Official implementation of the paper:
FlowPure: Continuous Normalizing Flows for Adversarial Purification
TL;DR: This work proposes a novel approach to defend against advesarial examples through purification using continuous normalizing flows.
We recommend setting up the environment with Conda. The codebase currently uses Python 3.9.20 and PyTorch 2.3.1.
conda create -n FlowPure python==3.9.20
conda activate FlowPure
pip install -r requirements.txt
- CIFAR: The CIFAR datasets will automatically be downloaded to
./resources/datasets/CIFAR10/by pytorch
- Use this code to train a WideResNet-28 and save the checkpoint to
./resources/checkpoints/victims/ - Diffusion (CIFAR10, DiffPure and GDMP): Download Score SDE to
./resources/checkpoints/score_sde/ - Diffusion (CIFAR10, LM): Download EDM to
./resources/checkpoints/EDM/ - Use this code to train an ADBM and save the checkpoint to
./resources/checkpoints/ADBM/
Train a Continuous Normalizing Flow model using trainer_flowpure.py, specifying the dataset (CIFAR10 or CIFAR100) and noise type (pgd, cw, gauss):
python trainer_flowpure.py --dataset [CIFAR10/CIFAR100] --noise_type [pgd/cw/gauss]
To evaluate the baselines and FlowPure, use either eval_ppb.py for preprocessor-blind attacks or eval_DH.py for the white-box DiffHammer attack. The parameters of the defenses and attacks can be adjusted in config.py. This evaluation code extends the implementation from DiffHammer.
If you find this work useful, consider giving the repository a star and citing our paper:
@misc{collaert2025flowpurecontinuousnormalizingflows,
title={FlowPure: Continuous Normalizing Flows for Adversarial Purification},
author={Elias Collaert and Abel Rodríguez and Sander Joos and Lieven Desmet and Vera Rimmer},
year={2025},
eprint={2505.13280},
archivePrefix={arXiv},
primaryClass={cs.LG},
url={https://arxiv.org/abs/2505.13280},
}