Batchnorm Allows Unsupervised Radial Attacks
Authors: Amur Ghose, Apurv Gupta, Yaoliang Yu, Pascal Poupart
NeurIPS 2023 | Conference PDF | Archive PDF | Plain Text | LLM Run Details
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | We carry out an extensive set of experiments on Imagenet [Russakovsky et al., 2015], utilizing several Res Net [He et al., 2016] models Res Net-{18, 34, 50, 101, 152} and Efficient Net models [Tan and Le, 2019] B-1 to B-5. ... Core results are summarized in Figure 2. On the batchnorm-free Fixup Resnet, the FGSM attack greatly outperforms our angular attack. On the other two architectures, this is not the case. |
| Researcher Affiliation | Academia | Amur Ghose 1,2, Apurv Gupta3, Yaoliang Yu1,2, Pascal Poupart1,2 1David R. Cheriton School of Computer Science, University of Waterloo, 2Vector Institute, 3Columbia University |
| Pseudocode | Yes | Algorithm 1 Angular attack algorithm |
| Open Source Code | Yes | we also attach our training and inference codebases. |
| Open Datasets | Yes | We carry out an extensive set of experiments on Imagenet [Russakovsky et al., 2015]... on CIFAR-10 and CIFAR-100 [Krizhevsky et al., 2009]. |
| Dataset Splits | No | The paper mentions training, testing, and validation in general terms (e.g., 'test/validation sets', 'standard normalization pre-processing'), but does not explicitly provide specific dataset split percentages or sample counts for training, validation, and test sets. |
| Hardware Specification | Yes | Everything was run on a single Tesla V100 GPU |
| Software Dependencies | Yes | on Torch 1.6, torchvision 0.7.0. |
| Experiment Setup | Yes | For the choice of ϵ for the adversarial attack, we chose 0.03, 0.06, 0.1 and carried out all attacks using an α = 0.01 over 40 iterations. ... We utilize 20 such iterations before switching, at α = α/40. Hence, in total, our angular PGD attack consists of 20 iterations of finding an unsupervised radial direction of moving to the antipodal point in latent space, and 20 iterations of maximizing the angular deviation given the initial movement. ... For training, we utilize SGD. |