🤖 AI Summary
Existing defenses against distributed and localized physical-world adversarial patch attacks (e.g., DorPatch) suffer from insufficient robustness and high computational overhead, failing to meet the real-time requirements of cyber-physical systems. This paper proposes an efficient and robust collaborative purification framework. It introduces a novel pixel-level adaptive masking mechanism to precisely localize and suppress distributed perturbations, coupled with a lightweight super-resolution GAN (SR-GAN) for progressive image purification. By jointly optimizing adversarial patch modeling and mask-purification, the method significantly enhances model robustness: on ImageNet, it improves ResNet/EfficientNet robustness against localized attacks by over 20% and achieves 58% robustness against distributed attacks—surpassing the prior state-of-the-art (0%). Moreover, end-to-end latency is reduced by 98%, striking an unprecedented balance between security and real-time performance.
📝 Abstract
As vision-based machine learning models are increasingly integrated into autonomous and cyber-physical systems, concerns about (physical) adversarial patch attacks are growing. While state-of-the-art defenses can achieve certified robustness with minimal impact on utility against highly concentrated localized patch attacks, they fall short in two important areas: (i) state-of-the-art methods are vulnerable to low-noise distributed patches, where perturbations are subtly dispersed to evade detection or masking, as shown recently by the DorPatch attack; (ii) achieving high robustness with state-of-the-art methods is extremely time- and resource-consuming, rendering them impractical for latency-sensitive applications in many cyber-physical systems. To address both the robustness and the latency issues, this paper proposes a new defense strategy against adversarial patch attacks called SuperPure. The key novelty is a pixel-wise masking scheme that is robust against both distributed and localized patches. The masking leverages a GAN-based super-resolution scheme to gradually purify the image of adversarial patches. Our extensive evaluations on ImageNet with two standard classifiers, ResNet and EfficientNet, show that SuperPure advances the state of the art in three major directions: (i) it improves robustness against conventional localized patches by more than 20% on average, while also improving top-1 clean accuracy by almost 10%; (ii) it achieves 58% robustness against distributed patch attacks (as opposed to 0% for the state-of-the-art method, PatchCleanser); (iii) it decreases the defense's end-to-end latency by over 98% compared to PatchCleanser. Our further analysis shows that SuperPure is robust against white-box attacks and different patch sizes. Our code is open-source.