Adversarial Robustness via Runtime Masking and Cleansing
Authors: Yi-Hsuan Wu, Chia-Hung Yuan, Shan-Hung Wu
ICML 2020 | Conference PDF | Archive PDF | Plain Text | LLM Run Details
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | We conduct experiments on realworld datasets and the results demonstrate the effectiveness of RMC empirically. In this section, we evaluate the performance of RMC using the robust classification task defined in Problem 1 on the MNIST (Le Cun & Cortes, 2010), CIFAR-10 (Krizhevsky et al., 2009), and Image Net (Deng et al., 2009) datasets. |
| Researcher Affiliation | Academia | Yi-Hsuan Wu 1 Chia-Hung Yuan 1 Shan-Hung Wu 1 1Department of Computer Science, National Tsing Hua University, Taiwan. Correspondence to: Shan-Hung Wu <shwu@cs.nthu.edu.tw>. |
| Pseudocode | Yes | Algorithm 1 Runtime Masking and Cleansing (RMC). Algorithm 2 The PREDICT procedure of RMC+. |
| Open Source Code | Yes | Our code is available at https://github.com/nthu-datalab/ Runtime-Masking-and-Cleansing. |
| Open Datasets | Yes | on the MNIST (Le Cun & Cortes, 2010), CIFAR-10 (Krizhevsky et al., 2009), and Image Net (Deng et al., 2009) datasets. |
| Dataset Splits | Yes | To prevent overfitting, we separate a validation set from N0(ˆx) and early stop the local adaptation when the validation loss does not decrease over time. To prevent the local adaptation in RMC from overfitting, we separate the top-20% nearest neighboring examples from N0(ˆx) as the validation set and early stop the local adaptation when the validation loss does not decrease over time. |
| Hardware Specification | Yes | We test the delay incurred by the RMC at runtime on a machine with an NVIDIA V100 GPU. |
| Software Dependencies | No | The paper mentions using "the Adam optimizer (Kingma & Ba, 2014)" and "the open-source Clever Hans library (Papernot et al., 2018)," but it does not provide specific version numbers for these or any other software components. |
| Experiment Setup | Yes | We set K= 1024 and 2048 for CIFAR-10 and Image Net respectively. We set the maximum allowable perturbation, , to 8/255 for gradient-based attacks (FGSM, BIM and PGD). The learning rate of CW-L2 attack is 0.002. The initial learning rate for local adaptation is set to 25% of that used by a model during the training time. We set the batch size for adaptation to 128 and 1024 on CIFAR-10 and Image Net, respectively. |