Countering Adversarial Images using Input Transformations

Authors: Chuan Guo, Mayank Rana, Moustapha Cisse, Laurens van der Maaten

ICLR 2018

Reproducibility Variable | Result | LLM Response
Research Type | Experimental | Our experiments on ImageNet show that total variance minimization and image quilting are very effective defenses in practice, in particular, when the network is trained on transformed images. The strength of those defenses lies in their non-differentiable nature and their inherent randomness, which makes it difficult for an adversary to circumvent the defenses. Our best defense eliminates 60% of strong gray-box and 90% of strong black-box attacks by a variety of major attack methods.
Researcher Affiliation | Collaboration | Chuan Guo (Cornell University); Mayank Rana, Moustapha Cissé and Laurens van der Maaten (Facebook AI Research)
Pseudocode | No | The paper does not contain structured pseudocode or algorithm blocks.
Open Source Code | Yes | Code to reproduce our results is available at https://github.com/facebookresearch/adversarial_image_defenses.
Open Datasets | Yes | We performed experiments on the ImageNet image classification dataset.
Dataset Splits | No | The dataset comprises 1.2 million training images and 50,000 test images, but no explicit count or percentage for a validation set is provided in the paper.
Hardware Specification | No | The paper does not provide specific hardware details (e.g., GPU/CPU models, memory, or cloud instance specifications) used for running experiments.
Software Dependencies | No | The paper mentions using the Adam optimizer and a special-purpose solver, but does not provide specific version numbers for these or any other software dependencies such as programming languages or libraries.
Experiment Setup | Yes | To produce adversarial images like those in Figure 1, we set the normalized L2-dissimilarity for each of the attacks as follows: FGSM: increasing the step size ϵ increases the normalized L2-dissimilarity. I-FGSM: we fix M = 10, and increase ϵ to increase the normalized L2-dissimilarity. DeepFool: we fix M = 5, and increase ϵ to increase the normalized L2-dissimilarity. CW-L2: we fix κ = 0 and λf = 10, and multiply the resulting perturbation by an appropriately chosen ϵ ≥ 1 to alter the normalized L2-dissimilarity. We perform the minimization over x using the Adam optimizer (Kingma & Ba, 2014) for 100 iterations with an initial learning rate of 0.001. We fixed the hyperparameters of our defenses in all experiments: specifically, we set pixel dropout probability p = 0.5 and the regularization parameter of the total variation minimizer λTV = 0.03. We use a quilting patch size of 5x5 and a database of 1,000,000 patches that were randomly selected from the ImageNet training set. We use the nearest neighbor patch (i.e., K = 1) for experiments in Sections 5.2 and 5.3, and randomly select a patch from one of K = 10 nearest neighbors in all other experiments. In the cropping defense, we sample 30 crops of size 90x90 from the 224x224 input image, rescale the crops to 224x224, and average the model predictions over all crops.
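The total variation minimization defense from that setup, as an added example in pure Python (not code from the paper or its repository): pixels are dropped with p = 0.5 and the kept ones are used to reconstruct the image by minimizing a fidelity-plus-TV objective with Adam at the quoted learning rate of 0.001 for 100 iterations. The anisotropic TV term, its smoothing constant, and the constructed 8x8 step image with small noise standing in for a perturbation are assumptions of this example.

```python
import math
import random

# Page settings: p = 0.5, lambda_TV = 0.03, Adam at lr 0.001 for 100 iterations.
# Anisotropic TV with a smoothed absolute value is an assumption of this example.
P_DROP, LAMBDA_TV, LR, ITERS = 0.5, 0.03, 0.001, 100

def pixel_dropout_mask(h, w, p, rng):
    """Bernoulli mask: 1 keeps a pixel, 0 drops it (the random X of the defense)."""
    return [[0 if rng.random() < p else 1 for _ in range(w)] for _ in range(h)]

def objective_gradient(z, x, mask, lam):
    """Gradient of sum(mask*(z-x)^2) + lam*TV(z); TV uses |d| ~ sqrt(d^2 + 1e-8)."""
    h, w = len(z), len(z[0])
    g = [[2.0 * mask[i][j] * (z[i][j] - x[i][j]) for j in range(w)] for i in range(h)]
    for i in range(h):
        for j in range(w):
            for ni, nj in ((i + 1, j), (i, j + 1)):  # down and right neighbours
                if ni < h and nj < w:
                    d = z[i][j] - z[ni][nj]
                    s = lam * d / math.sqrt(d * d + 1e-8)
                    g[i][j] += s
                    g[ni][nj] -= s
    return g

def tv_minimize(x, mask, lam=LAMBDA_TV, lr=LR, iters=ITERS, b1=0.9, b2=0.999):
    """Reconstruct z from the kept pixels of x with Adam, starting from z = x."""
    h, w = len(x), len(x[0])
    z = [row[:] for row in x]
    m, v = [[0.0] * w for _ in range(h)], [[0.0] * w for _ in range(h)]
    for t in range(1, iters + 1):
        g = objective_gradient(z, x, mask, lam)
        for i in range(h):
            for j in range(w):
                m[i][j] = b1 * m[i][j] + (1 - b1) * g[i][j]
                v[i][j] = b2 * v[i][j] + (1 - b2) * g[i][j] ** 2
                step = (m[i][j] / (1 - b1 ** t)) / (math.sqrt(v[i][j] / (1 - b2 ** t)) + 1e-8)
                z[i][j] -= lr * step
    return z

def mse(a, b):
    return sum((p - q) ** 2 for ra, rb in zip(a, b) for p, q in zip(ra, rb)) / (len(a) * len(a[0]))

def demo(seed=0):
    """Constructed 8x8 step image plus small uniform noise standing in for a perturbation."""
    rng = random.Random(seed)
    clean = [[0.2 if j < 4 else 0.8 for j in range(8)] for _ in range(8)]
    noisy = [[c + rng.uniform(-0.05, 0.05) for c in row] for row in clean]
    mask = pixel_dropout_mask(8, 8, P_DROP, rng)
    defended = tv_minimize(noisy, mask)
    return mse(noisy, clean), mse(defended, clean)
```

The randomness of the mask is what the paper credits for making the defense hard to circumvent: a fresh mask is drawn per image, so the reconstruction is not a fixed differentiable function of the input.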