Assessing Robustness via Score-based Adversarial Image Generation

We would like to thank the reviewer for their constructive and valuable feedback. In the following, we address their remarks and questions.

Comment: Could you elaborate on the relationship between different tasks such as GAS, GAT, and purification within the ScoreAG framework? Can they be integrated into an ensemble for attack or defense?
Response: In our framework, GAS and GAT are different forms of diffusion-based attacks, and GAP is a diffusion-based defense. The purification task GAP can be applied to defend against attacks generated by GAS and GAT. In Tab. 2, we show the performance of GAT on GAP. For convenience, we show it in the following table with the accuracy of GAS on GAP.

GAP is capable of successfully defending against both attacks, GAT and GAS.

Comment: How does ScoreAG ensure that the generated adversarial examples maintain semantic coherence and relevance?
Response: ScoreAG ensures the semantic coherence and relevance of generated adversarial images through two key mechanisms. Firstly, we employ a class-conditional score function, i.e., $\nabla\_{\mathbf{x}\_t}\log p\_{t,y^*} (\mathbf{x}\_t)$ (see Eq. 7), ensuring that the adversarial images retain the semantic attributes of the target class $y^*$. Secondly, the guidance term, i.e., $\nabla\_{\mathbf{x}\_t}\log p\_{t,y^*}(\mathbf{x}^*,f(\mathbf{x}\_0)=\tilde{y}|\mathbf{x}\_t)$ (see Eq. 7) ensures that the generated image preserves core-semantics of $x^*$ and is classified as $\tilde{y}$. Together, these two mechanisms generate semantic-preserving adversarial images of $x^*$.

Comment: Could you provide results and discussions comparing ScoreAG to other baseline methods in the human study section?
Response: To ensure semantic preservation, we extended the evaluation of ScoreAG with a human evaluation. While we agree that these results would be interesting for other methods, human studies have significant financial costs, and thus, we think it is the responsibility of the corresponding authors to provide these. Hence, due to financial constraints, it is not feasible for us to include other baselines.

Comment: Could you elaborate on the perceptual shifts or changes in the naturalness of adversarial images from ScoreAG compared to other methods?
Response: Existing works show that diffusion models are able to capture the diversity of the training distribution [1, 2]. Furthermore, we show that our synthetic adversarial attacks have a competitive FID, indicating a high similarity between the adversarial synthetic images and real images. We can also observe a high degree of realism and diversity in our qualitative examples.

We thank the reviewer again for their comments and feedback. We hope that we have satisfactorily answered the reviewer's questions. If you have any open concerns, please let us know.

[1] Bayat, Reza. "A Study on Sample Diversity in Generative Models: GANs vs. Diffusion Models." (2023).

[2] Dhariwal, Prafulla, and Alexander Nichol. "Diffusion models beat gans on image synthesis." Advances in neural information processing systems 34 (2021): 8780-8794.

We want to thank the reviewer for their feedback and questions. In the following, we address their comments.

Comment: Notion of "unrestricted" needs more discussion. Samples are still constrained to the manifold learned by the generative model. Analyzing the diversity/range of examples is important.
Response: We use the term "unrestricted" to emphasize that the adversarial attacks generated by ScoreAG are not bounded by any common $\ell_p$-norm. Thereby, we maintain a consistent terminology with related work [1, 2]. As correctly pointed out by the reviewer, it is important to clarify that while ScoreAG transcends traditional $\ell_p$-norm constraints, it still operates within the learned manifold of the generative model. This approach aligns with our goal of creating adversarial examples that are semantically meaningful and realistic rather than strictly adhering to normative limitations. We clarified this in the updated manuscript.

Comment: Why does ScoreAG outperform DiffAttack?
Response: While the ScoreAG and DiffAttack have many differences, we assume ScoreAG's key advantage is the ability to go through the whole latent space by utilizing diffusion guidance, while DiffAttack is limited to the last few steps. To verify this empirically, we compare how the performance of ScoreAG changes in the GAT setting when only denoising the last few steps.

The table shows the accuracy after applying GAT on the first 100 images of Cifar-10. As expected, 5 and 10 reverse steps, i.e., the values used by DiffAttack, are not sufficient for a successful attack.

Comment: Lack of certifiable robustness is a limitation.
Response: We now calculated certifiable robustness using randomized smoothing. See the general comment for more information.

Comment: The human study is limited in scope. Expanding this to quantify semantic similarity and diversity of examples would strengthen the evaluation.
Response: We agree with the reviewer that quantifying semantic similarity and diversity of the adversarial examples are important but not trivial as well. In our human study, we implicitly quantify similarity by capturing the semantic preservation through the human accuracy. For the GAT task, the human accuracy reaches 94%, implying semantic preservation of the images. The diversity, however, is correlated with the capabilities of the generative model and the dataset itself. We quantify the diversity of the generative model using the FID score in Fig.4 (left).

Comment: Missing references to unrestricted methods.
Response: We thank the reviewer for that reference. We added it in the updated manuscript.

We thank the reviewer again for their comments and feedback. We hope that we have satisfactorily answered the reviewer's comments. If you have any open concerns, please let us know.

[1] Chen, Jianqi, Hao Chen, Keyan Chen, Yilan Zhang, Zhengxia Zou, and Zhenwei Shi. "Diffusion Models for Imperceptible and Transferable Adversarial Attack." arXiv preprint arXiv:2305.08192 (2023).

[2] Song, Yang, Rui Shu, Nate Kushman, and Stefano Ermon. "Constructing unrestricted adversarial examples with generative models." Advances in Neural Information Processing Systems 31 (2018).

We thank the reviewer for their reply and the reference.

The mentioned work by Chen et al. (2023) was only recently published at NeurIPS 2023 and is thereby categorized as concurrent under ICLR guidelines:

We consider papers contemporaneous if they are published (available in online proceedings) within the last four months. That means, since our full paper deadline is September 28, if a paper was published (i.e., at a peer-reviewed venue) on or after May 28, 2023, authors are not required to compare their own work to that paper.

Furthermore, we cannot make an empirical comparison as the authors have not published their code yet. Nevertheless, we see several differences between their and our work. Most importantly,

• They perform a forward DDIM process to find the latent representation of an intermediate step, while we start from noise and do not require a latent mapping of the images.
• While we iteratively denoise our adversarial image using guided diffusion, Chen et al. (2023) refine their adversarial perturbation staying in the same latent step.
• Finally, ScoreAG leverages the whole diffusion process and latent space.

We will include a detailed discussion about the differences in the related work of the final manuscript.

We want to thank the reviewer for their constructive and valuable feedback. In the following, we address their remarks and questions.

Comment: Equation 7 is incorrect.
Response: We corrected the typo in the new manuscript.

Comment: Table 2 does not include Cifar-100 and TinyImagenet. Architectures are different for various methods; is the comparison fair?
Response: Our method uses the WRN-28-10, a widely used architecture for adversarial attacks and robustness. To make a fair comparison, we selected the best models using the same architecture and the best models overall, which use the WRN-70-16 architecture. Therefore, this is a biased comparison in favor of the WRN-70-16 architectures and the baselines. Note that the purification experiments require unconditional generative models as the ground-truth class labels are unknown. Therefore, our purification experiments are focused on the CIFAR-10 dataset, given the availability of unconditional pre-trained EDM models and extensive prior work [1, 2].

Comment: Why not use higher-resolution datasets for the human study?
Response: While selecting the dataset for the human trial, we prioritized maintaining the participant's accessibility, attention, and engagement. Moreover, datasets such as ImageNet contain classes that require specialized domain knowledge, e.g., "barn spider" and "garden spider". Although selecting a subset of ImageNet classes is an option, we ultimately decided against it to avoid introducing selection bias, which could skew the study's outcomes. This led us to select a dataset with a limited number of classes.

Edit (20.11):

Comment: Lack of details of the experimental implementation environment.
Response: We added a reproducibility statement and uploaded the code of ScoreAG. See the general comment for more information.

Comment: What is the runtime of ScoreAG?
Response: We added a runtime comparison to the appendix. For more details, see the general comment.

We thank the reviewer again for their comments and feedback. We hope that we have satisfactorily answered the reviewer's questions. If you have any open concerns, please let us know.

[1] Wang, Zekai, Tianyu Pang, Chao Du, Min Lin, Weiwei Liu, and Shuicheng Yan. "Better diffusion models further improve adversarial training." arXiv preprint arXiv:2302.04638 (2023).

[2] Karras, Tero, Miika Aittala, Timo Aila, and Samuli Laine. "Elucidating the design space of diffusion-based generative models." Advances in Neural Information Processing Systems 35 (2022): 26565-26577.

Comment: Table 1 and Table 2 should contain more baselines, classifiers, and standard deviations.
Response: We added standard deviations to Table 1 and Table 2. Furthermore, we now added two more attacks to Table 1, resulting in a total of 13 (excluding ScoreAG) evaluated attacks. Additionally, we also added four more classifiers evaluated on ScoreAG (GAT) to further demonstrate its efficacy. The following table shows the adversarial accuracy of GAT in % using the same hyperparameters as for the WRN-28-10 architecture.

Note that the models are obtained from PyTorch Hub. Therefore, we cannot report standard deviations. As we can observe, ScoreAG successfully generates adversarial attacks using different classifiers. We added these results to the updated manuscript.

In Table 2, we already compare ScoreAG to six state-of-the-art defenses and purification methods. However, we added an additional comparison to evaluate the certified robustness of GAP and randomized smoothing (see general comment). Note that the purification experiments require unconditional generative models as the ground-truth class labels are unknown. Therefore, our purification experiments are focused on the CIFAR-10 dataset, given the availability of unconditional pre-trained EDM models and extensive prior work [1, 2].

Comment: Authors claim that $\ell_p$-bounded methods display noticeable noisy fragments. Was it cherry-picking? Also, where does the the removal of a small fish statement come from?
Response: The images were not cherry-picked, and we observed the same noisy fragments across all samples. We uploaded more randomly chosen example images for APGD, APGDT, Square, and ScoreAG to Figshare. The importance of the removal of the small fish refers to Fig. 1a and 1b, meaning the observation that many of the images generated by ScoreAG remove or modify the fish next to the shark (representing the image class) in the image.

Comment: Practical application of ScoreAG.
Response: ScoreAG only requires a pre-trained score-based generative model and the gradients of a classifier. Therefore, it can be applied in any scenario where other attacks are currently used. Furthermore, traditional $\ell_p$-threat models often do not capture important semantics-preserving corruption relevant to real-world applications [3, 4, 5]. As ScoreAG effectively overcomes this limitation, it can be highly interesting for evaluating robustness in real-world scenarios.

Comment: Why are there no experimental results on ImageNet?
Response: Many methods in our comparison already reach a near-perfect success rate on TinyImageNet, which is a subset of ImageNet. As ImageNet contains five times as many labels and a higher resolution, it is an easier target. However, we included ImageNet in our qualitative evaluation due to its high resolution.

Comment: What is the Runtime of ScoreAG?
Response: We added a runtime comparison to other baselines and the EDM generative model itself. See the general comment for more information.

We again thank the reviewer for their comments and hope that we satisfactorily addressed them. If not, we are happy to address any remaining concerns.

[1] Wang, Zekai, Tianyu Pang, Chao Du, Min Lin, Weiwei Liu, and Shuicheng Yan. "Better diffusion models further improve adversarial training." arXiv preprint arXiv:2302.04638 (2023).

[2] Karras, Tero, Miika Aittala, Timo Aila, and Samuli Laine. "Elucidating the design space of diffusion-based generative models." Advances in Neural Information Processing Systems 35 (2022): 26565-26577.

[3] Eykholt, Kevin, Ivan Evtimov, Earlence Fernandes, Bo Li, Amir Rahmati, Chaowei Xiao, Atul Prakash, Tadayoshi Kohno, and Dawn Song. "Robust physical-world attacks on deep learning visual classification." In Proceedings of the IEEE conference on computer vision and pattern recognition, pp. 1625-1634. 2018.

[4] Kar, Oğuzhan Fatih, Teresa Yeo, Andrei Atanov, and Amir Zamir. "3d common corruptions and data augmentation." In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pp. 18963-18974. 2022.

[5] Hendrycks, Dan, Nicholas Carlini, John Schulman, and Jacob Steinhardt. "Unsolved problems in ml safety." arXiv preprint arXiv:2109.13916 (2021).

We would like to thank the reviewer for their valuable feedback. In the following, we address their raised concerns.

Comment: Human accuracy on the adversarial synthetic images is only 70%.
Response: The generative adversarial transformations (GAP) achieve an almost perfect human accuracy of 94%, equal to the accuracy on the non-adversarial synthetic images. This indicates that the adversarial attack does not degrade the semantic coherence for humans. We respectfully disagree with the reviewer that humans fail to classify the synthetic adversarial images. This is a novel task, and the human accuracy is 70%, which is 60% higher than guessing, implying a success. We expect future work to further improve these results with the development of better generative models.

Comment: Lack of quantitative results for the claim of a more comprehensive robustness assessment.
Response: GAS and GAT conceptually provide a more comprehensive robustness assessment than $\ell_p$-bounded adversarial attacks, as (i) all semantic-preserving adversarial examples within the $\ell_p$-balls are part of GAS and GAT given a reasonably trained generative model, and (ii) further incorporate semantic-preserving adversarial examples not captured by common $\ell_p$-threat models. Therefore, our claim of a more comprehensive robustness assessment stems from the inherent capability of GAS and GAT to cover a wider spectrum of adversarial examples, including those restricted by $\ell_p$-norm constraints. We want to note that we do not necessarily see GAS and GAT as a replacement for traditional attack methods but as complementary to explore semantic-preserving areas that are not included in common $\ell_p$-balls.

Comment: Comparison with similar work should be provided.
Response: We would like to thank the reviewer for the interesting reference. However, as the referenced paper was only recently published at ICCV2023, we would like to remind the reviewer that this work is categorized as concurrent under ICLR guidelines:

We consider papers contemporaneous if they are published (available in online proceedings) within the last four months. That means, since our full paper deadline is September 28, if a paper was published (i.e., at a peer-reviewed venue) on or after May 28, 2023, authors are not required to compare their own work to that paper.

However, we include a discussion of it in the related work section. Unfortunately, we are not able to include it in our experiments, as the code is not publicly available yet.

Comment: Unclear what Table 2 represents.
Response: The column labeled "ScoreAG" represents the attack GAT, while the corresponding row represents the purification GAP. We added this information to the table. While GAT aims to achieve a low robust accuracy, GAP aims to achieve a high accuracy. GAT achieves a slightly better accuracy than APGD and APGDT in many cases, implying a more comprehensive robustness assessment.