Problem
Research questions and friction points this paper is trying to address.
adversarial purification
diffusion models
adaptive attacks
semantic preservation
temporal denoising
TARO: Temporal Adversarial Rectification Optimization Using Diffusion Models as Purifiers
career value
186K/year
🤖 AI Summary
Existing adversarial purification methods struggle to simultaneously preserve semantic fidelity and achieve robustness against adaptive attacks. This work proposes a diffusion-based purification framework operating at inference time, which introduces a novel time-guided mechanism to construct multi-scale denoising views along the diffusion trajectory. By dynamically distinguishing between high- and low-noise stages, the method balances global robust correction with fine-grained detail preservation. Additionally, it incorporates a test-time residual objective to refine score estimation. Evaluated in a zero-shot setting, the approach significantly improves robust accuracy across diverse datasets and adaptive threat models, and further enhances defense performance when combined with adversarial likelihood objectives.
📝 Abstract
Adversarial purification with diffusion models seeks to project adversarial examples back toward the data manifold, but balancing semantic preservation and robustness against adaptive attacks remains challenging. Recent work shows that standard diffusion purification can fail under adaptive evaluation, while test-time score-based optimization is more resilient. Existing optimization defenses, however, typically rely on a single diffusion noise regime or treat timesteps uniformly, overlooking the distinct roles of coarse and fine denoising scales. We propose Temporal Adversarial Rectification Optimization (TARO), an inference-time purification method that builds a temporally guided score prior from multiple denoising views along the diffusion trajectory. TARO forms a coarse-to-fine residual target: high-noise experts provide globally smoothed structure with reduced adversarial sensitivity, while low-noise experts restore image-specific, class-relevant details. A guidance strength controls this temporal correction, allowing TARO to balance robust global rectification with semantic preservation. Empirically, TARO improves robust accuracy across datasets and adaptive threat models in a zero-shot setting, while remaining compatible with complementary adversarial-likelihood objectives for further robustness gains.
Innovation
Methods, ideas, or system contributions that make the work stand out.
adversarial purification
diffusion models
temporal guidance
score-based optimization
adaptive attacks
🔎 Similar Papers
2024-08-01arXiv.orgCitations: 1
💼 Related Jobs
