SuperPure: Efficient Purification of Localized and Distributed Adversarial Patches via Super-Resolution GAN Models
- URL: http://arxiv.org/abs/2505.16318v1
- Date: Thu, 22 May 2025 07:21:04 GMT
- Title: SuperPure: Efficient Purification of Localized and Distributed Adversarial Patches via Super-Resolution GAN Models
- Authors: Hossein Khalili, Seongbin Park, Venkat Bollapragada, Nader Sehatbakhsh
- Abstract summary: This paper proposes a new defense strategy for adversarial patch attacks called SuperPure. The masking involves leveraging a GAN-based super-resolution scheme to gradually purify the image from adversarial patches. Our evaluations show that SuperPure advances the state-of-the-art in three major directions.
- Score: 0.5906031288935515
- License: http://creativecommons.org/licenses/by-nc-nd/4.0/
- Abstract: As vision-based machine learning models are increasingly integrated into autonomous and cyber-physical systems, concerns about (physical) adversarial patch attacks are growing. While state-of-the-art defenses can achieve certified robustness with minimal impact on utility against highly-concentrated localized patch attacks, they fall short in two important areas: (i) State-of-the-art methods are vulnerable to low-noise distributed patches where perturbations are subtly dispersed to evade detection or masking, as shown recently by the DorPatch attack; (ii) Achieving high robustness with state-of-the-art methods is extremely time and resource-consuming, rendering them impractical for latency-sensitive applications in many cyber-physical systems. To address both robustness and latency issues, this paper proposes a new defense strategy for adversarial patch attacks called SuperPure. The key novelty is developing a pixel-wise masking scheme that is robust against both distributed and localized patches. The masking involves leveraging a GAN-based super-resolution scheme to gradually purify the image from adversarial patches. Our extensive evaluations using ImageNet and two standard classifiers, ResNet and EfficientNet, show that SuperPure advances the state-of-the-art in three major directions: (i) it improves the robustness against conventional localized patches by more than 20%, on average, while also improving top-1 clean accuracy by almost 10%; (ii) It achieves 58% robustness against distributed patch attacks (as opposed to 0% in state-of-the-art method, PatchCleanser); (iii) It decreases the defense end-to-end latency by over 98% compared to PatchCleanser. Our further analysis shows that SuperPure is robust against white-box attacks and different patch sizes. Our code is open-source.
Related papers
- PatchBlock: A Lightweight Defense Against Adversarial Patches for Embedded EdgeAI Devices [5.082257334702858]
  Adversarial attacks pose a significant challenge to the reliable deployment of machine learning models in EdgeAI applications. We present PatchBlock, a framework designed to detect and neutralize adversarial patches in images. We show that PatchBlock consistently improves robustness, recovering up to 77% of model accuracy under strong patch attacks.
  arXiv Detail & Related papers (2026-01-01T15:04:16Z)
- Concept-Based Masking: A Patch-Agnostic Defense Against Adversarial Patch Attacks [2.449909275410288]
  Adversarial patch attacks pose a practical threat to deep learning models. We propose a patch-agnostic defense that leverages concept-based explanations to identify and suppress the most influential concept activation vectors.
  arXiv Detail & Related papers (2025-10-05T15:26:03Z)
- Optimization-Free Patch Attack on Stereo Depth Estimation [51.792201754821804]
  We present PatchHunter, the first adversarial patch attack against Stereo Depth Estimation (SDE). PatchHunter formulates patch generation as a reinforcement learning-driven search over a structured space of visual patterns crafted to disrupt SDE assumptions. We validate PatchHunter across three levels: the KITTI dataset, the CARLA simulator, and real-world vehicle deployment.
  arXiv Detail & Related papers (2025-06-21T08:23:02Z)
- DiffPAD: Denoising Diffusion-based Adversarial Patch Decontamination [5.7254228484416325]
  DiffPAD is a novel framework that harnesses the power of diffusion models for adversarial patch decontamination. We show that DiffPAD achieves state-of-the-art adversarial robustness against patch attacks and excels in recovering naturalistic images without patch remnants.
  arXiv Detail & Related papers (2024-10-31T15:09:36Z)
- Enhancing Object Detection Robustness: Detecting and Restoring Confidence in the Presence of Adversarial Patch Attacks [2.963101656293054]
  This study evaluates defense mechanisms for the YOLOv5 model against adversarial patches. We tested several defenses, including Segment and Complete (SAC), Inpainting, and Latent Diffusion Models. Results indicate that adversarial patches reduce average detection confidence by 22.06%.
  arXiv Detail & Related papers (2024-03-04T13:32:48Z)
- Anomaly Unveiled: Securing Image Classification against Adversarial Patch Attacks [3.6275442368775512]
  Adversarial patch attacks pose a significant threat to the practical deployment of deep learning systems. In this paper, we investigate the behavior of adversarial patches as anomalies within the distribution of image information. Our proposed defense mechanism utilizes a clustering-based technique called DBSCAN to isolate anomalous image segments.
  arXiv Detail & Related papers (2024-02-09T08:52:47Z)
- Towards Robust Semantic Segmentation against Patch-based Attack via Attention Refinement [68.31147013783387]
  We observe that the attention mechanism is vulnerable to patch-based adversarial attacks. In this paper, we propose a Robust Attention Mechanism (RAM) to improve the robustness of the semantic segmentation model.
  arXiv Detail & Related papers (2024-01-03T13:58:35Z)
- RADAP: A Robust and Adaptive Defense Against Diverse Adversarial Patches on Face Recognition [13.618387142029663]
  Face recognition systems powered by deep learning are vulnerable to adversarial attacks. We propose RADAP, a robust and adaptive defense mechanism against diverse adversarial patches. We conduct comprehensive experiments to validate the effectiveness of RADAP.
  arXiv Detail & Related papers (2023-11-29T03:37:14Z)
- PatchCURE: Improving Certifiable Robustness, Model Utility, and Computation Efficiency of Adversarial Patch Defenses [46.098482151215556]
  State-of-the-art defenses against adversarial patch attacks can now achieve strong certifiable robustness with a marginal drop in model utility. This impressive performance typically comes at the cost of 10-100x more inference-time computation compared to undefended models. We propose a defense framework named PatchCURE to approach this trade-off problem.
  arXiv Detail & Related papers (2023-10-19T18:14:33Z)
- Defensive Patches for Robust Recognition in the Physical World [111.46724655123813]
  Data-end defense improves robustness by operations on input data instead of modifying models. Previous data-end defenses show low generalization against diverse noises and weak transferability across multiple models. We propose a defensive patch generation framework to address these problems by helping models better exploit these features.
  arXiv Detail & Related papers (2022-04-13T07:34:51Z)
- Segment and Complete: Defending Object Detectors against Adversarial Patch Attacks with Robust Patch Detection [142.24869736769432]
  Adversarial patch attacks pose a serious threat to state-of-the-art object detectors. We propose Segment and Complete defense (SAC), a framework for defending object detectors against patch attacks. We show SAC can significantly reduce the targeted attack success rate of physical patch attacks.
  arXiv Detail & Related papers (2021-12-08T19:18:48Z)
- A Self-supervised Approach for Adversarial Robustness [105.88250594033053]
  Adversarial examples can cause catastrophic mistakes in Deep Neural Network (DNN)-based vision systems. This paper proposes a self-supervised adversarial training mechanism in the input space. It provides significant robustness against unseen adversarial attacks.
  arXiv Detail & Related papers (2020-06-08T20:42:39Z)
- PatchGuard: A Provably Robust Defense against Adversarial Patches via Small Receptive Fields and Masking [46.03749650789915]
  Localized adversarial patches aim to induce misclassification in machine learning models by arbitrarily modifying pixels within a restricted region of an image. We propose a general defense framework called PatchGuard that can achieve high provable robustness while maintaining high clean accuracy against localized adversarial patches.
  arXiv Detail & Related papers (2020-05-17T03:38:34Z)
- (De)Randomized Smoothing for Certifiable Defense against Patch Attacks [136.79415677706612]
  We introduce a certifiable defense against patch attacks that provides guarantees for a given image and patch attack size. Our method is related to the broad class of randomized smoothing robustness schemes. Our results effectively establish a new state-of-the-art of certifiable defense against patch attacks on CIFAR-10 and ImageNet.
  arXiv Detail & Related papers (2020-02-25T08:39:46Z)