Notice: The reproducibility variables underlying each score are classified using an automated LLM-based pipeline, validated against a manually labeled dataset. LLM-based classification introduces uncertainty and potential bias; scores should be interpreted as estimates. Full accuracy metrics and methodology are described in Coakley et alK. L. Coakley, T. Snelleman, H. Hoos, and O. E. Gundersen, "The embrace of open science: An analysis of a decade of AI research and 56 800 conference papers," Under Review, 2026..
Sample-specific Noise Injection for Diffusion-based Adversarial Purification
Authors: Yuhao Sun, Jiacheng Zhang, Zesheng Ye, Chaowei Xiao, Feng Liu
ICML 2025 | Venue PDF | LLM Run Details
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | Through extensive evaluations on benchmark image datasets such as CIFAR-10 (Krizhevsky et al., 2009) and Image Net-1K (Deng et al., 2009), we demonstrate the effectiveness of SSNI in Section 5. Specifically, combined with different DBP methods (Nie et al., 2022; Xiao et al., 2023; Lee & Kim, 2023), SSNI can boost clean accuracy and robust accuracy simultaneously by a notable margin against the well-designed adaptive white-box attack (see Section 5.2). |
| Researcher Affiliation | Academia | 1School of Computing and Information Systems, The University of Melbourne 2University of Wisconsin, Madison. Correspondence to: Feng Liu <EMAIL>. |
| Pseudocode | Yes | Algorithm 1 Diffusion-based Purification with SSNI. Algorithm 2 Adaptive white-box PGD+EOT attack for SSNI. Algorithm 3 Adaptive white-box BPDA+EOT attack. |
| Open Source Code | Yes | Our code is available at: https: //github.com/tmlr-group/SSNI. |
| Open Datasets | Yes | Through extensive evaluations on benchmark image datasets such as CIFAR-10 (Krizhevsky et al., 2009) and Image Net-1K (Deng et al., 2009) |
| Dataset Splits | Yes | Following Lee & Kim (2023), we use a fixed subset of 512 randomly sampled images for all evaluations due to high computational cost of applying adaptive white-box attacks to DBP methods. |
| Hardware Specification | Yes | We conduct each of the experiments on up to 4 NVIDIA A100 GPUs (see https://github.com/tmlr-group/SSNI). |
| Software Dependencies | Yes | We implemented our code on Python version 3.8, CUDA version 12.2.0, and Py Torch version 2.0.1 with Slurm Workload Manager. |
| Experiment Setup | Yes | Diff Pure chooses optimal t = 100 and t = 75 on CIFAR-10 against threat models ℓ (ϵ = 8/255) and ℓ2(ϵ = 0.5), respectively. It also tests on high-resolution dataset like Image Net-1K with t = 150 against threat models ℓ (ϵ = 4/255). ... following Lee & Kim (2023), we mainly use adaptive white-box PGD+EOT attack with 200 PGD iterations for CIFAR-10 and 20 PGD iterations for Image Net-1K. We use 20 EOT iterations for all experiments to mitigate the stochasticity introduced by the diffusion models. ... We investigate how the temperature coefficient τ in Eq. (8) affects the performance of SSNI-N against adaptive white-box PGD+EOT ℓ (ϵ = 8/255) attack on CIFAR-10 in Figure 4. ... we choose τ = 20 for the non-linear reweighting function to optimize the accuracy-robustness trade-off for DBP methods. |