further research.

Q1 Results for ASE+PSE without PSP

Thank you for your careful review. We indeed overlook this situation, and we have added the relevant experiments. The complete ablation experiment table is as follows:

The last line, ASE+PSE, represents our complete method.

Q2 Meaning of t*

In our paper, $t^*$ does not refer to the optimal value but rather to a hyperparameter. The adversarial purification based on diffusion models can be roughly divided into two stages. The first stage is the forward process, where noise is added; the role of $t^*$ is to control the intensity of the noise added. The second stage is the denoising process. Here, we select three different values for DiffPure on the ImageNet dataset to explore the best performance of the method under different hyperparameters for comparison.

Q2 A detailed explanation of evaluation metrics

The purpose of adversarial purification is to remove the adversarial perturbations from adversarial samples so that these samples can be classified correctly as much as possible, while minimizing the impact on the classification of normal samples. Let normal samples be represented by $x$ and adversarial samples by $x_{\text{adv}}$. The purification method is denoted as $\text{AP}$, and the classifier is represented by $f$.
For Standard Accuracy, we select a batch of normal samples and calculate whether the predicted labels $f(x)$ and $f(\text{AP}(x))$ are consistent. The Standard Accuracy is then computed as the number of consistent predictions divided by the total number of normal samples.
For Robust Accuracy, we select a batch of adversarial samples and calculate whether the predicted labels $f(x_{\text{adv}})$ and $f(\text{AP}(x_{\text{adv}}))$ are consistent. The Robust Accuracy is computed as the number of consistent predictions divided by the total number of adversarial samples. The number of samples we select is consistent with previous methods, and we conduct multiple rounds of experiments while calculating the errors.

Q3 Number of iterations about Baietal.,2024

The more iterations there are, the stronger the attack effect becomes, which leads to a decrease in robust accuracy. For the method proposed by Bai et al. (2024), the robust accuracy with half the number of iterations is lower than that of other methods. Therefore, the robust accuracy with the complete number of iterations will be even lower. In Table 1, the robust accuracy decreases from 49.22% to 48.92% under the full number of iterations.

Q4 Memory and computational overhead

Compared to other methods, our approach introduces an additional discrete Fourier transform and inverse discrete Fourier transform only once at each time step, and the time introduced by the Fourier transform is almost negligible. The inference times and memory used for various methods are as follows:

Suggestions: false reference number

Thank you for noticing this issue. We have made corrections and will check and correct other typos.