Adversarial purification with score-based generative model

Jongmin Yoon (KAIST)

He has been a PhD student in the Kim Jaechul Graduate School of Artificial Intelligence at Korea Advanced Institute of Science and Technology (KAIST), under the supervision of Professor Juho Lee, since August 2020. He received his bachelor’s and master’s degrees from the Department of Electrical Engineering at KAIST in 2015 and 2017, respectively. His research interests include generative modelling, adversarial robustness and stochastic processes.

Short Abstract: While adversarial training is considered a standard defense method against adversarial attacks for image classifiers, adversarial purification, which purifies attacked images into clean images with a standalone purification model, has shown promise as an alternative defense method. Recently, an Energy-Based Model (EBM) trained with Markov-Chain Monte-Carlo (MCMC) has been highlighted as a purification model, where an attacked image is purified by running a long Markov-chain using the gradients of the EBM. Yet, the practicality of the adversarial purification using an EBM remains questionable because the number of MCMC steps required for such purification is too large. In this paper, we propose a novel adversarial purification method based on an EBM trained with Denoising Score-Matching (DSM). We show that an EBM trained with DSM can quickly purify attacked images within a few steps. We further introduce a simple yet effective randomized purification scheme that injects random noise into images before purification. This process screens the adversarial perturbations imposed on images by the random noise and brings the images to the regime where the EBM can denoise well.
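The following toy sketch illustrates the randomized purification idea from the abstract on 2-D points; it is an added example, not code from the paper or the talk. It assumes the analytic score of a noise-blurred two-Gaussian mixture as a stand-in for a DSM-trained network, and the noise level, step size, step count and perturbation size are all constructed values.

```python
import math
import random

MODES = [(-2.0, 0.0), (2.0, 0.0)]   # constructed toy "clean data" clusters
DATA_STD = 0.1                      # spread of clean samples around each mode

def score(x, sigma):
    """Gradient of the log density of the clean data blurred by N(0, sigma^2 I).
    Stand-in (assumption) for what a DSM-trained model would approximate."""
    var = DATA_STD ** 2 + sigma ** 2
    logits = [-((x[0] - m[0]) ** 2 + (x[1] - m[1]) ** 2) / (2 * var) for m in MODES]
    top = max(logits)                            # subtract max for stability
    weights = [math.exp(l - top) for l in logits]
    total = sum(weights)
    return tuple(
        sum(w * (m[i] - x[i]) for w, m in zip(weights, MODES)) / (total * var)
        for i in range(2)
    )

def purify(x, rng, sigma=0.25, steps=5, step_frac=0.5):
    """Inject Gaussian noise first, then take a few steps along the score."""
    x = (x[0] + rng.gauss(0, sigma), x[1] + rng.gauss(0, sigma))
    alpha = step_frac * (DATA_STD ** 2 + sigma ** 2)   # assumed step size
    for _ in range(steps):
        g = score(x, sigma)
        x = (x[0] + alpha * g[0], x[1] + alpha * g[1])
    return x

def demo(n=200, eps=0.6, seed=0):
    """Mean distance to the true mode for perturbed vs. purified points."""
    rng = random.Random(seed)
    before = after = 0.0
    for _ in range(n):
        mode = rng.choice(MODES)
        clean = (mode[0] + rng.gauss(0, DATA_STD), mode[1] + rng.gauss(0, DATA_STD))
        attacked = (clean[0], clean[1] + eps)    # constructed off-manifold shift
        cleaned = purify(attacked, rng)
        before += math.dist(attacked, mode) / n
        after += math.dist(cleaned, mode) / n
    return before, after

if __name__ == "__main__":
    print("mean distance before/after purification:", demo())
```
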