Certified Defenses for Adversarial Patches
Authors: Ping-yeh Chiang*, Renkun Ni*, Ahmed Abdelkader, Chen Zhu, Christoph Studer, Tom Goldstein
ICLR 2020
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | This paper studies certified and empirical defenses against patch attacks. We begin with a set of experiments showing that most existing defenses, which work by pre-processing input images to mitigate adversarial patches, are easily broken by simple white-box adversaries. Furthermore, we experiment with different patch shapes for testing, obtaining surprisingly good robustness transfer across shapes, and present preliminary results on certified defense against sparse attacks. |
| Researcher Affiliation | Academia | University of Maryland, College Park ({pchiang,rn9zm,akader,chenzhu}@cs.umd.edu); Christoph Studer, Cornell University (studer@cornell.edu); Tom Goldstein, University of Maryland, College Park (tomg@cs.umd.edu) |
| Pseudocode | No | No pseudocode or clearly labeled algorithm blocks were found in the paper. |
| Open Source Code | Yes | Our complete implementation can be found on: https://github.com/Ping-C/certifiedpatchdefense. |
| Open Datasets | Yes | 400 randomly picked images from ImageNet (Deng et al., 2009) on VGG19 (Simonyan & Zisserman, 2014). In this section, we compare our certified defenses with existing algorithms on two datasets and three model architectures of varying complexity. |
| Dataset Splits | No | The paper does not explicitly provide specific training/test/validation dataset splits with percentages, sample counts, or citations to predefined splits. It mentions training epochs and evaluating on '400 random images' but does not detail the partitioning of the main datasets (MNIST, CIFAR-10) for reproducibility beyond implicit standard splits. |
| Hardware Specification | Yes | Most training times are measured on a single 2080Ti GPU, with the exception of all-patch training which is run on four 2080Ti GPUs. |
| Software Dependencies | No | The paper mentions using 'Adam (Kingma & Ba, 2014)' as an optimizer but does not specify version numbers for any software, libraries, or programming languages used for implementation. |
| Experiment Setup | Yes | For all experiments, we are using Adam (Kingma & Ba, 2014) with a learning rate of 5e-4 for MNIST and 1e-3 for CIFAR10, and with no weight decay. We also adopt a warm-up schedule in all experiments like (Zhang et al., 2019b), where the input interval bounds start at zero and grow to [-1,1] after 61/121 epochs for MNIST/CIFAR10 respectively. We train the models for a total of 100/200 epochs for MNIST/CIFAR10, where in the first 61/121 epochs the learning rate is fixed and in the following epochs, we reduce the learning rate by one half every 10 epochs. |