Notice: The reproducibility variables underlying each score are classified using an automated LLM-based pipeline, validated against a manually labeled dataset. LLM-based classification introduces uncertainty and potential bias; scores should be interpreted as estimates. Full accuracy metrics and methodology are described in Coakley et alK. L. Coakley, T. Snelleman, H. Hoos, and O. E. Gundersen, "The embrace of open science: An analysis of a decade of AI research and 56 800 conference papers," Under Review, 2026..
AEVA: Black-box Backdoor Detection Using Adversarial Extreme Value Analysis
Authors: Junfeng Guo, Ang Li, Cong Liu
ICLR 2022 | Venue PDF | LLM Run Details
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | Evidenced by extensive experiments across multiple popular tasks and backdoor attacks, our approach is shown effective in detecting backdoor attacks under the black-box hard-label scenarios. |
| Researcher Affiliation | Academia | Junfeng Guo, Ang Li, Cong Liu Department of Computer Science The University of Texas at Dallas EMAIL |
| Pseudocode | Yes | Algorithm 1 Aggregated Global Adversarial Peak (GAP) Algorithm 2 Visualize ยต |
| Open Source Code | Yes | Code :https://github.com/Junfeng Go/AEVA-Blackbox-Backdoor-Detection-main In addition, we have released the implementation of AEVA in https://github.com/Junfeng Go/ AEVA-Blackbox-Backdoor-Detection-main. |
| Open Datasets | Yes | Datasets. We evaluate our approach on CIFAR-10, CIFAR-100, and Tiny-Image Net datasets. |
| Dataset Splits | No | The paper mentions using a "hold-out validation set of infected and benign models" for choosing the MAD detector threshold, but it does not provide specific train/validation/test dataset splits (percentages or counts) for the main datasets (CIFAR-10, CIFAR-100, Tiny-Image Net) used for model training and evaluation. |
| Hardware Specification | No | The paper does not provide specific details about the hardware (e.g., CPU, GPU models) used to run the experiments. |
| Software Dependencies | No | The paper does not provide specific software dependencies with version numbers. |
| Experiment Setup | Yes | For each task, we use 200 samples for the gradient estimation, and the batch size for each {Xi}n i=1 is set to 40 in Algorithm 1. Around 10% poison data is injected in training. Each model is trained for 200 epochs with data augmentation. We set the threshold value ฯ = 4 for our MAD detector, which means we identify the class whose corresponding anomaly index larger than 4 as infected. |