Unrestricted adversarial attacks present a serious threat to deep learning
models and adversarial defense techniques. They pose severe security problems
for deep learning applications because they can effectively bypass defense
mechanisms. However, previous attack methods often utilize Generative
Adversarial Networks (GANs), which are not theoretically provable and thus
generate unrealistic examples by incorporating adversarial objectives,
especially for large-scale datasets like ImageNet. In this paper, we propose a
new method, called AdvDiff, to generate unrestricted adversarial examples with
diffusion models. We design two novel adversarial guidance techniques to
conduct adversarial sampling in the reverse generation process of diffusion
models. These two techniques are effective and stable to generate high-quality,
realistic adversarial examples by integrating gradients of the target
classifier interpretably. Experimental results on MNIST and ImageNet datasets
demonstrate that AdvDiff is effective to generate unrestricted adversarial
examples, which outperforms GAN-based methods in terms of attack performance
and generation quality.

提出了一种新方法 AdvDiff，使用扩散模型生成无限制的对抗样本，并通过两种新的对抗引导技术在扩散模型的逆生成过程中进行对抗采样，实现了高质量、逼真的对抗样本生成。实验证明，AdvDiff 在攻击性能和生成质量方面优于基于 GAN 的方法。

AdvDiff：使用扩散模型生成无限制的对抗样本

AdvDiff: Generating Unrestricted Adversarial Examples using Diffusion  Models

Do all adversarial examples have the same consequences? An autonomous driving
system misclassifying a pedestrian as a car may induce a far more dangerous --
and even potentially lethal -- behavior than, for instance, a car as a bus. In
order to better tackle this important problematic, we introduce the concept of
hierarchical adversarial robustness. Given a dataset whose classes can be
grouped into coarse-level labels, we define hierarchical adversarial examples
as the ones leading to a misclassification at the coarse level. To improve the
resistance of neural networks to hierarchical attacks, we introduce a
hierarchical adversarially robust (HAR) network design that decomposes a single
classification task into one coarse and multiple fine classification tasks,
before being specifically trained by adversarial defense techniques. As an
alternative to an end-to-end learning approach, we show that HAR significantly
improves the robustness of the network against $\ell_2$ and $\ell_{\infty}$
bounded hierarchical attacks on the CIFAR-10 and CIFAR-100 dataset.

介绍了一种分类网络设计 -- 分层敌对强韧网络（HAR），将分类任务分解成一个粗分类和多个细分类任务，在经过敌对防御技术的有针对性训练后，极大地提高了神经网络对层次攻击的强度，实验表明对 CIFAR 数据集 L2 和 L∞有显著改进。