Iterative Window Mean Filter: Thwarting Diffusion-based Adversarial Purification

Hanrui Wang, Ruoxi Sun, Cunjian Chen, Minhui Xue, Lay-Ki Soon, Shuo Wang, Zhe Jin
DOI: https://doi.org/10.1109/TDSC.2024.3472569
2024-10-29
Abstract: Face authentication systems have brought significant convenience and advanced developments, yet they have become unreliable due to their sensitivity to inconspicuous perturbations, such as adversarial attacks. Existing defenses often exhibit weaknesses when facing various attack algorithms and adaptive attacks or compromise accuracy for enhanced security. To address these challenges, we have developed a novel and highly efficient non-deep-learning-based image filter called the Iterative Window Mean Filter (IWMF) and proposed a new framework for adversarial purification, named IWMF-Diff, which integrates IWMF and denoising diffusion models. These methods can function as pre-processing modules to eliminate adversarial perturbations without necessitating further modifications or retraining of the target system. We demonstrate that our proposed methodologies fulfill four critical requirements: preserved accuracy, improved security, generalizability to various threats in different settings, and better resistance to adaptive attacks. This performance surpasses that of the state-of-the-art adversarial purification method, DiffPure.
Cryptography and Security
What problem does this paper attempt to address?
The main problem that this paper attempts to solve is the security risk that adversarial attacks pose to current facial authentication systems. Specifically, these problems include:

1. **Limitations of existing defense methods**:
   - Existing defense methods show weaknesses when facing various attack algorithms and adaptive attacks.
   - Some defense methods sacrifice the accuracy of the system in order to enhance security.
   - Methods relying on deep-learning models have problems such as high computational complexity and poor performance against specific attacks.
2. **The harm of adversarial attacks**:
   - Adversarial attacks can deceive facial authentication systems through tiny, imperceptible perturbations, leading to unauthorized access.
   - These attacks may cause the system to reject legitimate users or accept illegitimate users, undermining the reliability and security of the system.
3. **Requirements for an ideal adversarial defense**:
   - **Accuracy**: maintain the recognition accuracy for non-adversarial images.
   - **Security**: effectively resist adversarial samples and ensure that the system is not misled.
   - **Generalization ability**: handle various threat models (white-box, gray-box and black-box attacks) and attack algorithms under different settings.
   - **Resistance to adaptive attacks**: resist adaptive attacks designed to bypass existing defense mechanisms.

To solve these problems, the authors propose a new non-deep-learning-based image filter, the Iterative Window Mean Filter (IWMF), and a framework (IWMF-Diff) that integrates IWMF and a denoising diffusion model. These methods can be used as pre-processing modules to eliminate adversarial perturbations without modifying or retraining the target system.

### Main contributions

- **Defined four ideal criteria for evaluating adversarial defense** and provided experimental results to prove their importance.
- **Proposed IWMF**, an efficient non-deep-learning image filter that can enhance security while maintaining accuracy.
- **Proposed the IWMF-Diff framework**, which combines IWMF and the denoising diffusion model, further improving robustness against various attacks, especially against adaptive attacks.

Through these methods, the authors show how to significantly improve the security of facial authentication systems without affecting system performance.
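The page describes IWMF only as a non-deep-learning window mean filter used as a pre-processing purifier, without giving its definition. The following Python is an added illustration, not the paper's code and not the authors' IWMF: it applies a plain k×k box-mean filter repeatedly to a constructed gradient image carrying constructed L∞-bounded sign noise, and measures the two quantities the paper's criteria turn on, the perturbation energy that survives purification (security) and the distortion the filter inflicts on the unperturbed image (accuracy). The names `window_mean_filter`, `iterative_window_mean`, `purification_report` and the parameters `k`, `iterations` and `eps` are assumptions, as is the border handling.

```python
import math
import random

# Added illustration (not the paper's IWMF, whose definition this page does not give):
# a k x k box-mean filter applied iteratively as a pre-processing step in front of an
# unmodified recognizer. Function names and parameters are assumptions.


def window_mean_filter(img, k=3):
    """One pass of a k x k window (box) mean filter over a grayscale image.

    img is a list of rows of floats in [0, 1]. Borders are handled by clamping
    coordinates to the image, so every output pixel averages exactly k*k samples.
    """
    h, w = len(img), len(img[0])
    r = k // 2
    out = [[0.0] * w for _ in range(h)]
    for y in range(h):
        for x in range(w):
            acc = 0.0
            for dy in range(-r, r + 1):
                for dx in range(-r, r + 1):
                    yy = min(max(y + dy, 0), h - 1)
                    xx = min(max(x + dx, 0), w - 1)
                    acc += img[yy][xx]
            out[y][x] = acc / (k * k)
    return out


def iterative_window_mean(img, k=3, iterations=3):
    """Apply the window mean filter `iterations` times (assumed parameterisation)."""
    for _ in range(iterations):
        img = window_mean_filter(img, k)
    return img


def make_clean_image(h=16, w=16):
    """Constructed sample input: a smooth diagonal gradient standing in for a face crop."""
    return [[(x + y) / (h + w - 2) for x in range(w)] for y in range(h)]


def add_perturbation(img, eps=8 / 255, seed=0):
    """Constructed L-infinity-bounded random sign noise (a stand-in, not an attack), clipped to [0, 1]."""
    rng = random.Random(seed)
    return [[min(1.0, max(0.0, v + eps * rng.choice((-1.0, 1.0)))) for v in row]
            for row in img]


def l2_distance(a, b):
    """Euclidean distance between two equally sized images."""
    return math.sqrt(sum((va - vb) ** 2
                         for ra, rb in zip(a, b)
                         for va, vb in zip(ra, rb)))


def purification_report(clean, adv, k=3, iterations=3):
    """Measure what a purifier trades off on this toy input: how much perturbation
    survives filtering (security) and how much the filter distorts a benign image (accuracy)."""
    f_clean = iterative_window_mean(clean, k, iterations)
    f_adv = iterative_window_mean(adv, k, iterations)
    return {
        "residual_before": l2_distance(clean, adv),       # perturbation energy entering the system
        "residual_after": l2_distance(f_clean, f_adv),    # what remains after purification
        "clean_distortion": l2_distance(clean, f_clean),  # cost paid on benign inputs
    }


if __name__ == "__main__":
    clean = make_clean_image()
    adv = add_perturbation(clean)
    for name, value in purification_report(clean, adv).items():
        print(f"{name}: {value:.4f}")
```

The report makes the paper's accuracy/security tension concrete: more passes or a larger window shrink `residual_after` but raise `clean_distortion`, and a real deployment would tune these against the recognizer's own matching threshold rather than against L2 distances on a gradient.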