Deep neural networks (DNNs) have a wide range of applications in the field of image denoising, and they are superior to traditional image denoising. However, DNNs inevitably show vulnerability, which is the weak robustness in the face of adversarial attacks. In this paper, we find some similitudes between existing deep image denoising methods, as they are consistently fooled by adversarial attacks. First, denoising-PGD is proposed which is a denoising model full adversarial method. The current mainstream non-blind denoising models (DnCNN, FFDNet, ECNDNet, BRDNet), blind denoising models (DnCNN-B, Noise2Noise, RDDCNN-B, FAN), and plug-and-play (DPIR, CurvPnP) and unfolding denoising models (DeamNet) applied to grayscale and color images can be attacked by the same set of methods. Second, since the transferability of denoising-PGD is prominent in the image denoising task, we design experiments to explore the characteristic of the latent under the transferability. We correlate transferability with similitude and conclude that the deep image denoising models have high similitude. Third, we investigate the characteristic of the adversarial space and use adversarial training to complement the vulnerability of deep image denoising to adversarial attacks on image denoising. Finally, we constrain this adversarial attack method and propose the L2-denoising-PGD image denoising adversarial attack method that maintains the Gaussian distribution. Moreover, the model-driven image denoising BM3D shows some resistance in the face of adversarial attacks.

翻译：深度神经网络（DNN）在图像去噪领域具有广泛应用，且性能优于传统图像去噪方法。然而，DNN不可避免地暴露出脆弱性，即面对对抗攻击时鲁棒性不足。本文发现现有深度图像去噪方法之间存在相似性，因为它们均会被对抗攻击持续误导。首先，我们提出了一种针对去噪模型的完全对抗方法denoising-PGD。当前主流的非盲去噪模型（DnCNN、FFDNet、ECNDNet、BRDNet）、盲去噪模型（DnCNN-B、Noise2Noise、RDDCNN-B、FAN），以及应用于灰度图像和彩色图像的即插即用型（DPIR、CurvPnP）与展开型去噪模型（DeamNet），均可被同一组方法攻击。其次，由于denoising-PGD在图像去噪任务中具有显著的可迁移性，我们设计实验探究该可迁移性背后的潜在特征。我们将可迁移性与相似性相关联，得出结论：深度图像去噪模型具有高度相似性。第三，我们研究了对抗空间的特征，并利用对抗训练来弥补深度图像去噪在对抗攻击下的脆弱性。最后，我们对这种对抗攻击方法进行约束，提出了一种保持高斯分布的L2-denoising-PGD图像去噪对抗攻击方法。此外，模型驱动的图像去噪方法BM3D在面对对抗攻击时表现出一定抵抗能力。