Bibliographic Details
Main Authors: Yuezhang, Liu, Wei, Xue-Xin
Format: Preprint
Published: 2025
Online Access: https://arxiv.org/abs/2505.22839
author Yuezhang, Liu
Wei, Xue-Xin
contents Recent findings suggest that diffusion models significantly enhance empirical adversarial robustness. While some intuitive explanations have been proposed, the precise mechanisms underlying these improvements remain unclear. In this work, we systematically investigate how and how well diffusion models improve adversarial robustness. First, we observe that diffusion models intriguingly increase, rather than decrease, the $\ell_p$ distance to clean samples--challenging the intuition that purification denoises inputs closer to the original data. Second, we find that the purified images are heavily influenced by the internal randomness of diffusion models, where a compression effect arises within each randomness configuration. Motivated by this observation, we evaluate robustness under fixed randomness and find that the improvement drops to approximately 24% on CIFAR-10--substantially lower than prior reports approaching 70%. Importantly, we show that this remaining robustness gain strongly correlates with the model's ability to compress the input space, revealing the compression rate as a reliable robustness indicator without requiring gradient-based analysis. Our findings provide novel insights into the mechanisms underlying diffusion-based purification, and offer guidance for developing more effective and principled adversarial purification systems.
format Preprint
id arxiv_https___arxiv_org_abs_2505_22839
institution arXiv
publishDate 2025
record_format arxiv
title How Do Diffusion Models Improve Adversarial Robustness?
topic Machine Learning
Artificial Intelligence
url https://arxiv.org/abs/2505.22839