Decision Boundary Analysis of Adversarial Examples
Authors: Warren He, Bo Li, Dawn Song
ICLR 2018 | Conference PDF | Archive PDF | Plain Text | LLM Run Details
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | Additionally, we report similar experimenal results on a small subset of Image Net in Appendix D. We use two popular academic image classification datasets for our experiments: MNIST, consisting of black-and-white handwritten digits (Le Cun, 1998), and CIFAR-10, consisting of small color pictures (Krizhevsky & Hinton, 2009). |
| Researcher Affiliation | Academia | Warren He, Bo Li & Dawn Song Computer Science Division University of California, Berkeley |
| Pseudocode | No | The paper describes the algorithms and network architecture in text and diagrams (Figure 4) but does not include formal pseudocode blocks. |
| Open Source Code | Yes | We have released the code we used at https://github.com/sunblaze-ucb/ decision-boundaries. |
| Open Datasets | Yes | We use two popular academic image classification datasets for our experiments: MNIST, consisting of black-and-white handwritten digits (Le Cun, 1998), and CIFAR-10, consisting of small color pictures (Krizhevsky & Hinton, 2009). Additionally, we report similar experimenal results on a small subset of Image Net (Russakovsky et al., 2015) in Appendix D. |
| Dataset Splits | No | For MNIST, we train on 8,000 examples (each example here contains both a benign image and an adversarial image) for 32 epochs, and we test on 2,000 other examples. For CIFAR-10, we train on 350 examples for 1,462 epochs, and we test on 100 other examples. |
| Hardware Specification | Yes | In our slowest attack, on the PGD adversarially trained CIFAR-10 model, our attack takes around 8 minutes per image on a Ge Force GTX 1080. In our slowest experiment, with benign images on the PGD adversarially trained wide Res Net w32-10 CIFAR-10 model, it took around 70 seconds per image to compute decision boundary information for 1,000 directions on a Ge Force GTX 1080. |
| Software Dependencies | No | The paper mentions specific methods like 'Carlini & Wagner s L2 attack' and uses an 'Adam optimizer' and 'dropout', but does not provide specific software dependency names with version numbers (e.g., TensorFlow 2.x, PyTorch 1.x). |
| Experiment Setup | Yes | In our OPTMARGIN attack, we create a surrogate model of the region classifier, which classifies a smaller number of perturbed input points. We use 20 classifiers in the attacker s ensemble... We train with an Adam optimizer with a batch size of 128 and a learning rate of 0.001. For MNIST, we train on 8,000 examples (each example here contains both a benign image and an adversarial image) for 32 epochs, and we test on 2,000 other examples. |