BREAKING CERTIFIED DEFENSES: SEMANTIC ADVERSARIAL EXAMPLES WITH SPOOFED ROBUSTNESS CERTIFICATES
Authors: Amin Ghiasi, Ali Shafahi, Tom Goldstein
ICLR 2020
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | In this section we perform an ablation study on the parameters of the Shadow Attack to evaluate (i) the number of SGD steps needed, (ii) the importance of λs (or alternatively using 1-channel attacks), and (iii) the effect of λtv. The results are summarized in Table 1. |
| Researcher Affiliation | Academia | Amin Ghiasi , Ali Shafahi & Tom Goldstein University of Maryland {amin,ashafahi,tomg}@cs.umd.edu |
| Pseudocode | No | No structured pseudocode or algorithm blocks were found. The paper describes the optimization problem mathematically but does not present it in a pseudocode format. |
| Open Source Code | Yes | Source code for all experiments can be found at: https://github.com/AminJun/BreakingCertifiableDefenses |
| Open Datasets | Yes | Cohen et al. (2019) show the performance of the Gaussian smoothed classifier on CIFAR-10 (Krizhevsky et al.) and ImageNet (Deng et al., 2009). |
| Dataset Splits | No | No specific details on how the dataset was split into training, validation, and test sets (e.g., percentages or sample counts) are provided. The paper mentions using 'the first example from each class of the CIFAR-10 validation set' for ablation studies but does not provide general split information. |
| Hardware Specification | No | No specific hardware details such as GPU/CPU models, processor types, or memory amounts used for running experiments were mentioned in the paper. |
| Software Dependencies | No | No specific software dependencies with version numbers (e.g., 'Python 3.8, PyTorch 1.9') were mentioned in the paper. |
| Experiment Setup | Yes | To attack the CIFAR-10 and ImageNet smoothed classifiers, we use 400 randomly sampled Gaussian images, λtv = 0.3, λc = 1.0, and perform 300 steps of SGD with learning rate 0.1. Unless explicitly mentioned, the default parameters for all experiments are: 30 SGD steps with learning rate 0.1, batch size 50, λtv = 0.3, and λc = 20; all experiments except part (ii) use 1-channel attacks for simplicity and efficiency, since they have fewer parameters. We use λtv = 0.000009, λc = 0.02, C(δ) = ‖δ‖₂, a learning rate of 200, and otherwise the same regularizers and hyperparameters as in Section 3. |
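The setup row above lists the weights λtv (total variation), λc (color/magnitude), and λs (channel similarity) that the Shadow Attack balances against the classifier loss. As a rough, hedged sketch of what those three penalty terms look like on a (channels, height, width) perturbation δ, here is a minimal numpy version; the function names and the exact functional forms (anisotropic TV, squared per-pixel mean for the color term, cross-channel variance for dissimilarity) are illustrative assumptions, not the paper's verbatim definitions:

```python
import numpy as np

def total_variation(delta):
    """Anisotropic TV penalty: sum of absolute differences between
    neighboring pixels, encouraging spatially smooth perturbations."""
    dh = np.abs(np.diff(delta, axis=1)).sum()  # vertical differences
    dw = np.abs(np.diff(delta, axis=2)).sum()  # horizontal differences
    return dh + dw

def color_reg(delta):
    """Illustrative color/magnitude penalty C(delta): squared per-pixel
    mean absolute perturbation, summed over the image (assumed form)."""
    return np.sum(np.mean(np.abs(delta), axis=0) ** 2)

def dissim(delta):
    """Illustrative channel-dissimilarity penalty: variance across the
    color channels at each pixel. A 1-channel attack (same perturbation
    applied to every channel) makes this term exactly zero."""
    return np.sum(np.var(delta, axis=0))

def penalty(delta, lam_tv=0.3, lam_c=20.0, lam_s=1.0):
    """Combined regularizer, using the table's default weights
    (lam_tv = 0.3, lam_c = 20); lam_s = 1.0 is a placeholder."""
    return (lam_tv * total_variation(delta)
            + lam_c * color_reg(delta)
            + lam_s * dissim(delta))
```

This also shows why 1-channel attacks drop the λs term: broadcasting one perturbation plane to all three channels zeroes the dissimilarity penalty by construction, leaving one-third as many free parameters to optimize.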