An adversarial sample purification method and system based on spatial adaptive diffusion
By employing a pixel-level adaptive diffusion method, the problem of spatially ignoring heterogeneity in existing diffusion-based adversarial purification is solved, achieving improved robustness and fidelity in highly sensitive scenarios while reducing computational costs.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- BEIJING UNIV OF CIVIL ENG & ARCHITECTURE
- Filing Date
- 2026-02-09
- Publication Date
- 2026-06-19
Smart Images

Figure CN122243789A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of computer technology, and in particular to an adversarial sample cleanup method and system based on spatial adaptive diffusion. Background Technology
[0002] For highly sensitive scenarios such as autonomous driving, smart security, financial risk control, medical imaging, and industrial quality inspection, deep learning models frequently encounter adversarial perturbations in the real world, leading to unstable recognition results and making security and reliability a deployment bottleneck. Deep neural networks are prone to significant performance degradation under adversarial perturbations. Generative decanting, as a defense paradigm that does not require modification of the classifier, first injects noise into adversarial examples and then uses the inverse process of the generative model to project it back to an approximately clean data manifold. Diffusion models, due to their stable training mechanism and strong representation capabilities, have become the mainstream approach for adversarial decanting in recent years, and improved methods that integrate classification and representation supervision into the denoising process and more stringent robustness evaluation protocols have emerged.
[0003] Existing diffusion cleansing methods mostly employ a uniform time step and noise scheduling, that is, selecting a single start time for the entire image. Noise is injected, and a fixed number of reverse denoising steps are performed. This approach presents several practical difficulties: on the one hand, excessively small noise is insufficient to remove adversarial remnants; on the other hand, excessively large noise can destroy semantic details, leading to significant semantic drift. More importantly, unified scheduling implicitly assumes "spatial homogeneity"—all pixels suffer from the same Gaussian budget; however, adversarial energy is often sparsely concentrated in high-frequency hotspots, while class-discriminative regions are more vulnerable, thus unified scheduling... Often, in certain areas, some pixels are over-cleaned while others are under-cleaned.
[0004] To alleviate this contradiction, recent work has begun to explore adaptive time steps. For example, sample-based noise injection estimates the degree to which samples deviate from the manifold using the fractional norm and assigns different noise levels to different samples; other methods construct rewards based on classifier confidence and adaptively select denoising depth using reinforcement learning strategies. These strategies can be combined with accelerated samplers such as DDIM and DPM-Solver to balance computational efficiency and robustness. However, most of them still remain at the level of a single scalar for each sample, failing to capture the significant spatial heterogeneity within the image.
[0005] To address spatial heterogeneity, heterogeneous noise injection at both the regional and frequency domain levels has been implemented. Examples include applying strong noise only to vulnerable regions and selectively mixing amplitude and phase information in the frequency domain. These approaches suggest that the location and amount of noise injected are more critical than uniform noise injection. Meanwhile, more robust adaptive attacks and rigorous evaluation practices have revealed vulnerabilities in early-stage decontamination defenses, prompting researchers to further balance robustness, fidelity, and efficiency without altering the classifier.
[0006] Against this backdrop, introducing pixel-level noise scheduling becomes a natural choice. Parameterization centered on logarithmic signal-to-noise ratio (SNR) possesses clear physical meaning and favorable numerical properties: the monotonically decreasing logarithmic SNR simultaneously characterizes the signal-to-noise energy ratio and error weighting, facilitating the design of start-stop criteria and ensuring compatibility with standard diffusion modeling. Theoretically, decomposing global risk into pixels yields the lower envelope heuristic, i.e., allocating the noise budget at the pixel level, which is expected to outperform any unified scalar schedule. In engineering, combining it with few-step stochastic recovery can constrain each computation step to a network evaluation, significantly reducing inference costs; constructing start-stop rules around the zero-crossing of logarithmic SNR provides robust start-time selection. Facing adaptive gradient attacks such as substitution attacks, it is also necessary to decouple latent variables and randomness and design gradient suppression paths to improve adversarial robustness while maintaining clean accuracy. Overall, the development trend of diffusion cleanup is shifting from unified scheduling and fixed trajectories to a new generation of defense paradigms characterized by adaptive input, spatial heterogeneity, and controllable efficiency. Pixel-level logarithmic signal-to-noise ratio scheduling is a key technology path that follows this trend and strives to achieve a better compromise among robustness, fidelity and efficiency.
[0007] In summary, most existing diffusion-based adversarial denoising methods rely on the assumption of spatial homogeneity, applying noise to the entire image using a uniform noise schedule or a single time step, followed by reverse denoising. This approach ignores the strong spatial heterogeneity of adversarial perturbations. Actual attacks are often sparsely concentrated in high-frequency fine structures, while semantically critical regions are extremely vulnerable to excessive noise. Consequently, the same global noise budget may result in under-denoising at hotspots and over-denoising at semantical points, affecting robustness and fidelity while wasting computational resources. While the later-developed sample-adaptive time step can select a more suitable starting point for each image, it is still a scalar decision and cannot accurately describe pixel-level differences within the image. Although region-frequency selective noise addition introduces spatial differences, it relies on heuristic masks or frequency band thresholds, resulting in limited granularity, ambiguous interpretable boundaries, and potential incompatibility with the scalar time conditions of standard diffusion models, making it difficult to seamlessly integrate the reverse chain. Furthermore, many denoising processes lack a computationally robust starting point selection criterion, often relying on grid search or empirical thresholds, which is both time-consuming and difficult to reproduce under strong adaptive attacks. Inverse solving often relies on multiple network evaluations of ODEs (Ordinary Differential Equations) or SDEs (Stochastic Differential Equations), resulting in high step counts and significant latency. More seriously, when the purification process depends on latent variables directly encoded from the attacked input, substitution attacks can directly target the diffusion model, constructing approximate gradients along this differentiable path, leading to a significant decrease in robustness in true white-box adaptive scenarios. Summary of the Invention
[0008] The purpose of this invention is to provide an adversarial sample cleanup method and system based on spatial adaptive diffusion, which aims to solve the above-mentioned problems in the prior art.
[0009] This invention provides an adversarial sample cleanup method based on spatial adaptive diffusion, comprising: Obtain adversarial samples to be processed, perform pixel-level heterogeneous forward diffusion scheduling on the adversarial samples, and generate a pixel-level noise scheduling field; The global initial diffusion time is determined based on the noise scheduling field through zero-crossing detection; Based on the initial diffusion time, the adversarial sample is forward-noised to obtain a noisy sample; The noisy sample is subjected to backdiffusion to obtain a cleaned sample; wherein the backdiffusion adopts a discrete Gaussian transition that approximately matches the edge distribution of the forward diffusion.
[0010] This invention provides an adversarial sample cleanup system based on spatial adaptive diffusion, comprising: The scheduling module is used to acquire adversarial samples to be processed, perform pixel-level heterogeneous forward diffusion scheduling on the adversarial samples, and generate a pixel-level noise scheduling field. A stopping module is used to determine the global start diffusion time based on the noise scheduling field through zero-crossing detection; The forward execution module is used to perform forward noise addition on the adversarial sample based on the initial diffusion time to obtain a noisy sample; The reverse denoising module is used to perform reverse diffusion on the noisy sample to obtain a purified sample; wherein the reverse diffusion adopts a discrete Gaussian transition that approximately matches the forward diffusion edge distribution.
[0011] This invention also provides an electronic device, including: a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the computer program, when executed by the processor, implements the steps of the above-described adversarial sample cleanup method based on spatial adaptive diffusion.
[0012] This invention also provides a computer-readable storage medium storing an information transmission implementation program, which, when executed by a processor, implements the steps of the above-described adversarial sample cleanup method based on spatial adaptive diffusion.
[0013] The embodiments of this invention can achieve the following beneficial effects: Based on pixel-level adaptive diffusion, this invention performs purification at the input side before inference by the existing classifier. This avoids modifying downstream systems and stably improves robustness and cleanliness accuracy in practical tests, aligning with the industry's common demand for plug-and-play functionality and verifiable improvements. Specifically, the adversarial example purification method proposed in this invention for diffusion-based generative models is a scheduling technique that adaptively configures the injection noise intensity and time step at the pixel level, effectively eliminating adversarial perturbations while maintaining semantic fidelity. Attached Figure Description
[0014] To more clearly illustrate the technical solutions in one or more embodiments of this specification or in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are only some embodiments recorded in this specification. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0015] Figure 1 This is a flowchart of the adversarial sample cleanup method based on spatial adaptive diffusion according to an embodiment of the present invention; Figure 2 This is a schematic diagram illustrating how the diffusion model of this invention can remove adversarial perturbations; Figure 3 This is a schematic diagram of the overall modular architecture of an embodiment of the present invention; Figure 4 This is a schematic diagram of the scheduling module according to an embodiment of the present invention; Figure 5 This is a schematic diagram of the reverse module according to an embodiment of the present invention; Figure 6 This is the stop module corresponding to the embodiment of the present invention. Heat map; Figure 7 This is a schematic diagram illustrating how the decoupling module of this invention obtains preliminary samples in an embodiment of the invention. Figure 8 This is a schematic diagram of an adversarial sample purification system based on spatial adaptive diffusion, according to an embodiment of the present invention. Detailed Implementation
[0016] To enable those skilled in the art to better understand the technical solutions in one or more embodiments of this specification, the technical solutions in one or more embodiments of this specification will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only a part of the embodiments of this specification, and not all of the embodiments. Based on one or more embodiments of this specification, all other embodiments obtained by those skilled in the art without creative effort should fall within the protection scope of this document.
[0017] Method Implementation Examples According to embodiments of the present invention, an adversarial sample cleanup method based on spatial adaptive diffusion is provided. Figure 1 This is a flowchart of the adversarial sample cleanup method based on spatial adaptive diffusion according to an embodiment of the present invention, as follows: Figure 1 As shown, the adversarial sample cleanup method based on spatial adaptive diffusion according to an embodiment of the present invention specifically includes: Step S101: Obtain the adversarial sample to be processed, and perform pixel-level heterogeneous forward diffusion scheduling on the adversarial sample to generate a pixel-level noise scheduling field, specifically including: Extract semantic latent variables associated with the adversarial examples, and input the semantic latent variables and the time information of the diffusion process into a pre-trained scheduling network to generate a pixel-level noise scheduling field. The scheduling network is parameterized using an integral squared polynomial and configured to learn the optimal noise scheduling strategy. The noise scheduling field includes a pixel-level logarithmic signal-to-noise ratio field, a signal attenuation coefficient, and a noise injection coefficient; the signal attenuation coefficient and the noise injection coefficient are calculated from the logarithmic signal-to-noise ratio field. The logarithmic signal-to-noise ratio field outputs a logarithmic signal-to-noise ratio value for each spatial location and channel in the image; and for a fixed semantic latent variable, the logarithmic signal-to-noise ratio value is monotonically non-increasing with respect to time within preset upper and lower bounds.
[0018] Step S102, determining the global initial diffusion time based on the noise scheduling field through zero-crossing detection, specifically includes: The logarithmic signal-to-noise ratio field in the noise scheduling field is evaluated on a preset discrete-time grid to obtain the field value sequence corresponding to each time point; Based on the field value sequence, detect the adjacent time points when the log signal-to-noise ratio of each pixel in the image first changes from positive to negative, and estimate the zero-crossing time corresponding to that pixel by interpolation; The zero-crossing times of all pixels are aggregated to obtain the global initial diffusion time; If a pixel does not undergo a sign change within the discrete-time grid, then that pixel is ignored during aggregation.
[0019] Step S103, based on the initial diffusion time, forward noise is added to the adversarial sample to obtain a noisy sample, specifically including: Obtain the signal attenuation coefficient and noise injection coefficient corresponding to the initial diffusion time from the noise scheduling field; The adversarial sample is weighted pixel-by-pixel based on the signal attenuation coefficient, and corresponding Gaussian noise is generated based on the noise injection coefficient. The weighted adversarial sample is added to the Gaussian noise to obtain the noisy sample.
[0020] Step S104: Perform backdiffusion on the noisy sample to obtain the cleaned sample; wherein, the backdiffusion adopts a discrete Gaussian transition that approximately matches the forward diffusion edge distribution; specifically including: Starting from the initial diffusion time, perform multiple iterations decreasing towards time zero; For each iteration, a scalarized noise variance parameter is determined from the noise injection coefficient in the noise scheduling field based on the time corresponding to the current iteration step. The current noise state, the current time, and the scalarized noise variance parameter are input into the denoising network, which then predicts the denoised mean for the current step. The denoising network is a U-Net neural network. The current noise-adding state is sampled and updated based on the denoised mean and the scalarized noise variance parameter to obtain the next noise-adding state. When the iteration reaches time zero, the corresponding noisy state is output as the purified sample.
[0021] The method further includes performing a decoupling defense step before performing pixel-level heterogeneous forward diffusion scheduling, the decoupling defense step including: The adversarial samples are subjected to a first round of coarse cleaning using prior latent variables that are unrelated to the adversarial samples, resulting in intermediate samples; Extract conditional latent variables from the intermediate samples and block the gradient backpropagation path of the conditional latent variables; The original semantic latent variables are replaced by conditional latent variables after gradient blocking, and used as input to the scheduling network to generate the subsequent noisy scheduling field.
[0022] The following describes in detail the above-mentioned technical solutions of the present invention with reference to the specific circumstances of the adversarial sample cleanup method based on spatial adaptive diffusion in the embodiments of the present invention.
[0023] This invention extends adaptive learning from the sample and region granularity to the pixel granularity. Specifically, it learns a monotonic, boundary-constrained pixel-level logarithmic signal-to-noise ratio field: This is used to allocate signal and noise energy pixel by pixel; in, Indicated by neural network Predicted pixel-level log-SNR; Represent semantic latent variables and encode the global semantics of the image; The function assigns different noise intensities to each pixel to inject more noise into the perturbation region and retain more signal in the semantic region.
[0024] The forward process employs diagonal Gaussian, spatially heterogeneous noise injection, while the backward process uses an approximate Markov sampling chain to approximately reproduce the edge behavior of forward diffusion while maintaining compatibility with standard diffusion-time coding. Each step involves only one network evaluation, achieving stable robustness in 30-50 steps without altering the downstream classifier. Instead of empirically based starting point selection, this embodiment provides a principle-based criterion using the first zero-crossing of the logarithmic signal-to-noise ratio for evaluation on a discrete-time grid. For each pixel, linear interpolation with sign change is used to obtain the root. Then, a single scalar starting point is aggregated using the global unweighted mean. This injects spatial heterogeneity into the forward noise while fully preserving the standard temporal encoding, facilitating the use of mature diffusion reverse chains. To resist adaptive gradients, a two-stage latent variable debiasing is introduced: first, a coarse cleanup is performed using prior latent variables to decouple the input; then, the coarse result is re-encoded into latent variables, and gradient use is stopped, thereby cutting off the differentiable path of substitution attacks while maintaining effective semantic conditionalization. During training, - (Logarithmic signal-to-noise ratio) Over time The rate of change is used as a pixel-wise weight, combined with v-parameterization or score matching, to focus the network's learning on more critical pixels and time periods.
[0025] The purpose of this invention is to provide a feasible solution, from pixel-level forward noise injection and zero-crossing starting point to matched low-step backward inversion and latent variable debiasing, without altering the practical constraints of existing classifiers. It reduces the structural tension between robustness and fidelity with finer spatial granularity, avoids brute-force parameter search with an interpretable and computable starting point mechanism, significantly reduces latency and computational cost with a low-step, single-evaluation backward inversion chain, and maintains reproducible experimental gains under strong evaluations such as substitution attacks, PGD attacks, and AutoAttack attacks, ultimately achieving a joint optimal balance between robustness, clean accuracy, and inference efficiency.
[0026] like Figure 2 As shown, Figure 2This demonstrates how the diffusion model can remove adversarial perturbations. The diffusion model comprises a pair of complementary processes: forward diffusion (forward SDE) progressively injects Gaussian noise into the input, "smoothing out" local details; reverse generation (reverse SDE) utilizes a time-dependent fractional function. (Data distribution) Denoising is achieved stepwise using the logarithmic gradient of the input x at time t, pulling the samples back to a high-density data distribution. Adversarial perturbations are essentially small-scale local structures attached to clean samples; by first using a small amount of diffusion to break up these local structures, and then using fraction-guided reverse denoising to return to the data distribution, the adversarial components are washed away while the global semantics are preserved. Theoretically, the ability of diffusion denoising to remove adversarial perturbations can be uniformly described by two theorems: Firstly, distribution proximity: along the forward diffusion SDE, the clean distribution p and the antagonistic distribution q are at the edge. satisfy ,in, This represents the KL divergence, which measures the difference between two distributions; This constraint guarantees that the KL divergence monotonically decreases with time during the diffusion process, ensuring that the reverse process gradually approximates the clean data distribution; and if and only if The fact that forward diffusion monotonically shrinks the difference between the two in an information theory sense indicates that it dilutes the local adversarial components attached to the sample.
[0027] Secondly, reconstruct the upper bound of the error: assume that the fractional network is bounded (i.e., This limits the output range of the scoring network, ensures the stability of the reverse process, and prevents errors from amplifying indefinitely. For the output of the fractional network, (is a positive constant), from time (The critical time point when the forward diffusion process stops and reverse denoising begins), the purification results of starting reverse SDE. With clean sample x The error can be bounded to the sum of three terms—the original disturbance. Based on diffusion intensity Controlled random items ; indicates " There exists a precise compromise between "too small to clean properly, too large to render meaningfully," thus finding an optimal solution. The interval. Among them, the diffusion intensity. Determine the arrival of the forward process The signal-to-noise ratio at that time, where Let be the noise scheduling function for time s, which varies with s. Decreasing, the signal is gradually drowned out by noise; random terms This measures the reconstruction error introduced by the diffusion process, and this term is particularly relevant in the low signal-to-noise ratio region. When the number of large numbers increases exponentially, it indicates that excessive diffusion should be avoided. In the formula... The diffusion intensity factor, For fractional networks The constants related to the boundedness.
[0028] At the same time, the starting point after forward diffusion satisfies: ; in, It is an intermediate state that mixes the original image signal with Gaussian noise, serving as the starting point for inverse denoising; Adversarial examples are input images that have been subjected to minor, malicious perturbations. After being injected with noise, it became Then, reverse denoising is performed starting from this point. Indicates the noise injection coefficient; This represents random noise sampled from a standard Gaussian (normal) distribution. , It is the identity matrix; This indicates that during the forward process of the diffusion model at a specific time step The signal attenuation coefficient, the formula can be found in the reference. , Indicates time The proportion of the original signal retained. This explains why breaking down adversarial components in the previous process and then gradually returning to the high-density data region along the fractional guide can achieve effective purification.
[0029] This invention employs a closed-loop mechanism—"pixel-level logarithmic SNR scheduling—zero-crossing starting point—matched low-step reverse engineering—latent variable debiasing"—to combat the spatial sparsity and high-frequency concentration characteristics of perturbations. First, the pixel-level logarithmic SNR field learned by the scheduling module allocates a higher noise budget to high-risk pixels and maintains lower noise for semantically critical pixels during the forward noise injection phase, thus weakening local high-frequency adversarial components at the source and avoiding the structural contradiction of under-cleaning of hotspots and over-cleaning of semantic regions caused by a one-size-fits-all approach. Then, starting with the first zero-crossing, the reverse chain is initiated near the boundary where signal and noise energy are roughly balanced, empirically achieving a stable compromise between perturbation reduction and semantic preservation, ensuring sufficient perturbation dilution while minimizing semantic damage. Next, the reverse engineering module uses a discrete Gaussian transition strictly matched to the forward edge, gradually pushing samples back to a high-density manifold under multi-level fractional guidance, prioritizing global semantic reconstruction and suppressing local remnants. Finally, the decoupling module cuts off the differentiable path from the attacked input to the cleansing conditions through two-stage latent variable debiasing and gradient stopping, combined with EOT randomness suppression of alternative attacks. This closed loop tightly couples the scrambling of spatially heterogeneous noise injection with the matching reverse restoration. While maintaining time compatibility and implementation simplicity, it can usually achieve stability, robustness and high fidelity in 30-50 steps, balancing robustness, clean accuracy and inference efficiency.
[0030] The entire algorithm framework of this invention adopts a modular design, consisting of four parts working collaboratively: scheduling, reversal, stopping, and decoupling. Figure 3 As shown, the scheduling module generates time steps and denoising coefficients based on image content and noise levels, and provides a suitable start time through zero-crossing detection, thereby shortening the iteration interval. The reverse module gradually restores the signal on the compressed timeline, suppressing interference and preserving details as much as possible. The stopping module uses indicators such as residual changes and energy trends to determine whether to terminate early, avoiding overprocessing and information loss. The decoupling module is performed in two stages: first, coarse-layer cleaning is performed to remove the main noise, and then the texture and structure are refined under constraints to improve the restoration quality. The four parts are sequentially connected and cooperate with each other, controlling the amount of computation while ensuring processing effect, which facilitates stable deployment.
[0031] Specifically, the scheduling module's responsibility is to allocate the signal and noise budget for forward noise injection at the pixel level, such as... Figure 4 As shown. Learn a time-varying algorithm for each pixel. Field with output logarithmic signal-to-noise ratio ,in, These are semantic latent variables used to carry global / class conditional information about the image; It is constrained to be monotonically non-increasing with respect to t and with controlled endpoints. This represents the minimum permissible value for the logarithmic signal-to-noise ratio. This represents the maximum permissible value for the logarithmic signal-to-noise ratio. These represent the image's height, width, and number of channels, respectively. To balance trainability and physical consistency, Parameterization using integral squared polynomials: First, construct a polynomial with non-negative derivatives: ; in, This indicates that the latent variables are derived from the MLP network. The predicted three sets of coefficients have the same dimension as the image; the integrand is in square form, ensuring that the integral is monotonically increasing.
[0032] Then normalize it to (in =-13.30, corresponding to the high signal-to-noise ratio endpoint (t=0, almost pure signal); =5.0, corresponding to the low signal-to-noise ratio endpoint (t=1, almost pure noise); anchoring the two boundaries of the scheduler to ensure coverage of the complete spread from pure signal to pure noise), that is, through normalization Get pixel-level Achieve spatial adaptive noise scheduling; and make This ensures a controllable shape and stable gradient throughout the entire time domain. Pixel-by-pixel calculation ,in, The variance coefficient of the signal at time t represents the proportion of energy of the original signal retained. The noise variance coefficient at time t represents the proportion of energy injected into the noise. This is the pixel-level log-SNR value.
[0033] because + =1, automatically satisfying the variance preservation constraint. Based on this, the pixelated forward distribution is defined. (Using a diagonal Gaussian distribution instead of a scalar Gaussian allows for different noise levels per pixel, achieving spatial heterogeneity), thus achieving spatially heterogeneous noise injection. During training, except for the reconstruction and KL terms, the diffusion loss employs pixel-weighted score matching or a v-parameterized objective, where the weights... (At moments when the signal-to-noise ratio changes drastically) Larger values assign higher weights, allowing the model to focus more on critical denoising moments. This automatically concentrates learning on time periods and pixels with high information density; numerically, this weight stabilizes the gradient scale and reduces sensitivity to large step sizes. The input to this module is... (Both the denoising network and the scheduler use this triple as a condition to achieve the content-aware diffusion process), the output is pixel-wise. (Difference from traditional methods: Traditional diffusion uses scalars) Full pixel consistency (the embodiments of the present invention extend to pixel-level tensors, allowing spatially heterogeneous noise allocation) and cacheability. Grid; time-grid evaluation complexity is (This means calculating the log-SNR value of all pixels at all time points to find zero-crossing points) Memory usage can be controlled through half-precision and straddle reuse buffers.
[0034] like Figure 5 As shown, the reverse module is mainly responsible for converting the starting point... Along scalar time condition Gradual denoising To avoid latency caused by multiple network evaluations of ODE and SDE, a discrete Gaussian transition that strictly matches the forward edge is adopted. Gradually from a noisy state Restore to a clean image ; In the formula, Indicates at the given current time Noisy images Under the conditions, the previous moment Image The probability distribution; It is a multivariate Gaussian distribution. The mean vector of this Gaussian distribution is represented by a parameter. The neural network prediction was obtained; Let represent the covariance matrix of the Gaussian distribution.
[0035] The covariance is directly inherited from the scheduling module. The mean is calculated by a single forward pass of the network and can be used for noise prediction. Alternatively, a more robust v-parameterization can be used; only one network evaluation is required per time step, significantly reducing the number of backward steps.
[0036] Although the forward pass involves pixel-based noise injection, this embodiment of the invention maintains standard scalar time conditions in the backward pass through pixel root-to-scalar aggregation (in the stopping module), thus ensuring full compatibility with general U-Net or diffusion model training and inference stacks. This module achieves steady-state robustness within 30-50 steps; its computational complexity is approximately O(log n). (Total inference cost is proportional to the number of denoising steps; PANS reduces unnecessary steps by stopping in the balanced SNR region), where S is the number of inverse steps; since the covariance is fixed and isotropic. (The simplified reverse process assumes all pixels share the same noise level), and sampling and reparameterization incur no additional overhead. The key to strict matching with pixelated forward is that the variance is consistent with the scheduling over time, and the mean prediction corresponds to the optimal Gaussian regression at the diagonal forward edge, thereby reducing model bias and improving convergence speed and stability with small steps.
[0037] like Figure 6 As shown, in the stop module, the starting point The choice of [the parameter] directly determines the balance between purification intensity and semantic fidelity. This module provides a principled and computable scheme based on the first zero-crossing of the logarithmic signal-to-noise ratio: In a uniform time grid (Calculate the log-SNR curve on the discrete-time grid and find the zero-crossing point as the purification time step) for a one-time evaluation. The entire image tensor; That is, storing the log-SNR values at each time point, which is used to quickly locate the zero-crossing time of each pixel through linear interpolation. In the formula, Indicates the first discrete time points The pixel-level logarithmic signal-to-noise ratio field is calculated for the entire image.
[0038] Detect sign changes pixel by pixel and estimate roots using linear interpolation That is, by using linear interpolation, the precise time point at which the log-SNR of each pixel crosses the threshold is found; In the formula, Indicates the first line, number Column, No. The logarithmic signal-to-noise ratio of the pixels in the channel. The precise time when it first equals 0; For two adjacent discrete time points, This represents the logarithmic signal-to-noise ratio of the pixel at two time points, obtained in the aforementioned one-time evaluation. value.
[0039] All pixel roots are then aggregated using the global unweighted mean to obtain the scalar starting point. (This formula represents the arithmetic mean of the zero-crossing times of all pixels to obtain a single scalar) To maintain compatibility with standard diffusion samplers, this module addresses spatial heterogeneity through forward noise injection while strictly preserving the scalar time conditions of the inverse module, avoiding disruption of the time coding and Markov structure of the standard diffusion model. Considering that slight under-cleaning and over-cleaning in practical measurements can be compensated for by fine-tuning the starting point, this module supports adding a small bias to zero-crossing. The algorithm performs an early or late determination; it ignores some pixels that are rootless, and if the entire dataset is rootless, it backtracks to a safe fixed value t. The advantage of this scheme is that it is a one-time, linear time complexity. It is simple to implement and easy to cache; theoretically, with Approaching zero, equivalent scalar As the log-SNR (the pixel with the highest signal-to-noise ratio in the entire image) decreases, the upper bound of the diffusion cleanup error tightens, thus providing an interpretable basis for starting and stopping near the first zero crossover. In engineering, the mean can be replaced with the median or truncated mean to enhance robustness to extreme pixels.
[0040] Decoupling modules such as Figure 7 As shown, in white-box adaptive attacks, if the purification conditions depend on the latent variables directly encoded from the received attack input, the substitution attack can construct an approximate gradient along this path and weaken robustness. This module resolves this coupling by using two-stage latent variable debiasing.
[0041] Phase 1: Sampling from Prior Knowledge (Independent of adversarial inputs, avoiding encoder contamination by adversarial perturbations. TSLO Phase 1: using...) Generate coarse cleansing results (cutting off the attacker's gradient control over latent variables), and evaluate them on the grid using a scheduling module. (using random sampling) Calculate pixel-level log-SNR, generate unbiased noise scheduling in the first stage (unaffected by adversarial perturbations), and obtain the root result in a single step and aggregate the results. Based on this, the following structure is constructed: ; Adversarial examples are injected into noise on a pixel-by-pixel basis to obtain intermediate diffusion states. In the formula... This indicates the starting point for noise addition in the first stage (coarse purification). Indicates the signal preservation coefficient. Indicates the noise injection coefficient. This represents the Hadamard product, which is element-wise multiplication. It is random noise; Then, the reverse module is called to perform short-chain denoising to obtain a coarse result. .
[0042] Phase Two: Using an encoder Re-estimation ; in, For the semantic latent variables of the second stage, Most of the adversarial disturbances have been removed. More accurately reflects the true semantics and prevents adaptive attacks from backpropagating gradients through the encoder; This represents the conditional probability distribution. Indicates a parameter as encoder neural network, Indicates that in a given Under the condition of latent variables The probability distribution; And on After applying the stopping gradient, perform the root calculation again in one go to obtain the final result. ,by The final purification is completed with the reverse module. This strategy of first decoupling and then refining reduces the bias of latent variables by the original attack noise, and cuts off the differentiable paths that attackers can exploit from the computation graph by stopping gradients; combined with the stochasticity of EOT, it effectively improves stability and robustness under strong adversarial attacks.
[0043] In summary, the key aspects of this invention's embodiments are pixel-level scheduling, zero-crossing starting point, matched low-step reverse engineering, latent variable debiasing, and a closed-loop scheme for pixel weight training. First, a pixel-level logarithmic signal-to-noise ratio scheduler is proposed. Under the constraints of monotonicity and endpoint control, signal and noise energy are directly allocated to each pixel, and through... ensure The physical consistency and numerical stability of the data are ensured; that is, the total variance of the data does not change at any time during the diffusion process, thus maintaining numerical stability. This pixel field is parameterized using integral squared polynomials to construct non-negative derivatives across the entire time domain and normalized to the upper and lower bounds of the diffusion model. It combines trainability, interpretability, and simplicity of implementation, representing a fundamental breakthrough compared to existing sample-level and region-level schemes. Secondly, a starting point selection mechanism based on the first zero-crossing of the logarithmic signal-to-noise ratio is established, and the method for selecting the entire image on a discrete-time grid is given. Evaluation, pixel-by-pixel detection of sign changes and linear interpolation estimation of root. (The time point when the log-SNR of this pixel first drops below the threshold), and then aggregated using the global unweighted mean as a single scalar starting point. This process injects spatial heterogeneity into the forward noise while strictly preserving the scalar time conditions of the diffusion model; the process includes zero-crossing bias. Optional variations of adjustment and robust aggregation are central to the methodological steps and framework modules. Furthermore, a diffusion model backchain that strictly matches the pixelated forward edge is designed. (from By progressively denoising to t=0 to restore a clean image, a low-step sampling process with only one network evaluation per step is achieved, resulting in stable robustness and convergence speed in approximately 30-50 steps without modifying the classifier. Furthermore, a two-stage latent variable debiasing approach is proposed: Stage 1 uses prior latent variables... A coarse cleanup is performed to remove coupling to the attacked input; stage two recodes the coarse result to obtain... By halting gradient usage, the mechanism is fundamentally cut off the differentiable path to alternative attacks, significantly improving robustness in adaptive white-box scenarios. This is accompanied by pixel-level training weights. and - Parameterization and score matching targets ensure greater learning intensity at key pixels and key time periods, improving numerical stability and convergence efficiency.
[0044] This invention, verified through rigorous testing protocols on established benchmarks such as CIFAR-10, CIFAR-100, WRN-28-10, and WRN-70-16, demonstrates significantly improved robust accuracy under strong adversarial attack conditions compared to uniform or coarse-grained adaptive cleansing, without altering downstream classifiers, while maintaining or improving clean accuracy. Utilizing a discrete Gaussian transition strictly matched to the forward edge and a single-evaluation reverse chain, the inference process is performed once per step, with network computation reaching a steady state within 30 to 50 steps, significantly reducing latency and computational cost, and providing real-time availability for engineering applications. Furthermore, the starting point is chosen based on the first zero-crossing of the logarithmic signal-to-noise ratio, ensuring a clear computation process and ease of reproducibility. Two-stage latent variable debiasing cuts off differentiable paths for alternative attacks, significantly enhancing robustness in adaptive scenarios without sacrificing clean accuracy. Experiments have achieved a balance between robustness, accuracy, and efficiency, providing stable and reliable adversarial protection capabilities for key industries such as autonomous driving, smart security, financial risk control, medical imaging, and industrial quality inspection.
[0045] System Implementation Examples According to embodiments of the present invention, an adversarial sample cleanup system based on spatial adaptive diffusion is provided. Figure 8 This is a schematic diagram of an adversarial sample cleanup system based on spatial adaptive diffusion, as described in an embodiment of the present invention. Figure 8 As shown, the adversarial sample cleanup system based on spatial adaptive diffusion according to an embodiment of the present invention specifically includes: The scheduling module 80 is used to acquire adversarial samples to be processed, perform pixel-level heterogeneous forward diffusion scheduling on the adversarial samples, and generate a pixel-level noise scheduling field. Stop module 82 is used to determine the global start diffusion time based on the noise scheduling field through zero-crossing detection; Forward execution module 84 is used to forward noise the adversarial sample based on the initial diffusion time to obtain a noisy sample; The reverse denoising module 86 is used to perform reverse diffusion on the noisy sample to obtain a purified sample; wherein the reverse diffusion adopts a discrete Gaussian transition that approximately matches the forward diffusion edge distribution.
[0046] The embodiments of the present invention are system embodiments corresponding to the above method embodiments. The specific operation of each module can be understood by referring to the description of the method embodiments, and will not be repeated here.
[0047] Device Example 1 This invention provides an electronic device, including: a memory, a processor, and a computer program stored in the memory and executable on the processor. When the computer program is executed by the processor, it performs the steps described in the method embodiment.
[0048] Device Example 2 This invention provides a computer-readable storage medium storing an information transmission implementation program, which, when executed by a processor, performs the steps described in the method embodiment.
[0049] The computer-readable storage media described in this embodiment include, but are not limited to, ROM, RAM, disk, or optical disk.
[0050] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention, and not to limit them; although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that modifications can still be made to the technical solutions described in the foregoing embodiments, or equivalent substitutions can be made to some or all of the technical features; and these modifications or substitutions do not cause the essence of the corresponding technical solutions to deviate from the scope of the technical solutions of the embodiments of the present invention.
Claims
1. A method for adversarial sample cleanup based on spatial adaptive diffusion, characterized in that, include: Obtain adversarial samples to be processed, perform pixel-level heterogeneous forward diffusion scheduling on the adversarial samples, and generate a pixel-level noise scheduling field; The global initial diffusion time is determined based on the noise scheduling field through zero-crossing detection; Based on the initial diffusion time, the adversarial sample is forward-noised to obtain a noisy sample; The noisy sample is subjected to backdiffusion to obtain a cleaned sample; wherein the backdiffusion adopts a discrete Gaussian transition that approximately matches the edge distribution of the forward diffusion.
2. The method according to claim 1, characterized in that, Performing pixel-level heterogeneous forward diffusion scheduling on the adversarial examples to generate a pixel-level noise scheduling field specifically includes: Extract semantic latent variables associated with the adversarial examples, and input the semantic latent variables and the time information of the diffusion process into a pre-trained scheduling network to generate a pixel-level noise scheduling field. The scheduling network is parameterized using an integral squared polynomial and configured to learn the optimal noise scheduling strategy. The noise scheduling field includes a pixel-level logarithmic signal-to-noise ratio field, a signal attenuation coefficient, and a noise injection coefficient; the signal attenuation coefficient and the noise injection coefficient are calculated from the logarithmic signal-to-noise ratio field.
3. The method according to claim 2, characterized in that, The logarithmic signal-to-noise ratio field outputs a logarithmic signal-to-noise ratio value for each spatial location and channel in the image; and for a fixed semantic latent variable, the logarithmic signal-to-noise ratio value is monotonically non-increasing with respect to time within preset upper and lower bounds.
4. The method according to claim 2, characterized in that, The determination of the global initial diffusion time based on the noise scheduling field through zero-crossing detection specifically includes: The logarithmic signal-to-noise ratio field in the noise scheduling field is evaluated on a preset discrete-time grid to obtain the field value sequence corresponding to each time point; Based on the field value sequence, detect the adjacent time points when the log signal-to-noise ratio of each pixel in the image first changes from positive to negative, and estimate the zero-crossing time corresponding to that pixel by interpolation; The zero-crossing times of all pixels are aggregated to obtain the global initial diffusion time; If a pixel does not undergo a sign change within the discrete-time grid, then that pixel is ignored during aggregation.
5. The method according to claim 4, characterized in that, Based on the initial diffusion time, forward noise is added to the adversarial sample to obtain the noisy sample, specifically including: Obtain the signal attenuation coefficient and noise injection coefficient corresponding to the initial diffusion time from the noise scheduling field; The adversarial sample is weighted pixel-by-pixel based on the signal attenuation coefficient, and corresponding Gaussian noise is generated based on the noise injection coefficient. The weighted adversarial sample is added to the Gaussian noise to obtain the noisy sample.
6. The method according to claim 5, characterized in that, Performing backdiffusion on the noisy sample to obtain the purified sample specifically includes: Starting from the initial diffusion time, perform multiple iterations decreasing towards time zero; For each iteration, a scalarized noise variance parameter is determined from the noise injection coefficient in the noise scheduling field based on the time corresponding to the current iteration step. The current noise state, the current time, and the scalarized noise variance parameter are input into the denoising network, and the denoising network predicts the denoised mean of the current step; wherein, the denoising network is a neural network with a U-Net structure. The current noise-adding state is sampled and updated based on the denoised mean and the scalarized noise variance parameter to obtain the next noise-adding state. When the iteration reaches time zero, the corresponding noisy state is output as the purified sample.
7. The method according to claim 2, characterized in that, The method further includes performing a decoupling defense step before performing pixel-level heterogeneous forward diffusion scheduling, the decoupling defense step including: The adversarial samples are subjected to a first round of coarse cleaning using prior latent variables that are unrelated to the adversarial samples, resulting in intermediate samples; Extract conditional latent variables from the intermediate samples and block the gradient backpropagation path of the conditional latent variables; The original semantic latent variables are replaced by conditional latent variables after gradient blocking, and used as input to the scheduling network to generate the subsequent noisy scheduling field.
8. An adversarial sample cleanup system based on spatial adaptive diffusion, characterized in that, include: The scheduling module is used to acquire adversarial samples to be processed, perform pixel-level heterogeneous forward diffusion scheduling on the adversarial samples, and generate a pixel-level noise scheduling field. A stopping module is used to determine the global start diffusion time based on the noise scheduling field through zero-crossing detection; The forward execution module is used to perform forward noise addition on the adversarial sample based on the initial diffusion time to obtain a noisy sample; The reverse denoising module is used to perform reverse diffusion on the noisy sample to obtain a purified sample; wherein the reverse diffusion adopts a discrete Gaussian transition that approximately matches the forward diffusion edge distribution.
9. An electronic device, characterized in that, include: The memory, the processor, and the computer program stored in the memory and executable on the processor, wherein the computer program, when executed by the processor, implements the steps of the spatially adaptive diffusion-based adversarial sample cleanup method as described in any one of claims 1-7.
10. A computer-readable storage medium, characterized in that, The computer-readable storage medium stores an implementation program for information transmission, which, when executed by a processor, implements the steps of the adversarial sample cleanup method based on spatial adaptive diffusion as described in any one of claims 1-7.