A2: Efficient Automated Attacker for Boosting Adversarial Training

Authors: Zhuoer Xu, Guanghui Zhu, Changhua Meng, Shiwen Cui, Zhenzhe Ying, Weiqiang Wang, Ming Gu, Yihua Huang

NeurIPS 2022

| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | Extensive experiments across different datasets demonstrate that A2 generates stronger perturbations with low extra cost and reliably improves the robustness of various AT methods against different attacks. |
| Researcher Affiliation | Collaboration | ¹State Key Laboratory for Novel Software Technology, Nanjing University; ²Tiansuan Lab, Ant Group |
| Pseudocode | Yes | Algorithm 1 Adversarial Training with Automated Attacker (AT-A2) |
| Open Source Code | Yes | Did you include the code, data, and instructions needed to reproduce the main experimental results (either in the supplemental material or as a URL)? [Yes] |
| Open Datasets | Yes | We conduct extensive experiments on public datasets to answer the following questions: 1) Can A2 generate stronger adversarial perturbations? ... All trained models are open-source checkpoints. We conduct experiments on the baseline AT and the SOTA AWP with A2 across three benchmark datasets to verify the generalization of A2. We follow the settings in AWP: PreActResNet18 trained for 200 epochs, ε = 8/255 and γ = 10⁻² for AWP. The step size is 1/255 for SVHN and 2/255 for CIFAR-10 and CIFAR-100. |
| Dataset Splits | No | The paper uses well-known public datasets (CIFAR-10, SVHN, CIFAR-100) but does not explicitly provide specific training/validation/test split percentages or sample counts. |
| Hardware Specification | Yes | All experiments are run using GeForce RTX 3090 (GPU) and Intel(R) Xeon(R) Silver 4210 (CPU) instances. |
| Software Dependencies | No | The paper mentions using Adam [Kingma and Ba, 2015] but does not list specific software dependencies with version numbers (e.g., Python, PyTorch, TensorFlow versions or other libraries). |
| Experiment Setup | Yes | We follow the settings in AWP: PreActResNet18 trained for 200 epochs, ε = 8/255 and γ = 10⁻² for AWP. The step size is 1/255 for SVHN and 2/255 for CIFAR-10 and CIFAR-100. For AT and AWP, the attacker used in training is PGD10. The 10-step A2 is trained with the same setting as in RQ1. PGD20 is used for testing, and the test robustness is reported in Table 2. It shows that A2, as a component focusing on the inner maximization, achieves better results on most datasets. Moreover, A2 is generic and can boost the robustness of both baseline and SOTA AT methods. Furthermore, we train WRN-34-10 on CIFAR-10 with various AT methods (i.e., AT, TRADES, MART, and AWP) following their original papers and open-source codes. All defense models are trained using SGD with momentum 0.9, weight decay 5×10⁻⁴, and an initial learning rate of 0.1 that is divided by 10 at the 50%-th and 75%-th epoch. Except for 200 epochs in AWP, other AT methods train the model for 120 epochs. |