Notice: The reproducibility variables underlying each score are classified using an automated LLM-based pipeline, validated against a manually labeled dataset. LLM-based classification introduces uncertainty and potential bias; scores should be interpreted as estimates. Full accuracy metrics and methodology are described in Coakley et al. (K. L. Coakley, T. Snelleman, H. Hoos, and O. E. Gundersen, "The embrace of open science: An analysis of a decade of AI research and 56 800 conference papers," Under Review, 2026).

Adversary Aware Optimization for Robust Defense

Authors: Daniel Wesego, Pedram Rooshenas

NeurIPS 2025

| Reproducibility Variable | Result | LLM Response |
| --- | --- | --- |
| Research Type | Experimental | Experiments performed on CIFAR-10 and CIFAR-100 demonstrate strong robust accuracy against a range of common adversarial attacks. Our work offers a principled test-time defense grounded in probabilistic inference using score-based generative models. |
| Researcher Affiliation | Academia | Daniel Wesego, Department of Computer Science, University of Illinois Chicago, Chicago, IL 60607, EMAIL; Pedram Rooshenas, Department of Computer Science, University of Illinois Chicago, Chicago, IL 60607, EMAIL |
| Pseudocode | Yes | Algorithm 1 shows how we perform test-time adversarial purification by iteratively refining the given image x̂ toward its MAP estimate x. To avoid propagating the gradients through the parameters of the score-based diffusion models during the optimization, we use stop-gradient (sg) operations when evaluating the score-based diffusion models, which will make the optimization efficient. |
| Open Source Code | Yes | Our code can be found at https://github.com/rooshenasgroup/aaopt. |
| Open Datasets | Yes | We use CIFAR-10 and CIFAR-100 [Krizhevsky et al., 2009], each comprising 50 000 training and 10 000 test images at 32 × 32 resolution; CIFAR-10 spans 10 classes, while CIFAR-100 covers 100 classes. These datasets are publicly available from https://www.cs.toronto.edu/~kriz/cifar.html, though no explicit license is specified by the authors. To assess robustness under common corruptions, we employ CIFAR-10-C [Hendrycks and Dietterich, 2019], which augments the original CIFAR-10 test set with different types of corruptions at five severity levels. CIFAR-10-C is released under a CC BY 4.0 International license (DOI: https://doi.org/10.5281/zenodo.2535967). Finally, we include Tiny ImageNet200, a 200-class subset of ImageNet containing 100 000 training and 10 000 validation images resized to 64 × 64. While the Stanford CS231N release (available at http://cs231n.stanford.edu/tiny-imagenet-200.zip) does not list its own license, it inherits the ImageNet terms of use, which permit non-commercial research and educational use only [Deng et al., 2009]. |
| Dataset Splits | Yes | All experimental results are reported on the test splits, and we report both the clean (standard) accuracy and the robust accuracy when the model is under attack. We use CIFAR-10 and CIFAR-100 [Krizhevsky et al., 2009], each comprising 50 000 training and 10 000 test images at 32 × 32 resolution... Finally, we include Tiny ImageNet200, a 200-class subset of ImageNet containing 100 000 training and 10 000 validation images resized to 64 × 64. |
| Hardware Specification | Yes | We use NVIDIA A100 GPU to train the models and perform the inference. |
| Software Dependencies | No | we implement a custom differentiable Adam optimizer in PyTorch rather than relying on the built-in version, which uses in-place operations and is not differentiable. |
| Experiment Setup | Yes | We first list the hyperparameters in the model, then we go over optimization, training, and compute details. We have also attached the code used to generate the outputs, which can be found in the attached supplementary material for more details. We run the main experiments in the paper 5 times and report the mean and standard deviation. We use 512 samples for each trial because of the heavy computation requirements to generate adversarial examples. Table 13: Details of hyperparameters used for our proposed model AAOpt |