We Are Making Large AI Models You Can Trust

For years, researchers have been searching for defense schemes. Initial attempts focused on adversarial training, essentially showing the model thousands of poisoned inputs to teach it to resist. While effective within their training limits, these methods are computationally expensive and struggle to generalize to unseen types of attacks. 

Stopping Attacks at the Door: The Rise of Adversarial Purification 

A more elegant solution has emerged: adversarial purification. Instead of constantly retraining the large models, this "plug-in" approach cleans the malicious input before it reaches the model, acting like a digital decontamination. Generative models, especially diffusion models, have proven highly effective in this scenario. However, they suffer from substantial slowdowns in real-time deployments, since they require a fixed and long "purification time".

DiffCAP: Dynamic Defense with Semantic Stability

New research at RISE, DiffCAP (Diffusion-based Cumulative Adversarial Purification), introduces a novel solution by solving the scalability-reliability trade-off. The core contribution of DiffCAP is its ability to dynamically determine the minimal necessary purification time for each individual image.

Here’s how it works:

1. Noise Injection: 
   An adversarial image is exposed to a forward diffusion process, where Gaussian noise is incrementally added. The theory behind this is that adversarial effects monotonically fade as diffusion unfolds, gradually being drowned out by the noise.
2. Semantic Stabilization: 
   At each small step, DiffCAP checks the cosine similarity between the current image's latent embedding and the previous step's embedding. Once the similarity stabilizes above a predefined threshold, it signals that the image's semantic representation is no longer being shifted by the diffusion process. Crucially, this stability indicates that the adversarial noise has been neutralized.
3. Denoising: 
   Once stabilization is achieved, the process stops. A pre-trained diffusion model then denoises the image, recovering a clean and reliable representation for the inference of vision-language models (VLMs).

By not relying on a one-size-fits-all duration, DiffCAP uses significantly fewer diffusion steps than prior methods, resulting in an average purification time of only around 1 second per image.

A New State-of-the-Art for Trust

The empirical evidence is compelling. Evaluated on various large VLMs, datasets, perturbation strengths, and tasks, DiffCAP consistently outperforms existing defenses by a substantial margin. Furthermore, it remains highly functional even against adaptive attacks, where the adversary has full knowledge of the defense mechanism. DiffCAP's success in mitigating the tension between robustness, efficiency, and image quality is a major benefit for the AI community. The original manuscript of DiffCAP can be found at https://arxiv.org/pdf/2506.03933.

Looking ahead, we'll push toward joint defenses across modalities (image, text, audio, etc.) for large AI models. Our researchers from Computer Science at RISE and the unit for Data Analysis together with the efforts by The Center for Applied AI at RISE are also focused on broader trustworthiness challenges beyond adversarial attacks. This includes guaranteeing performance with open sets (test-time classes unseen in training), domain shifts (deployment data out of distribution from training), and noisy labels (imperfect or inconsistent data annotations). 

Our ambition is clear. We want to build AI that deploys efficiently, runs safely, and operates sustainably.

Please do reach out if you would like to discuss this further.

Image 1: Model output is misled by adversarial perturbations.

Image 2: DiffCAP removes adversarial noise, and the model responds correctly.