Adversarial Robustness Through the Lens of Causality
Authors: Yonggang Zhang, Mingming Gong, Tongliang Liu, Gang Niu, Xinmei Tian, Bo Han, Bernhard Schölkopf, Kun Zhang
ICLR 2022
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | Extensive experiments demonstrate the efficacy of the proposed method. Our work is the first attempt towards using causality to understand and mitigate the adversarial vulnerability. |
| Researcher Affiliation | Academia | Yonggang Zhang1,2 Mingming Gong3 Tongliang Liu4 Gang Niu5 Xinmei Tian1 Bo Han2 Bernhard Schölkopf6 Kun Zhang7,8 1University of Science and Technology of China 2Hong Kong Baptist University 3The University of Melbourne 4The University of Sydney 5RIKEN Center for Advanced Intelligence Project 6Max Planck Institute for Intelligent Systems 7Carnegie Mellon University 8Mohamed bin Zayed University of Artificial Intelligence |
| Pseudocode | No | The paper does not contain structured pseudocode or algorithm blocks. It provides mathematical derivations and descriptions of the method. |
| Open Source Code | Yes | To ensure the reproducibility of experimental results, we open source our code https://github.com/YonggangZhangUSTC/CausalAdv.git. |
| Open Datasets | Yes | We validate the efficacy of the proposed method on MNIST, CIFAR-10, and CIFAR-100 (Krizhevsky et al., 2009) datasets under various adversarial attacks such as FGSM (Goodfellow et al., 2015), PGD (Madry et al., 2018), CW attack (Carlini & Wagner, 2017), and AutoAttack (Croce & Hein, 2020). |
| Dataset Splits | No | The paper mentions training and testing but does not explicitly provide specific train/validation/test dataset splits (e.g., percentages or exact counts) for the datasets used. It refers to general training details and hyperparameters. |
| Hardware Specification | No | The paper does not provide specific hardware details (e.g., GPU model, CPU type, memory) used for running the experiments. It only refers to general model training and evaluation. |
| Software Dependencies | No | The paper does not provide specific ancillary software details with version numbers (e.g., Python version, PyTorch version, library versions). It describes the models and training process but not the software stack. |
| Experiment Setup | Yes | For MNIST, we set the maximum perturbation bound ϵ = 0.3, perturbation step size η = 0.01, and the number of iterations K = 40 for PGD and C&W attacks. Following (Rice et al., 2020), we set perturbation bound ϵ = 8/255, perturbation step size η = ϵ/10, and the number of iterations K = 20 for CIFAR-10 dataset. The network is trained using SGD with 0.9 momentum for 50 epochs with an initial learning rate 0.01, and the batch size is set to 128. These two networks share the same hyper-parameters: we use SGD with 0.9 momentum, weight decay 2e-4, batch size 128, and an initial learning rate of 0.1. The maximum epoch is 120, and the learning rate is divided by 10 at epoch 60 and 90, respectively. To generate adversarial examples for training, we set the maximal perturbation ϵ = 8/255, the perturbation step size η = 2/255, and the number of iterations K = 10. In all of our experiments β is set to 1.0. For Causal Adv-M, λ is set to 1.0 and 0.5 for CIFAR-10 and CIFAR-100 datasets, respectively. For Causal Adv-T, λ is set to 0.5 and 1.0 for CIFAR-10 and CIFAR-100 datasets, respectively. |
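The hyper-parameters quoted in the Experiment Setup row are specific enough to reconstruct the adversarial-example generation step used during CIFAR training. The sketch below is a minimal L-infinity PGD implementation; the paper does not state its software stack, so PyTorch is an assumption, and the function name `pgd_attack` is ours rather than taken from the released code. It uses the quoted training-time values ε = 8/255, η = 2/255, and K = 10.

```python
import torch
import torch.nn.functional as F

def pgd_attack(model, x, y, eps=8/255, step_size=2/255, num_steps=10):
    """Untargeted L-infinity PGD (Madry et al., 2018) with the quoted
    CIFAR training-time hyper-parameters as defaults."""
    # Random start inside the eps-ball, clipped to the valid image range.
    x_adv = x.clone().detach() + torch.empty_like(x).uniform_(-eps, eps)
    x_adv = torch.clamp(x_adv, 0.0, 1.0)

    for _ in range(num_steps):
        x_adv.requires_grad_(True)
        loss = F.cross_entropy(model(x_adv), y)
        grad = torch.autograd.grad(loss, x_adv)[0]
        with torch.no_grad():
            # Ascend the loss, then project back into the eps-ball around x.
            x_adv = x_adv + step_size * grad.sign()
            x_adv = torch.min(torch.max(x_adv, x - eps), x + eps)
            x_adv = torch.clamp(x_adv, 0.0, 1.0)
    return x_adv.detach()
```

For evaluation on MNIST, the same routine would be called with the quoted test-time settings, e.g. `pgd_attack(model, x, y, eps=0.3, step_size=0.01, num_steps=40)`.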
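The quoted optimizer and learning-rate schedule for the CIFAR networks can likewise be written down directly. The following sketch assumes PyTorch and uses a torchvision ResNet-18 purely as a stand-in backbone; the paper trains its own architectures, and the training-loop body is elided.

```python
import torch
import torchvision

# Stand-in backbone; illustrative only, not the architecture from the paper.
model = torchvision.models.resnet18(num_classes=10)

# Quoted setup: SGD with 0.9 momentum, weight decay 2e-4, initial lr 0.1,
# batch size 128, lr divided by 10 at epochs 60 and 90, 120 epochs total.
optimizer = torch.optim.SGD(model.parameters(), lr=0.1, momentum=0.9,
                            weight_decay=2e-4)
scheduler = torch.optim.lr_scheduler.MultiStepLR(optimizer,
                                                 milestones=[60, 90], gamma=0.1)

for epoch in range(120):
    # ... one adversarial-training pass over CIFAR-10 batches of size 128 ...
    scheduler.step()
```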