defense 2025

MANI-Pure: Magnitude-Adaptive Noise Injection for Adversarial Purification

Xiaoyi Huang 1, Junwei Wu 2, Kejia Zhang 1, Carl Yang 2, Zhiming Luo 1

0 citations · 39 references · arXiv

Published on arXiv

2509.25082

Input Manipulation Attack

OWASP ML Top 10 — ML01

Key Finding

Achieves top-1 robust accuracy on RobustBench leaderboard, boosting robust accuracy by 2.15% while narrowing the clean accuracy gap to within 0.59% of the undefended classifier.

MANI-Pure

Novel technique introduced


Adversarial purification with diffusion models has emerged as a promising defense strategy, but existing methods typically rely on uniform noise injection, which indiscriminately perturbs all frequencies, corrupting semantic structures and undermining robustness. Our empirical study reveals that adversarial perturbations are not uniformly distributed: they are predominantly concentrated in high-frequency regions, with heterogeneous magnitude intensity patterns that vary across frequencies and attack types. Motivated by this observation, we introduce MANI-Pure, a magnitude-adaptive purification framework that leverages the magnitude spectrum of inputs to guide the purification process. Instead of injecting homogeneous noise, MANI-Pure adaptively applies heterogeneous, frequency-targeted noise, effectively suppressing adversarial perturbations in fragile high-frequency, low-magnitude bands while preserving semantically critical low-frequency content. Extensive experiments on CIFAR-10 and ImageNet-1K validate the effectiveness of MANI-Pure. It narrows the clean accuracy gap to within 0.59 of the original classifier, while boosting robust accuracy by 2.15, and achieves the top-1 robust accuracy on the RobustBench leaderboard, surpassing the previous state-of-the-art method.


Key Contributions

  • Empirical analysis revealing adversarial perturbations concentrate in high-frequency, low-magnitude spectral bands across multiple attack types
  • MANI-Pure: a magnitude-adaptive purification framework that injects heterogeneous, frequency-targeted noise guided by the input's magnitude spectrum instead of uniform noise
  • State-of-the-art top-1 robust accuracy on RobustBench leaderboard for CIFAR-10 and ImageNet-1K, boosting robust accuracy by 2.15% while keeping clean accuracy within 0.59% of the original classifier
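The contrast between uniform and magnitude-adaptive noise injection, as an added example that is not code from the paper or its authors. It assumes NumPy, a constructed 32x32 input with a 1/f spectrum, and an inverse-magnitude weighting rule chosen for illustration; the function names and the rule are hypothetical, and the diffusion denoising step is not shown.

```python
import numpy as np

def radial_frequency(n):
    """Normalised radial frequency of every FFT bin of an n x n image (0 = DC)."""
    f = np.fft.fftfreq(n)
    return np.sqrt(f[:, None] ** 2 + f[None, :] ** 2)

def constructed_image(n, rng):
    """Constructed input with a natural-image-like 1/f spectrum, scaled to [0, 1]."""
    f = radial_frequency(n)
    f[0, 0] = 1.0 / n  # avoid dividing by zero at DC
    img = np.real(np.fft.ifft2(np.fft.fft2(rng.standard_normal((n, n))) / f))
    return (img - img.min()) / (img.max() - img.min())

def adaptive_weights(image):
    """Per-bin noise gain, larger where the input's magnitude spectrum is small.
    ASSUMPTION: inverse-magnitude rule chosen for illustration, not the paper's formula.
    Normalised to unit mean square so expected noise energy matches uniform noise."""
    mag = np.abs(np.fft.fft2(image))
    w = 1.0 / (mag + np.median(mag))
    return w / np.sqrt(np.mean(w ** 2))

def inject(image, sigma, noise, adaptive):
    """Add Gaussian noise, either uniform or shaped per frequency by adaptive_weights."""
    if adaptive:
        noise = np.real(np.fft.ifft2(np.fft.fft2(noise) * adaptive_weights(image)))
    return image + sigma * noise

def band_energy(delta, lo, hi):
    """Energy of a perturbation inside the radial frequency band [lo, hi)."""
    f = radial_frequency(delta.shape[0])
    return float(np.sum(np.abs(np.fft.fft2(delta))[(f >= lo) & (f < hi)] ** 2))

def compare(n=32, sigma=0.1, seed=0):
    """Return adaptive/uniform injected-noise energy ratios for (low, high, all) bands."""
    rng = np.random.default_rng(seed)
    x = constructed_image(n, rng)
    noise = rng.standard_normal((n, n))  # same noise draw for both schemes
    d_uni = inject(x, sigma, noise, adaptive=False) - x
    d_ada = inject(x, sigma, noise, adaptive=True) - x
    bands = [(0.0, 0.1), (0.25, 1.0), (0.0, 1.0)]
    return tuple(band_energy(d_ada, lo, hi) / band_energy(d_uni, lo, hi) for lo, hi in bands)

if __name__ == "__main__":
    low, high, total = compare()
    print(f"adaptive/uniform noise energy: low={low:.2f} high={high:.2f} total={total:.2f}")
```

At a matched overall noise budget, the adaptive scheme puts far less noise into the low-frequency band that carries the semantic content and more into the high-frequency, low-magnitude bins.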

🛡️ Threat Analysis

Input Manipulation Attack

Proposes a defense against adversarial examples at inference time — MANI-Pure purifies adversarially perturbed inputs using magnitude-adaptive, frequency-targeted diffusion noise injection before classification, directly countering input manipulation attacks.


Details

Domains
vision
Model Types
diffusion, cnn
Threat Tags
white_box, black_box, inference_time, digital, untargeted
Datasets
CIFAR-10, ImageNet-1K, RobustBench
Applications
image classification