Adversarial Robustness with Non-uniform Perturbations

Authors: Ecenaz Erdemir, Jeffrey Bickford, Luca Melis, Sergul Aydore

NeurIPS 2021

Reproducibility Variable | Result | LLM Response
Research Type | Experimental | Here, we present experimental results to evaluate robustness of DNNs against adversarial attacks for binary classification problems on three applications: malware detection, credit risk prediction, and spam detection.
Researcher Affiliation | Collaboration | Ecenaz Erdemir, Imperial College London, e.erdemir17@imperial.ac.uk; Jeffrey Bickford, Amazon Web Services, jbick@amazon.com; Luca Melis, Amazon Web Services, lucmeli@amazon.com; Sergül Aydöre, Amazon Web Services, saydore@amazon.com
Pseudocode | No | The paper does not contain structured pseudocode or algorithm blocks.
Open Source Code | Yes | Code is available at https://github.com/amazon-research/adversarial-robustness-withnonuniform-perturbations
Open Datasets | Yes | First, we consider a binary classification problem for malware detection using the EMBER dataset [28]. We use the extracted features of the PDF malware classification dataset and its attacked samples provided in [33]. For this scenario, we use the well-known German Credit dataset [40]. We use a dataset from Twitter, where data from legitimate users and spammers is harvested from social honeypots over seven months [41].
Dataset Splits | Yes | EMBER is a feature-based public dataset which is considered a benchmark for Windows malware detection. It contains 2381 features extracted from Windows PE files: 600K labeled training samples and 200K test samples. ... Moreover, we extract 41,354 samples where the training set has 17,744 "bad" and 15,339 "good" samples, and the testing set has 3885 "bad" and 4386 "good" samples.
Hardware Specification | Yes | We use a machine with an Intel Xeon E5-2686 v4 @ 2.3 GHz CPU, and 4 Nvidia Tesla V100 GPUs.
Software Dependencies | Yes | We utilize the adversarial robustness toolbox (ART) [44] to craft AEs by using the default parameters for the AE generators of Carlini-Wagner (CW), JSMA and DeepFool methods. [44] is 'Maria-Irina Nicolae, Mathieu Sinn, Minh Ngoc Tran, Beat Buesser, Ambrish Rawat, Martin Wistuba, Valentina Zantedeschi, Nathalie Baracaldo, Bryant Chen, Heiko Ludwig, Ian M. Molloy, and Ben Edwards. Adversarial robustness toolbox v1.0.0, 2019.'
Experiment Setup | Yes | Adversarial training (AT): We perform AT in all use-cases by applying ℓ2-norm PGD for uniform perturbation sets, i.e., {δ : ‖δ‖₂ ≤ ϵ₁}, and non-uniform perturbation sets, i.e., {δ : ‖Ωδ‖₂ ≤ ϵ₂}. ... adversarial perturbations are applied to 90% of the positive samples during training. ... AT is performed for ϵ = 0.3. Certification is done by solving the LP for ϵ = 0.3 over 1000 spammers.
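The Experiment Setup row names the two perturbation sets but says nothing about how a PGD step is projected onto them. The block below is an added example, not code from the paper or from its repository: a minimal ℓ2 PGD loop in plain Python against a logistic-regression classifier, run on a constructed three-feature sample, with the perturbation projected either onto the uniform ball {δ : ‖δ‖₂ ≤ ϵ} or onto the non-uniform ball {δ : ‖Ωδ‖₂ ≤ ϵ}. It assumes Ω is diagonal with positive entries (so the non-uniform projection reduces to scale, project onto the ordinary ball, unscale), a linear model, and the toy weights, sample and Ω values written in the code; none of these come from the paper. Under the non-uniform constraint the steepest-ascent direction is Ω⁻²g rather than g, so the attack spends its budget on the features Ω marks cheap.

```python
"""Added example (not the paper's code): ell_2 PGD against a logistic model,
projecting onto a uniform ball {d : ||d||_2 <= eps} or a non-uniform ball
{d : ||Omega d||_2 <= eps}. Omega is assumed diagonal and positive."""
import math

# Constructed toy "malware" classifier (assumption, not from the paper):
# feature 0 is the most predictive and also the one the attacker finds
# expensive to change; features 1 and 2 are cheap.
W = [2.0, 1.0, 1.0]
B = 0.0
X = [0.5, 0.5, 0.5]       # one positive (y = 1) sample
Y = 1.0
EPS = 0.3
OMEGA = [10.0, 1.0, 1.0]  # diagonal of Omega: feature 0 costs 10x the others


def l2_norm(v):
    return math.sqrt(sum(x * x for x in v))


def project_l2(delta, eps):
    """Project delta onto {d : ||d||_2 <= eps}: scale down if outside."""
    n = l2_norm(delta)
    if n <= eps:
        return list(delta)
    return [x * eps / n for x in delta]


def project_nonuniform(delta, omega, eps):
    """Project onto {d : ||Omega d||_2 <= eps} for diagonal Omega.
    In the coordinates u = Omega d the set is the ordinary eps-ball,
    so: map in, project, map back."""
    u = [w * d for w, d in zip(omega, delta)]
    u = project_l2(u, eps)
    return [ui / w for ui, w in zip(u, omega)]


def logit(w, b, x):
    return sum(wi * xi for wi, xi in zip(w, x)) + b


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def grad_bce_wrt_x(w, b, x, y):
    """d/dx of binary cross-entropy for a logistic model: (sigmoid(z) - y) * w."""
    p = sigmoid(logit(w, b, x))
    return [(p - y) * wi for wi in w]


def pgd_l2(w, b, x, y, eps, steps=20, step_size=0.1, omega=None):
    """Projected gradient ascent on the loss. omega=None is the uniform ell_2
    attack; a diagonal omega is the non-uniform attack, whose steepest-ascent
    direction in the Omega-metric is Omega^-2 g (cheap features move more).
    Each step has unit length in the metric of the constraint."""
    delta = [0.0] * len(x)
    for _ in range(steps):
        g = grad_bce_wrt_x(w, b, [xi + di for xi, di in zip(x, delta)], y)
        if omega is None:
            d = g
            scale = l2_norm(d)
        else:
            d = [gi / (oi * oi) for gi, oi in zip(g, omega)]
            scale = l2_norm([oi * di for oi, di in zip(omega, d)])
        if scale == 0.0:
            break
        delta = [di + step_size * dd / scale for di, dd in zip(delta, d)]
        if omega is None:
            delta = project_l2(delta, eps)
        else:
            delta = project_nonuniform(delta, omega, eps)
    return delta


def compare_attacks():
    """Run both attacks on the constructed sample and report the perturbation,
    the budget each one actually spent, and the logit before and after."""
    d_uni = pgd_l2(W, B, X, Y, EPS)
    d_non = pgd_l2(W, B, X, Y, EPS, omega=OMEGA)
    return {
        "uniform": d_uni,
        "uniform_norm": l2_norm(d_uni),
        "nonuniform": d_non,
        "nonuniform_omega_norm": l2_norm([o * d for o, d in zip(OMEGA, d_non)]),
        "clean_logit": logit(W, B, X),
        "uniform_logit": logit(W, B, [xi + di for xi, di in zip(X, d_uni)]),
        "nonuniform_logit": logit(W, B, [xi + di for xi, di in zip(X, d_non)]),
    }


if __name__ == "__main__":
    for k, v in compare_attacks().items():
        print(f"{k:>22}: {v}")
```

On the constructed sample both attacks spend their whole budget (‖δ‖₂ and ‖Ωδ‖₂ both end at 0.3), but the uniform attack puts most of it on feature 0, the most predictive one, while the non-uniform attack with feature 0 made ten times as costly leaves it almost untouched and moves the two cheap features instead; the logit drop it achieves is correspondingly smaller. An adversarial-training loop in the paper's setting would call pgd_l2 on 90% of the positive samples in each batch and train on x + δ.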