Deep neural networks (DNNs) are vulnerable to adversarial perturbations: an imperceptible perturbation added to an image can fool the network. Diffusion-based adversarial purification uses a diffusion model to regenerate a clean image from the adversarial one. Unfortunately, the generative process of the diffusion model is itself affected by the adversarial perturbation, since the diffusion model is also a deep network and its input carries that perturbation. In this work, we propose MimicDiffusion, a new diffusion-based adversarial purification technique that directly approximates the generative process the diffusion model would follow with the clean image as input. Concretely, we analyze the differences between the guidance terms computed from the clean image and from the adversarial sample. Based on this analysis, we first implement MimicDiffusion using the Manhattan distance, and then propose two guidance terms that purify the adversarial perturbation and approximate the clean-input diffusion process. Extensive experiments on three image datasets (CIFAR-10, CIFAR-100, and ImageNet) with three classifier backbones (WideResNet-70-16, WideResNet-28-10, and ResNet50) show that MimicDiffusion significantly outperforms the state-of-the-art baselines. On CIFAR-10, CIFAR-100, and ImageNet it achieves 92.67%, 61.35%, and 61.53% average robust accuracy, which is 18.49%, 13.23%, and 17.64% higher than the best baseline, respectively. The code is available in the supplementary material.
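The abstract's central observation is that a guidance term computed from the adversarial input differs from the one that would be computed from the (unavailable) clean image. The following is an added illustration, not the paper's code or method: it compares a Manhattan-distance (L1) guidance term, whose gradient with respect to the noisy sample is a sign vector, against a squared-L2 guidance term, whose gradient is linear in the residual. The clean "image", the L-infinity perturbation budget EPS = 8/255, the DDPM-style forward noising, and the absence of any trained denoiser are all assumptions made for the example; the paper's second guidance term is not modeled here.

```python
"""Added example (not from the MimicDiffusion paper): compare how much an
adversarial perturbation leaks into an L1 (Manhattan) guidance term versus
a squared-L2 guidance term across diffusion noise levels.

All inputs are constructed; there is no trained diffusion model here.
"""
import math
import random

EPS = 8 / 255  # assumed L-infinity budget, typical for CIFAR attacks


def sign(v: float) -> int:
    """Signum with sign(0) == 0, matching d|v|/dv away from zero."""
    return (v > 0) - (v < 0)


def make_pair(dim: int, seed: int = 0):
    """Constructed clean vector in [0.1, 0.9] and an L-inf adversarial copy
    x_adv = x_clean + EPS * s with s a random sign pattern (hypothetical)."""
    rng = random.Random(seed)
    x_clean = [rng.uniform(0.1, 0.9) for _ in range(dim)]
    x_adv = [c + EPS * rng.choice((-1.0, 1.0)) for c in x_clean]
    return x_clean, x_adv


def forward_diffuse(x, alpha_bar: float, rng: random.Random):
    """DDPM forward marginal: x_t = sqrt(alpha_bar) * x + sqrt(1 - alpha_bar) * z."""
    a, b = math.sqrt(alpha_bar), math.sqrt(1.0 - alpha_bar)
    return [a * xi + b * rng.gauss(0.0, 1.0) for xi in x]


def l1_guidance(x_t, x_ref):
    """Gradient of ||x_t - x_ref||_1 with respect to x_t: a sign vector."""
    return [sign(a - b) for a, b in zip(x_t, x_ref)]


def l2_guidance(x_t, x_ref):
    """Gradient of ||x_t - x_ref||_2^2 with respect to x_t."""
    return [2.0 * (a - b) for a, b in zip(x_t, x_ref)]


def l2_gap(x_t, x_clean, x_adv):
    """Per-coordinate gap between L2 guidance from the clean and adversarial
    references. Analytically this is 2 * (x_adv - x_clean) at every noise
    level, so the full perturbation enters the guidance at every step."""
    gc, ga = l2_guidance(x_t, x_clean), l2_guidance(x_t, x_adv)
    return [c - a for c, a in zip(gc, ga)]


def l1_mismatch_fraction(x_t, x_clean, x_adv):
    """Fraction of coordinates where the L1 guidance from the adversarial
    reference differs from the L1 guidance from the clean reference. This
    can only happen where x_t[i] falls inside the EPS-wide window between
    x_clean[i] and x_adv[i]; elsewhere both sign vectors agree."""
    gc, ga = l1_guidance(x_t, x_clean), l1_guidance(x_t, x_adv)
    return sum(c != a for c, a in zip(gc, ga)) / len(x_t)


def mismatch_by_noise_level(alpha_bars, dim=4096, trials=20, seed=1):
    """Monte Carlo estimate of the L1 mismatch fraction at each alpha_bar,
    noising the adversarial input (the only input a defender has)."""
    rng = random.Random(seed)
    x_clean, x_adv = make_pair(dim, seed)
    result = {}
    for ab in alpha_bars:
        fr = [
            l1_mismatch_fraction(forward_diffuse(x_adv, ab, rng), x_clean, x_adv)
            for _ in range(trials)
        ]
        result[ab] = sum(fr) / trials
    return result


if __name__ == "__main__":
    levels = [0.01, 0.1, 0.5, 0.9, 0.99, 1.0]
    for ab, frac in mismatch_by_noise_level(levels).items():
        print(f"alpha_bar={ab:<5} L1 guidance mismatch fraction = {frac:.4f}")
    xc, xa = make_pair(8)
    print("L2 guidance gap per coordinate:", [round(g, 4) for g in l2_gap(xa, xc, xa)])
```

Reading the output: at high noise (small alpha_bar) the noisy sample rarely lands inside the narrow EPS window, so the sign-valued L1 guidance computed from x_adv agrees with the one the clean image would have produced on almost every coordinate; as alpha_bar approaches 1 the sample collapses onto x_adv and every coordinate mismatches, whereas the squared-L2 gap is 2 * (x_adv - x_clean) at every noise level. This is only the constructed-data intuition for why a Manhattan-distance guidance is attractive; it is not a reproduction of the paper's analysis or its second guidance term.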