Towards Understanding the Robustness of Diffusion-Based Purification: A Stochastic Perspective

Q4: Pre-training of "ADDT w/o RGBM" and "ADDT" models.

Both "ADDT w/o RGBM" and "ADDT" models are fine-tuned from the same pre-trained diffusion models. We will clarify this point better in the paper.

Q6: Experiments for adversarial perturbation with $\ell _ {2}$ normalization.

We acknowledge that mapping perturbations to a spherical shell is a beneficial aspect of RBGM. However, we contend that RBGM encompasses more than this, as discussed in our General Response.

We compare DP_DDPM adopting models trained with $\ell _ {2}$-normalized perturbations and those with RBGM-mapped perturbations as you suggest. The results in the table below reveal that although models trained with $\ell _ {2}$-normalized perturbations perform better in some circumstances under $\ell _ {2}$ attacks (potentially because these perturbations are more similar to the perturbations produced by $\ell _ {2}$ attack during testing), ADDT exhibits consistently higher robustness under $\ell_{\infty}$ attacks. Furthermore, ADDT achieves comparable performance under $\ell_{2}$ attacks and achieves higher performance in scenes with more NFEs. In addition, ADDT exhibits a lower FID value, indicating better preservation of generative capability.

To explain these results, we propose that the conventional training of diffusion models is predicated on the assumption:

$x _ t = \sqrt{\overline{\alpha} _ t} x _ 0 + \sqrt{1 - \overline{\alpha} _ t} \epsilon$.

whereas ADDT can be represented as:

$x _ t = \sqrt{\overline{\alpha} _ t} x_0 + \sqrt{1 - \lambda _ t^2} \sqrt{1 - \overline{\alpha} _ t} \epsilon + \lambda _ t \sqrt{1 - \overline{\alpha} _ t} \epsilon _ {\delta}(\delta)$.

During ADDT training, our goal is to design perturbations that mimic the characteristics of traditional diffusion models. Both RBGM and $\ell _ {2}$ normalization should be considered as certain approximations in this context. As discussed in our General Response, RBGM may emerge as a more accurate approximation.

We're truly grateful for your constructive comments and appreciate the opportunity to clarify and expand on the points you have raised.

W1: Clarification on the diffusion discretization forms and model architecture.

Thank you for your valuable feedback. We sincerely apologize for any confusion caused by the lack of formality in our statement.

We fully agree with your points regarding diffusion frameworks. VPSDE (DDPM++) is a continuous diffusion process. It has multiple discretization forms, one of which is DDPM. Specifically, VPSDE in DiffPure adopts the same discretization form as DDPM (Appendix C in ScoreSDE [1]). To clarify, when we state "Note that DDPM is mathematically equivalent to the DDPM++ (VPSDE) model used in DiffPure" in line 162-163, we intend to emphasize that the mathematical differences between these frameworks are minimal and have little influence on the defense performance.

We also acknowledge your point that DDPM constitutes a mathematical framework that is distinct from any neural network architecture. In our statement that "DDPM ... employs a smaller UNet architecture" in line 162-163, our reference to DDPM and DDPM++ was intended to encompass both the mathematical framework and the implementation aspects. We aim to highlight that the performance differences between DP_DDPM and DiffPure are primarily due to variations in network architecture rather than the mathematical framework.

We appreciate your recommendations and will address these informal expressions in our revisions.

[1]Song Y, Sohl-Dickstein J, Kingma D P, et al. Score-based generative modeling through stochastic differential equations. ICLR, 2021.

Q1: Clarification for the trajectory in Figure 1.

The points in Figure 1 are indeed obtained by sampling at each step of the PGD-20 attack. In this plot, the $xy$-plane represents the input space, and the $z$-axis represents the loss. At the beginning of the attack process, the points start from the same zero points (torch.zeros_like(images)) and are sparsely distributed along the trajectory, indicating relatively large steps and rapid increases in loss. As the attack progresses, the movements become smaller, and the points become denser, signifying finer adjustments to the perturbations.

We believe this behavior is characteristic of the adversarial perturbation optimization process in PGD. During the initial steps, adversarial perturbations make larger, uniform-length movements, resulting in significant changes in the loss. After several optimization steps, the perturbations approach the attack constraints, resulting in smaller refinements in subsequent steps. While the loss continues to increase, the rate of growth slows compared to the initial stages.

We hope this clarifies the dynamics depicted in Figure 1 and provides a better understanding of the attack trajectory.

Q2 & Q5: The motivation and the purpose of RBGM.

In short, RBGM was inspired by the need to incorporate adversarial perturbations into diffusion model training. Traditional diffusion models rely on Gaussian noise to guide the process, and we want to emulate the Gaussian properties in the transformation of adversarial perturbations. For more details, please refer to our General Response.

Q3: Exploring training with adversarial perturbations using Gaussian noise order.

We agree that reshaping the distribution of values is an important aspect of RBGM. As you suggest, we have run the experiment of using the order of Gaussian noise but the values of adversarial perturbations on DP_DDPM. The results are presented in the table below. Note that for a fair comparison, we normalize the adversarial perturbations by adjusting its mean and variance, since the magnitude of their original values (accumulated gradients via EoT) are much smaller than that of standard Gaussian noise.

Our results indicate that using the order of the Gaussian noise with the values of the adversarial perturbations achieves lower accuracy than vanilla models on both clean and robust samples.

Dear Reviewer mx31:

We sincerely appreciate your thorough and constructive review. Your detailed feedback has been invaluable in helping us refine and strengthen our research paper.

In response to your feedback, we have provided detailed explanations and made revisions to our paper. Should you have any further questions or need additional clarification, please do not hesitate to discuss with us.

Q1: Whether diffusion models are necessary for stochasticity-based adversarial defense.

Thank you for your insightful question.

We appreciate your interest in exploring alternative stochasticity-based defense methods without using diffusion models. Indeed, DBP is not the only randomized defense method, and several different approaches exist, such as denoising autoencoders [1] and randomized masking [2]. However, among these approaches, DBP stands out by demonstrating better robustness against adaptive attacks.

As you suggest, we explore whether using an off-the-shelf image denoising network without an iterative reverse process can also produce relatively good defensive performance. Here we introduce a consistency model [3] which only requires one denoising step for each inference. It uses the same UNet as DiffPure and is distilled from a diffusion model. We set the forward noise strength to 0.5, which is higher than DiffPure for more stochasticity. It could be represented as

$x _ \text{purified} = \text{UNet}(x _ 0 + 0.5 \times \epsilon)$.

We apply this purification method to the same pre-trained WRN-28 classifier as in our paper, and it achieves 49.32% under $\ell _ {\infty}$ attack with PGD20+EoT10, as shown in the table below. However, its performance still lags behind DiffPure. This can be explained by the stronger stochasticity of DiffPure due to its iterative random reverse processes, as indicated by the comparison of DDPM and DDIM in Sec. 4.1.

We would like to further emphasize that not all image denoising networks work well. As an example, we keep the noise strength and the UNet architecture identical and only change the training method of the denoising network. Specifically, we study two models: (1) a denoising UNet trained with $\ell _ {2}$ reconstruction loss, and (2) a UNet jointly trained with the classifier using cross-entropy loss. The results in the table below suggest that applying these two models for defense can also provide non-trivial robust accuracy, but the performance is significantly lower than using diffusion or consistency models.

Given these preliminary results, we believe that the question you raised is valuable and worthy of further exploration in the future.

[1] Gu S, Rigazio L. Towards deep neural network architectures robust to adversarial examples. ICLR, 2015.
[2] Ughini G, Samele S, Matteucci M. Trust-no-pixel: A remarkably simple defense against adversarial attacks based on massive inpainting. IJCNN, 2022.
[3] Song Y, Dhariwal P, Chen M, et al. Consistency models. ICML, 2023.

Dear Reviewer nzsE:

Thank you for the time and expertise you've dedicated to reviewing our work. We are deeply grateful for your continued support. Your encouragement and feedback are invaluable.

We are grateful for your detailed feedback, which is invaluable in improving the clarity and depth of our paper.

W1：More results under DW-box attack.

We perform further experiments on the VPSDE and EDM models under the proposed Deterministic White-Box (DW-box) attack. These additional results show that ADDT provides a consistent improvement.

Additionally, we have also provided a comparison between Vanilla and ADDT models under different NFEs for DP_DDPM in White-box and DW-box attacks in Figure 11 of Appendix N. These results also demonstrate the consistent improvement.

W2: Clarification on Figure 3.

We apologize for any misunderstanding caused by the initial representation. The trajectory depicted in Figure 3 actually averages over 128 images, as mentioned in the caption and detailed in Appendix F. To create this plot, we project the attack trajectories onto the plane defined by the deterministic white-box attack direction and the orthogonal direction. We then average the attack trajectories on 128 images to obtain a clear and reliable representation.

W3 & Q1: The differences between RBGM-mapped perturbations and pure Gaussian noise.

Intuitively speaking, the RBGM-mapped perturbation could be seen as "picked from a Gaussian distribution"; however, its distribution is no longer purely Gaussian and is "more adversarial" than Gaussian noise. Hence, ADDT is more akin to adversarial training (AT) rather than simply training with additional data. Further discussions on RBGM can be found in the General Response.

Here we provide an additional experiment justifying the difference between RBGM-mapped perturbations and Gaussian noise. We mix clean images with 0.03 times Gaussian noise and RBGM-mapped perturbations. The results are as follows, showing that RBGM-mapped perturbations are indeed adversarial to the model.

Hence, through ADDT and RBGM, we integrate adversarial perturbations into the training of DBP models, equipping them with the power to directly counter adversarial perturbations. We hope this clarification resolves your confusion, and we will also provide clearer explanations in the final revision.

Q2: Reason for choosing the range of the modulation term in Lines 362-264.

In traditional adversarial attacks, perturbations are directly added to the image, resulting in an adversarially modified image $x_{adv} = x_0 + \delta$, where $x_0$ denotes the original input image, and $\delta$ represents the adversarial perturbation. In our approach ADDT, we integrate this concept into the diffusion process, yielding $x_t = \sqrt{\overline{\alpha}_t} (x_0 + \delta) + \sqrt{1 - \overline{\alpha}_t} \epsilon$. To train a diffusion model capable of purifying such perturbations, we combine the perturbation and noise, reformulating the equation as: $x_t = \sqrt{\overline{\alpha} _ t} x_0 + \sqrt{1 - \overline{\alpha} _ t} (\epsilon + \frac{\sqrt{\overline{\alpha} _ t}}{\sqrt{1 - \overline{\alpha} _ t}} \delta)$, where the term $\frac{\sqrt{\overline{\alpha} _ t}}{\sqrt{1 - \overline{\alpha} _ t}}$ is denoted as $\gamma _ t$. Given that $\alpha _ t$ ranges from 0 to 1, $\gamma _ t$ spans from 0 to $\infty$. To ensure the adversarial perturbation remains within a manageable intensity, we constrain its value to lie between $\lambda _ {\text{min}}$ and $\lambda _ {\text{max}}$.

The selection of the modulation term $\lambda_{\text{unit}}$ is based on our experimental findings. As shown in Table 23 in Appendix O, the performance of ADDT is relatively insensitive to the specific value of $\lambda _ {\text{unit}}$ within the tested range, showing consistent improvement across different attack settings. We choose $\lambda _ {\text{unit}} = 0.03$ as it achieves generally better performance on both $\ell _ \infty$ and $\ell _ 2$ attacks.

Thank you again for your thorough and thoughtful feedback. We will improve the paper according to our replies above.

Dear Reviewer TLr9:

Thank you for your support. We are deeply grateful for your positive feedback on our paper. Your constructive comments have been invaluable in refining our work, and we have carefully addressed them in the revised version.

We sincerely appreciate your recognition of our efforts and your encouragement throughout the discussion.

Thank you for your constructive feedback, which provided us with valuable directions for revising our paper.

W1: Complexity analysis and comparison.

Prior work [1] provides a discussion on the inference costs associated with Diffusion-Based Purification (DBP) methods. We cite some of the results in the table below, which shows the inference time (seconds), with the increase of $t^* = 0.1$ over $t^* = 0$ indicated in parentheses.

While sharing a complexity profile with standard DBP, our method significantly reduces computational overhead through the use of ADDT. As shown in Table 3 in our paper, with just 20 NFEs, we achieve performance on par with DP_DDPM at 100 NFEs, reducing computational time by up to 80%.

W2: Comparison with AT adopting diffusion models for data augmentation.

We compare the robust accuracy of DBP models and AT models that adopt diffusion models for data augmentation [2]. The evaluation was conducted on WRN-28-10 under the PGD20 attack (with PGD20+EoT10 for DiffPure and ADDT). The results are summarized in the table below.

While AT performs better under the same norm as training, ADDT shows improved performance on adversarial examples under different norms, suggesting better generalization against unseen attacks.

W1&W2: Broader discussion of DBP and AT adopting diffusion models for data augmentation.

DBP and AT methods fundamentally differ in their mechanisms and applications. Mechanistically, DBP leverages stochasticity to avoid the most effective attack directions. In contrast, diffusion models adopted by AT enhance robustness indirectly by generating synthetic images to expand the training dataset. From the perspective of computation cost, DBP does not alter the training of the classifier, and a single diffusion model can be used to protect multiple classifiers, offering adaptability across various tasks. However, it incurs higher inference costs due to its iterative purification process. In contrast, AT adopting diffusion models for data augmentation requires independent and resource-intensive training for each classifier, while no additional inference cost is needed.

In this paper, the effectiveness of ADDT highlights the potential synergy between DBP and established AT methods for further performance enhancement. It is also important to note that DBP is still in its early stages of exploration, and techniques such as model distillation [3][4] and latent space diffusion[5] hold great potential for further accelerating DBP. Hence, we believe that further studies on DBP are worthwhile.

W3: Why replacement is required for RBGM.

While it is possible to adjust the distribution of perturbation values to align their mean and variance, this does not ensure that the overall distribution of the values exhibits Gaussian characteristics. Specifically, even if the mean and variance are aligned, the underlying distribution of perturbation values can vary significantly, e.g., some may be more clustered, while others might display a broader and more uniform spread. In addition, the distribution of perturbation values across different images and timesteps $t$ may have various characteristics, as illustrated in our General Response.

By adopting RBGM, we ensure that the values of these perturbations consistently follow a Gaussian distribution, regardless of the images or timesteps. Meanwhile, it brings stochasticity and reduces the risk of overfitting specific images. More details can be found in our General Response.

We hope this response addresses your concerns.

[1] Nie, Weili, et al. Diffusion Models for Adversarial Purification. ICML, 2022.
[2] Wang, Zekai, et al. Better diffusion models further improve adversarial training. ICML, 2023.
[3] Song Y, Dhariwal P, Chen M, et al. Consistency models. ICML, 2023.
[4] Salimans T, Ho J. Progressive Distillation for Fast Sampling of Diffusion Models. ICLR, 2022.
[5] Rombach R, Blattmann A, Lorenz D, et al. High-resolution image synthesis with latent diffusion models. CVPR, 2022.

Dear Reviewer gEWD:

We sincerely appreciate your thorough and constructive review. Your detailed feedback has been invaluable in helping us refine and strengthen our paper.

In response to your feedback, we have provided detailed explanations and made revisions to our paper. Should you have any further questions or need additional clarification, please do not hesitate to discuss with us.