基于直接引导扩散模型的对抗净化方法

doi:10.11772/j.issn.1001-9081.2025030384

《计算机应用》唯一官方网站

• • 下一篇

基于直接引导扩散模型的对抗净化方法

胡岩¹,李鹏^1,2,成姝燕¹

1.南京邮电大学计算机学院、软件学院、网络空间安全学院 2.南京邮电大学网络安全与可信计算研究所

收稿日期:2025-04-14 修回日期:2025-06-05 发布日期:2025-07-01 出版日期:2025-07-01
通讯作者: 李鹏
作者简介:胡岩(2001—)，男，江苏泰州人，硕士研究生，主要研究方向：深度学习、对抗攻击与防御；李鹏(1979—)，男，福建长汀人，教授，博士生导师，博士，CCF会员(NO.48573M)，主要研究方向：计算机通信网络、无线传感器网络、信息安全；成姝燕(1999—)，女，山西临汾人，博士研究生，主要研究方向：深度学习、对抗攻击与防御。
基金资助:
国家自然科学基金资助项目(62102194)；江苏省六大人才高峰高层次人才项目(RJFW-111)

Adversarial purification method based on directly guided diffusion model#br#
#br#

HU Yan ¹, LI Peng^1,2, CHENG Shuyan¹

1.School of Computer Science, Nanjing University of Posts and Telecommunication 2.Institute of Network Security and Trusted Computing, Nanjing University of Posts and Telecommunication

Received:2025-04-14 Revised:2025-06-05 Online:2025-07-01 Published:2025-07-01
About author:HU Yan, born in 2001, M. S. candidate. His research interests include deep learning, adversarial attack and defense. LI Peng, born in 1979, Ph. D., professor. His research interests include computer communication networks, wireless sensor networks, information security. CHENG Shuyan, born in 1999, Ph. D. candidate. Her main research interests include deep learning, adversarial attack and defense.
Supported by:
National Natural Science Foundation of P.R. China (62102194); Six Talent Peaks Project of Jiangsu Province(RJFW-111)

摘要/Abstract

摘要： 深度神经网络（DNN）容易受到对抗扰动的影响，因此攻击者会通过向图像中添加难以察觉的对抗扰动以欺骗DNN。基于扩散模型的对抗净化方法使用扩散模型生成干净样本来防御此类攻击，但扩散模型本身也会受到对抗扰动的影响。因此，提出了新颖的对抗净化方法StraightDiffusion，使用对抗样本直接引导扩散模型的净化过程。首先，探讨了现有方法在使用扩散模型进行对抗净化时存在的关键问题与局限性；其次，提出了一种新的采样方式，在去噪过程中使用两阶段引导方式——头引导和尾引导，即在去噪过程的初期和末期进行引导，其他阶段不使用引导。在CIFAR-10和ImageNet数据集以及3个分类器WideResNet-70-16、WideResNet-28-10、ResNet50上的实验结果表明，StraightDiffusion具有超过基线方法的防御性能，在CIFAR-10和ImageNet数据集上相较于去噪模型用于对抗净化（Diffpure）、净化引导扩散模型（GDMP）等方法取得了最好的标准准确率和鲁棒准确率。实验结果验证了所提方法能够提升净化效果从而提高分类模型面对对抗样本的鲁棒准确率，实现了多攻击场景下的有效防御。

关键词: 对抗扰动, 对抗净化, 扩散模型, 鲁棒准确率, 神经网络, 引导

Abstract: Deep Neural Networks (DNNs) are susceptible to adversarial perturbations, so attackers may deceive DNNs by adding imperceptible adversarial perturbations to the image. The adversarial purification method based on diffusion model uses diffusion model to generate clean samples to defend against such attacks, but the diffusion model itself is also affected by adversarial perturbations. To combat such attacks, diffusion models were used for adversarial purification, where clean samples were generated to restore model robustness. However, diffusion models themselves were also influenced by adversarial perturbations. Therefore, a novel adversarial purification approach named StraightDiffusion was proposed, in which the diffusion process was directly guided by adversarial samples. Firstly, key problems and limitations of existing methods that used diffusion models for adversarial purification were discussed. Secondly, a new sampling method was proposed, which used a two-stage guidance approach in the denoising process — head guidance and tail guidance. Guidance was applied only in the early and late stages of denoising, and not in other stages. Experiments were conducted on CIFAR-10 and ImageNet datasets using three classifiers—WideResNet-70-16, WideResNet-28-10, and ResNet50. The results showed that StraightDiffusion outperformed baseline methods in defense performance. Compared to diffusion models for adversarial purification (Diffpure) and guided diffusion model for purification (GDMP), the best standard and robust accuracy was achieved on both CIFAR-10 and ImageNet datasets. The experimental results verified that the proposed method could improve purification performance, thereby enhancing the robust accuracy of classification models against adversarial samples and achieving effective defense under multiple attack scenarios.

Key words: adversarial perturbation, adversarial purification, diffusion model, robust accuracy, neural network, guidance

中图分类号:

TP389.1

胡岩李鹏成姝燕. 基于直接引导扩散模型的对抗净化方法[J]. 计算机应用, DOI: 10.11772/j.issn.1001-9081.2025030384.

HU Yan, LI Peng, CHENG Shuyan. Adversarial purification method based on directly guided diffusion model#br#

#br#

[J]. Journal of Computer Applications, DOI: 10.11772/j.issn.1001-9081.2025030384.

[1]	刘超, 余岩化. 融合降噪策略与多视图对比学习的知识感知推荐模型[J]. 《计算机应用》唯一官方网站, 2025, 45(9): 2827-2837.
[2]	卢燕群, 赵奕奕. 基于层次图神经网络和差异化特征学习的客户流失预测模型[J]. 《计算机应用》唯一官方网站, 2025, 45(9): 3057-3066.
[3]	张宏俊, 潘高军, 叶昊, 陆玉彬, 缪宜恒. 结合深度学习和张量分解的多源异构数据分析方法[J]. 《计算机应用》唯一官方网站, 2025, 45(9): 2838-2847.
[4]	梁永濠, 李金龙. 用于神经布尔可满足性问题求解器的新型消息传递网络[J]. 《计算机应用》唯一官方网站, 2025, 45(9): 2934-2940.
[5]	石超, 周昱昕, 扶倩, 唐万宇, 何凌, 李元媛. 基于骨架和3D热图的注意缺陷多动障碍患者动作识别算法[J]. 《计算机应用》唯一官方网站, 2025, 45(9): 3036-3044.
[6]	吕景刚, 彭绍睿, 高硕, 周金. 复频域注意力和多尺度频域增强驱动的语音增强网络[J]. 《计算机应用》唯一官方网站, 2025, 45(9): 2957-2965.
[7]	彭鹏, 蔡子婷, 刘雯玲, 陈才华, 曾维, 黄宝来. 基于CNN和双向GRU混合孪生网络的语音情感识别方法[J]. 《计算机应用》唯一官方网站, 2025, 45(8): 2515-2521.
[8]	赵彪, 秦玉华, 田荣坤, 胡月航, 陈芳锐. 依赖类型及距离增强的方面级情感分析模型[J]. 《计算机应用》唯一官方网站, 2025, 45(8): 2507-2514.
[9]	林进浩, 罗川, 李天瑞, 陈红梅. 基于跨尺度注意力网络的胸部疾病分类方法[J]. 《计算机应用》唯一官方网站, 2025, 45(8): 2712-2719.
[10]	蒋权, 黄文清, 苟志勇. 基于等变图神经网络的拉格朗日粒子流模拟[J]. 《计算机应用》唯一官方网站, 2025, 45(8): 2666-2671.
[11]	涂银川, 郭勇, 毛恒, 任怡, 张建锋, 李宝. 基于分布式环境的图神经网络模型训练效率与训练性能评估[J]. 《计算机应用》唯一官方网站, 2025, 45(8): 2409-2420.
[12]	冯兴杰, 卞兴鹏, 冯小荣, 王兴隆. 基于扩散模型的增量式时间序列缺失值填充算法[J]. 《计算机应用》唯一官方网站, 2025, 45(8): 2582-2591.
[13]	王义, 马应龙. 基于项图动态适应性生成的多任务社交项推荐方法[J]. 《计算机应用》唯一官方网站, 2025, 45(8): 2592-2599.
[14]	向尔康, 黄荣, 董爱华. 开放生成与特征优化的开集识别方法[J]. 《计算机应用》唯一官方网站, 2025, 45(7): 2195-2202.
[15]	梁辰, 王奕森, 魏强, 杜江. 基于Transformer-GCN的源代码漏洞检测方法[J]. 《计算机应用》唯一官方网站, 2025, 45(7): 2296-2303.

基于直接引导扩散模型的对抗净化方法

Adversarial purification method based on directly guided diffusion model#br#
#br#

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 15

编辑推荐

Metrics