A Linearly Convergent GAN Inversion-based Algorithm for Reverse Engineering of Deceptions

We would like to highlight our main concern with this review. We noticed that this review is copy-pasted directly from a private review of this paper at another venue. We will respond to each comment individually below but note that several of these comments are addressed in the main paper already, so we find this review to be an unfair evaluation of our paper.

“One important contribution of this paper is that it has theoretical proof. However, the proof is based on the assumption that the activation functions in the described network are smooth and twice differentiable. However, it is not a very practical assumption.”

• First, there appears to be a confusion between the role of the assumption as a means to prove theoretical results and the practicality of the method. Our theoretical results demonstrate linear convergence guarantees under our set of assumptions. We note that the only prior works on this problem (as cited in our paper), provide convergence guarantees in the setting where the weights of the GAN are random or close to random. In contrast, our work is the first to move beyond this set of assumptions and provide a different convergence analysis. While in many cases assumptions can be too strong, one can often run the associated algorithm with or without these assumptions. In other words, theoretical assumptions need not impact the practicality of the method. Moreover, in this particular case, our assumption is weaker than existing assumptions made by relevant state-of-the-art work.

• The “Remark on Assumptions” in Section 5.2 and Appendix Section B.4 explicitly comment on the role of Assumption 1 on practical experiments and demonstrate the assumption does not affect inversion in practice. Thus, we argue our method has both theoretical and practical merits.

“From the dataset aspect, the paper only shows results on simple datasets. There is no result validating the performance on a more complicated and widely adopted dataset such as ImageNet. The comparison baselines are also limited. The authors only compare with SBSAD. The authors mentioned other RED methods without theoretical guarantees such as [10] [11] [25], but not comparisons are included. Furthermore, the paper only have results on PGD attack. It's not sure if the method can be generalized to other more recent attack types such as AutoAttack. It's also meaning to consider the adaptive attack case.

• We understand the concern the reviewer has on the datasets chosen for this paper. We would like to emphasize that our work is the first one to propose not only a nonlinear framework for this problem, but also a method with theoretical guarantees (as compared to existing black-box methods for related RED problems). Even the three nonlinear evaluation datasets in the paper highlight that prior state-of-the-art attack classification results with theoretical guarantees from Thaker et al fail at modelling the clean signal. Further, the key strength of our model is that any generative model can be used to model the clean data as long as it has favorable inversion properties. The StyleGAN-XL paper provides impressive empirical GAN inversion results on Imagenet, and it can easily be substituted as the generative model in our approach. For computational reasons, we could not perform comprehensive Imagenet extensions for the rebuttal period. However, we have some preliminary results on TinyImagenet, which show that for 100 test examples using $\ell_\infty$ and $\ell_2$PGD attacks separately on an AlexNet architecture, we have already observed a signal classification accuracy increase from 11% undefended to 39% using GAN inversion. We believe that the existing theoretical results and the current set of experiments nonetheless provide strong evidence for the merits of the proposed novel approach in reverse engineering attacks.

• We are not sure what references 10, 11, 25 in this paper are as the references are by author name.

• Our aim is provable attack classification using a dictionary model for the attacks. The work of Thaker et al provides a theoretical justification for using the dictionary model for PGD $\ell_p$ attacks (namely that attacks on test examples can be represented as linear combinations of attacks on training examples for a network that uses ReLU activations). It is not clear whether this model makes sense for more complex attacks such as AutoAttack, and so we defer a model for these classes of attacks to future work.

“How is the recovered clean signal look like? Is it close to the groundtruth clean example?”

Appendix Section B.4 provides qualitative results for reconstruction error and we observe that the reconstructed image is indeed close to the ground truth denoised image.

We thank the reviewer for their feedback and their appreciation of our thorough theoretical analysis, meticulous design of experiments, and thorough analysis of results. Below, we address each of the comments individually.

“In the introduction section of this article, authors use too much space to introducing the background, and takes too long to present the problem. The article lacks effective organization.”

Thank you for the feedback. We have condensed the introduction slightly to motivate the problem setup of RED more directly and uploaded a revision. We felt it was important to motivate the problem setup of RED in this way since it is distinctly different from standard literature in adversarial learning. Further, our approach builds closely on the prior work of Thaker et al, so we believe the discussion of the flaws in this work is crucial to understanding our contributions. We hope the reviewer finds that the current modifications to the introduction address their comments, but we would appreciate if the reviewer has more specific feedback on the presentation. Moreover, the rest of the paper is structured in a didactic manner: starting from problem setup, moving to a theoretical analysis structured in 3 settings that go in order of added complexity, and concluding with a discussion of experimental results. We respectfully disagree that the article lacks effective organization, but we would appreciate any specific feedback the reviewer has on improving readability and organization.

“The presentation of this article needs improvement, as there are many grammar issues, and it lacks readability. For example, in the third sentence of second paragraph, citing the related works between two commas.”

We respectfully disagree with the reviewer that there are many grammar issues with the article. Citing related works between two commas seems like a style choice as opposed to a grammar issue. To be consistent though, we have removed the extra comma in the three other citations in the paper which had that issue. Upon a thorough proofread, we have found no other grammar issues. We would appreciate if the reviewer has specific suggestions to further improve readability.

“The experiment is not much convincing, since it uses small datasets. 4）The results of the experiment cannot strongly support the algorithm's advantages.”

We attempted to perform experiments that convincingly showcase our theoretical results and the merits of the proposed algorithm, and we are glad that the reviewer found that we “meticulously designed experiments, thoroughly analyzed the experimental results, and demonstrated the effectiveness of the algorithm.” We understand the concern the reviewer has on the datasets chosen for this paper. We would like to emphasize that our work is the first one to propose not only a nonlinear framework for this problem, but also a method with theoretical guarantees (as compared to existing black-box methods for related RED problems). Even the three nonlinear evaluation datasets in the paper highlight that prior state-of-the-art attack classification results with theoretical guarantees from Thaker et al fail at modelling the clean signal. Further, the key strength of our model is that any generative model can be used to model the clean data as long as it has favorable inversion properties. The StyleGAN-XL paper provides impressive empirical GAN inversion results on Imagenet, and it can easily be substituted as the generative model in our approach. For computational reasons, we could not perform comprehensive Imagenet extensions for the rebuttal period. However, we have some preliminary results on TinyImagenet, which show that for 100 test examples using $\ell_\infty$ and $\ell_2$ PGD attacks separately on an AlexNet architecture, we have already observed a signal classification accuracy increase from 11% undefended to 39% using GAN inversion. We believe that the existing theoretical results and the current set of experiments nonetheless provide strong evidence for the merits of the proposed novel approach in reverse engineering attacks.

We thank the reviewer for their feedback and appreciation of the importance of the RED problem, the theoretical results that moves beyond the overly constraining assumptions of prior work, and empirical results on both synthetic and real data! Below, we address each of the comments individually.

“The paper could enhance its comparison with State-of-the-Art methods, particularly by evaluating signal accuracy in comparison to other leading works. A broader array of these methods should be taken into account for a more comprehensive comparison. The effectiveness of GAN inversion falls short compared to the performance achieved with diffusion models, which are commonly employed in current practical applications. Some studies, such as Nie et al., have explored the use of Diffusion Models for purification, resulting in enhanced performance. It might be worthwhile to incorporate these models in this context, considering their potential for estimating clean data. Additionally, comparing the results against such approaches could provide valuable insights.”

Thank you for the feedback. In the revised Appendix of the paper, we have added section B.8 and Table 6 which provide a comparison of our approach and the method that uses diffusion models for the underlying generative model instead of GANs. We show the table here as well. Using our approach, one can alternate between denoising using diffusion models and classifying the attack using the attack dictionary as we have done in this work. Specifically, let $D(x')$ be the denoised version of $x'$ by passing through the forward and reverse process of a diffusion model $D$ (DiffPure approach from Nie et al.) . Then, our modelling assumption is that $x' \approx D(x') + D_a c_a$. Our alternating algorithm then becomes in each step to perform two operations: a) compute $D(x')$ b) use proximal gradient descent steps to fit the model for $c_a$. We call this method BSD-DP and BSD-DP-AD for signal and attack classification respectively (where DP stands for DiffPure).

We find that while the diffusion model is a powerful denoiser and yields slightly improved signal classification accuracy on average over different $\ell_p$ attacks, it does not result in accurate reconstructions of the original image, which yields poor attack classification accuracy compared to our approach using GANs. Please refer to Appendix Section B.8 for more analysis. Further, a strong benefit of our approach is that it comes with theoretical guarantees on GAN inversion and attack classification, whereas provable denoising using diffusion models with complex nonlinear reverse processes is an open problem.

Adversarial image and attack classification accuracy on CIFAR-10 dataset for 100 test examples. See text above for column descriptions. DP stands for DiffPure.

“The evaluation included a comparison of performance in terms of adversarial signal classification accuracy and attack classification accuracy. In addition to assessing robust accuracy, it would be beneficial to extend the comparison to include clean accuracy.”

Thank you for pointing this out, Table 1 already contains a row for clean accuracy on the MNIST dataset, but we have modified the paper to include clean accuracy on the CIFAR-10 dataset as well.