arxiv_cv 95% Match Research Paper AI security researchers,Computer vision engineers,Machine learning practitioners,Developers of safety-critical AI systems 3 weeks ago

NAPPure: Adversarial Purification for Robust Image Classification under Non-Additive Perturbations

ai-safety › robustness

📄 Abstract

Abstract: Adversarial purification has achieved great success in combating adversarial image perturbations, which are usually assumed to be additive. However, non-additive adversarial perturbations such as blur, occlusion, and distortion are also common in the real world. Under such perturbations, existing adversarial purification methods are much less effective since they are designed to fit the additive nature. In this paper, we propose an extended adversarial purification framework named NAPPure, which can further handle non-additive perturbations. Specifically, we first establish the generation process of an adversarial image, and then disentangle the underlying clean image and perturbation parameters through likelihood maximization. Experiments on GTSRB and CIFAR-10 datasets show that NAPPure significantly boosts the robustness of image classification models against non-additive perturbations.

Authors (5)

Junjie Nan

Jianing Li

Wei Chen

Mingkun Zhang

Xueqi Cheng

Submitted

October 15, 2025

arXiv Category

cs.CV

arXiv PDF

Key Contributions

Proposes NAPPure, an extended adversarial purification framework that effectively handles non-additive adversarial perturbations (e.g., blur, occlusion) in addition to additive ones. It achieves this by disentangling the underlying clean image and perturbation parameters through likelihood maximization, significantly boosting classifier robustness.

Business Value

Enhances the reliability and security of AI systems that rely on image recognition in real-world scenarios, such as autonomous driving or medical imaging, where perturbations are common.

Paper Metadata

Innovation Type

Algorithmic Improvement

Deployment Feasibility

Moderate. Requires integration into existing DNN pipelines, but the core method is algorithmic.

Limitations Addressed

Existing adversarial purification methods are designed for additive perturbations and are less effective against common non-additive perturbations like blur, occlusion, and distortion.

Performance Gains

Significantly boosts robustness against non-additive perturbations compared to existing methods.

Technical Tags

adversarial purificationrobust image classificationnon-additive perturbationsdeep neural networkslikelihood maximizationGTSRBCIFAR-10image perturbations

Research Topics

Adversarial RobustnessImage ClassificationDeep Learning SecurityComputer VisionRobust AI

Methods & Architectures

Adversarial purification frameworkLikelihood maximizationDisentanglement of image and perturbation Deep Neural Networks (DNNs)

Applications & Tasks

Computer Vision Machine Learning Security Autonomous Systems Image Recognition Ineffectiveness of existing purification methods against non-additive perturbationsImproving robustness of image classifiersHandling real-world image corruptions Image classificationAdversarial defenseRobustness against perturbations

Datasets & Benchmarks

Datasets

GTSRB, CIFAR-10

Robustness against non-additive perturbationsClassification accuracy under attackPurification effectiveness

Related Fields

Computer VisionMachine LearningArtificial Intelligence SecurityDeep Learning

Keywords

adversarial robustnesspurificationnon-additive perturbationsimage classificationDNNdefensesecuritycomputer visionGTSRBCIFAR-10perturbations

Academic Context

#Adversarial Robustness#Image Classification#Deep Learning Security#Computer Vision#Robust AI

Commercial Potential

Potential Products

Robust image recognition modules for critical applicationsSecurity enhancement tools for computer vision systems

Target Industries

Automotive (Autonomous Driving)Security & SurveillanceHealthcare (Medical Imaging)Robotics

Use Case Examples

Ensuring self-driving cars can still recognize traffic signs under adverse weather conditionsImproving the reliability of medical image analysis systems

Competitive Edge

Extends adversarial purification to handle a broader range of realistic image perturbations, offering superior robustness compared to methods limited to additive noise.

Market Opportunity

Growing demand for robust and secure AI systems.

Revenue Models

Licensing of the robustification techniqueintegration services.

Resource Requirements

Compute Needs

Moderate to high for training and evaluating DNNs with adversarial attacks.

Data Requirements

Standard image classification datasets (e.g., GTSRB, CIFAR-10) and adversarial perturbation generation methods.

Deployment Constraints

Computational overhead of purification might be a concern for real-time applications. Effectiveness depends on the specific types and severity of perturbations.

Scalability

The framework's scalability depends on the underlying DNN architecture and the efficiency of the purification process.

Production Readiness

Maturity Level

Research

Time to Market

2-3 years for integration into safety-critical systems.

View Full Paper Back to Papers