Adversarial Robustification via Text-to-Image Diffusion Models
Adversarial robustness has been conventionally believed as a challenging property to encode for neural networks, requiring plenty of training data. In the recent paradigm of adopting off-the-shelf models, however, access to their training data is often infeasible or not practical, while most of such...
Gespeichert in:
| Hauptverfasser: | , , , |
|---|---|
| Format: | Artikel |
| Sprache: | eng |
| Schlagworte: | |
| Online-Zugang: | Volltext bestellen |
| Tags: |
Tag hinzufügen
Keine Tags, Fügen Sie den ersten Tag hinzu!
|
| container_end_page | |
|---|---|
| container_issue | |
| container_start_page | |
| container_title | |
| container_volume | |
| creator | Choi, Daewon Jeong, Jongheon Jang, Huiwon Shin, Jinwoo |
| description | Adversarial robustness has been conventionally believed as a challenging
property to encode for neural networks, requiring plenty of training data. In
the recent paradigm of adopting off-the-shelf models, however, access to their
training data is often infeasible or not practical, while most of such models
are not originally trained concerning adversarial robustness. In this paper, we
develop a scalable and model-agnostic solution to achieve adversarial
robustness without using any data. Our intuition is to view recent
text-to-image diffusion models as "adaptable" denoisers that can be optimized
to specify target tasks. Based on this, we propose: (a) to initiate a
denoise-and-classify pipeline that offers provable guarantees against
adversarial attacks, and (b) to leverage a few synthetic reference images
generated from the text-to-image model that enables novel adaptation schemes.
Our experiments show that our data-free scheme applied to the pre-trained CLIP
could improve the (provable) adversarial robustness of its diverse zero-shot
classification derivatives (while maintaining their accuracy), significantly
surpassing prior approaches that utilize the full training data. Not only for
CLIP, we also demonstrate that our framework is easily applicable for
robustifying other visual classifiers efficiently. |
| doi_str_mv | 10.48550/arxiv.2407.18658 |
| format | Article |
| fullrecord | <record><control><sourceid>arxiv_GOX</sourceid><recordid>TN_cdi_arxiv_primary_2407_18658</recordid><sourceformat>XML</sourceformat><sourcesystem>PC</sourcesystem><sourcerecordid>2407_18658</sourcerecordid><originalsourceid>FETCH-arxiv_primary_2407_186583</originalsourceid><addsrcrecordid>eNpjYJA0NNAzsTA1NdBPLKrILNMzMjEw1zO0MDO14GSwc0wpSy0qTizKTMxRCMpPKi0uyUzLTE4syczPUyjLTFQISa0o0S3J1_XMTUxPVXDJTEsrLQbJ-eanpOYU8zCwpiXmFKfyQmluBnk31xBnD12wTfEFRZm5iUWV8SAb48E2GhNWAQCewDZA</addsrcrecordid><sourcetype>Open Access Repository</sourcetype><iscdi>true</iscdi><recordtype>article</recordtype></control><display><type>article</type><title>Adversarial Robustification via Text-to-Image Diffusion Models</title><source>arXiv.org</source><creator>Choi, Daewon ; Jeong, Jongheon ; Jang, Huiwon ; Shin, Jinwoo</creator><creatorcontrib>Choi, Daewon ; Jeong, Jongheon ; Jang, Huiwon ; Shin, Jinwoo</creatorcontrib><description>Adversarial robustness has been conventionally believed as a challenging
property to encode for neural networks, requiring plenty of training data. In
the recent paradigm of adopting off-the-shelf models, however, access to their
training data is often infeasible or not practical, while most of such models
are not originally trained concerning adversarial robustness. In this paper, we
develop a scalable and model-agnostic solution to achieve adversarial
robustness without using any data. Our intuition is to view recent
text-to-image diffusion models as "adaptable" denoisers that can be optimized
to specify target tasks. Based on this, we propose: (a) to initiate a
denoise-and-classify pipeline that offers provable guarantees against
adversarial attacks, and (b) to leverage a few synthetic reference images
generated from the text-to-image model that enables novel adaptation schemes.
Our experiments show that our data-free scheme applied to the pre-trained CLIP
could improve the (provable) adversarial robustness of its diverse zero-shot
classification derivatives (while maintaining their accuracy), significantly
surpassing prior approaches that utilize the full training data. Not only for
CLIP, we also demonstrate that our framework is easily applicable for
robustifying other visual classifiers efficiently.</description><identifier>DOI: 10.48550/arxiv.2407.18658</identifier><language>eng</language><subject>Computer Science - Computer Vision and Pattern Recognition ; Computer Science - Learning</subject><creationdate>2024-07</creationdate><rights>http://arxiv.org/licenses/nonexclusive-distrib/1.0</rights><oa>free_for_read</oa><woscitedreferencessubscribed>false</woscitedreferencessubscribed></display><links><openurl>$$Topenurl_article</openurl><openurlfulltext>$$Topenurlfull_article</openurlfulltext><thumbnail>$$Tsyndetics_thumb_exl</thumbnail><link.rule.ids>228,230,776,881</link.rule.ids><linktorsrc>$$Uhttps://arxiv.org/abs/2407.18658$$EView_record_in_Cornell_University$$FView_record_in_$$GCornell_University$$Hfree_for_read</linktorsrc><backlink>$$Uhttps://doi.org/10.48550/arXiv.2407.18658$$DView paper in arXiv$$Hfree_for_read</backlink></links><search><creatorcontrib>Choi, Daewon</creatorcontrib><creatorcontrib>Jeong, Jongheon</creatorcontrib><creatorcontrib>Jang, Huiwon</creatorcontrib><creatorcontrib>Shin, Jinwoo</creatorcontrib><title>Adversarial Robustification via Text-to-Image Diffusion Models</title><description>Adversarial robustness has been conventionally believed as a challenging
property to encode for neural networks, requiring plenty of training data. In
the recent paradigm of adopting off-the-shelf models, however, access to their
training data is often infeasible or not practical, while most of such models
are not originally trained concerning adversarial robustness. In this paper, we
develop a scalable and model-agnostic solution to achieve adversarial
robustness without using any data. Our intuition is to view recent
text-to-image diffusion models as "adaptable" denoisers that can be optimized
to specify target tasks. Based on this, we propose: (a) to initiate a
denoise-and-classify pipeline that offers provable guarantees against
adversarial attacks, and (b) to leverage a few synthetic reference images
generated from the text-to-image model that enables novel adaptation schemes.
Our experiments show that our data-free scheme applied to the pre-trained CLIP
could improve the (provable) adversarial robustness of its diverse zero-shot
classification derivatives (while maintaining their accuracy), significantly
surpassing prior approaches that utilize the full training data. Not only for
CLIP, we also demonstrate that our framework is easily applicable for
robustifying other visual classifiers efficiently.</description><subject>Computer Science - Computer Vision and Pattern Recognition</subject><subject>Computer Science - Learning</subject><fulltext>true</fulltext><rsrctype>article</rsrctype><creationdate>2024</creationdate><recordtype>article</recordtype><sourceid>GOX</sourceid><recordid>eNpjYJA0NNAzsTA1NdBPLKrILNMzMjEw1zO0MDO14GSwc0wpSy0qTizKTMxRCMpPKi0uyUzLTE4syczPUyjLTFQISa0o0S3J1_XMTUxPVXDJTEsrLQbJ-eanpOYU8zCwpiXmFKfyQmluBnk31xBnD12wTfEFRZm5iUWV8SAb48E2GhNWAQCewDZA</recordid><startdate>20240726</startdate><enddate>20240726</enddate><creator>Choi, Daewon</creator><creator>Jeong, Jongheon</creator><creator>Jang, Huiwon</creator><creator>Shin, Jinwoo</creator><scope>AKY</scope><scope>GOX</scope></search><sort><creationdate>20240726</creationdate><title>Adversarial Robustification via Text-to-Image Diffusion Models</title><author>Choi, Daewon ; Jeong, Jongheon ; Jang, Huiwon ; Shin, Jinwoo</author></sort><facets><frbrtype>5</frbrtype><frbrgroupid>cdi_FETCH-arxiv_primary_2407_186583</frbrgroupid><rsrctype>articles</rsrctype><prefilter>articles</prefilter><language>eng</language><creationdate>2024</creationdate><topic>Computer Science - Computer Vision and Pattern Recognition</topic><topic>Computer Science - Learning</topic><toplevel>online_resources</toplevel><creatorcontrib>Choi, Daewon</creatorcontrib><creatorcontrib>Jeong, Jongheon</creatorcontrib><creatorcontrib>Jang, Huiwon</creatorcontrib><creatorcontrib>Shin, Jinwoo</creatorcontrib><collection>arXiv Computer Science</collection><collection>arXiv.org</collection></facets><delivery><delcategory>Remote Search Resource</delcategory><fulltext>fulltext_linktorsrc</fulltext></delivery><addata><au>Choi, Daewon</au><au>Jeong, Jongheon</au><au>Jang, Huiwon</au><au>Shin, Jinwoo</au><format>journal</format><genre>article</genre><ristype>JOUR</ristype><atitle>Adversarial Robustification via Text-to-Image Diffusion Models</atitle><date>2024-07-26</date><risdate>2024</risdate><abstract>Adversarial robustness has been conventionally believed as a challenging
property to encode for neural networks, requiring plenty of training data. In
the recent paradigm of adopting off-the-shelf models, however, access to their
training data is often infeasible or not practical, while most of such models
are not originally trained concerning adversarial robustness. In this paper, we
develop a scalable and model-agnostic solution to achieve adversarial
robustness without using any data. Our intuition is to view recent
text-to-image diffusion models as "adaptable" denoisers that can be optimized
to specify target tasks. Based on this, we propose: (a) to initiate a
denoise-and-classify pipeline that offers provable guarantees against
adversarial attacks, and (b) to leverage a few synthetic reference images
generated from the text-to-image model that enables novel adaptation schemes.
Our experiments show that our data-free scheme applied to the pre-trained CLIP
could improve the (provable) adversarial robustness of its diverse zero-shot
classification derivatives (while maintaining their accuracy), significantly
surpassing prior approaches that utilize the full training data. Not only for
CLIP, we also demonstrate that our framework is easily applicable for
robustifying other visual classifiers efficiently.</abstract><doi>10.48550/arxiv.2407.18658</doi><oa>free_for_read</oa></addata></record> |
| fulltext | fulltext_linktorsrc |
| identifier | DOI: 10.48550/arxiv.2407.18658 |
| ispartof | |
| issn | |
| language | eng |
| recordid | cdi_arxiv_primary_2407_18658 |
| source | arXiv.org |
| subjects | Computer Science - Computer Vision and Pattern Recognition Computer Science - Learning |
| title | Adversarial Robustification via Text-to-Image Diffusion Models |
| url | https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-01-23T09%3A23%3A30IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-arxiv_GOX&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=Adversarial%20Robustification%20via%20Text-to-Image%20Diffusion%20Models&rft.au=Choi,%20Daewon&rft.date=2024-07-26&rft_id=info:doi/10.48550/arxiv.2407.18658&rft_dat=%3Carxiv_GOX%3E2407_18658%3C/arxiv_GOX%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_id=info:pmid/&rfr_iscdi=true |