Demystifying the Adversarial Robustness of Random Transformation Defenses
Authors: Chawin Sitawarin, Zachary J Golan-Strieb, David Wagner
ICML 2022
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | First, we show that the BPDA attack (Athalye et al., 2018a) used in BaRT's evaluation is ineffective and likely overestimates its robustness. We then attempt to construct the strongest possible RT defense through the informed selection of transformations and Bayesian optimization for tuning their parameters. Furthermore, we create the strongest possible attack to evaluate our RT defense. Our new attack vastly outperforms the baseline, reducing the accuracy by 83% compared to the 19% reduction by the commonly used EoT attack (4.3× improvement). Our result indicates that the RT defense on the Imagenette dataset (a ten-class subset of ImageNet) is not robust against adversarial examples. Extending the study further, we use our new attack to adversarially train the RT defense (called AdvRT), resulting in a large robustness gain. Code is available at https://github.com/wagnergroup/demystify-random-transform. |
| Researcher Affiliation | Academia | 1Department of Electrical Engineering and Computer Sciences, University of California, Berkeley, Berkeley CA, USA. |
| Pseudocode | Yes | Algorithm 1 Our best attack on RT defenses |
| Open Source Code | Yes | Code is available at https://github.com/wagnergroup/demystify-random-transform. |
| Open Datasets | Yes | Our experiments use two datasets: CIFAR-10 and Imagenette (Howard, 2021), a ten-class subset of ImageNet. |
| Dataset Splits | Yes | All models are trained for 70 epochs, and we save the weights with the highest accuracy on the held-out validation data (which does not overlap with the training or test set). |
| Hardware Specification | Yes | one BO run still takes approximately two days to complete on two GPUs (Nvidia GeForce GTX 1080 Ti). |
| Software Dependencies | No | The paper mentions software tools like "Ray Tune library" and a "Bayesian optimization tool implemented by Nogueira (2014)" but does not specify version numbers for any software dependencies. |
| Experiment Setup | Yes | In all of the experiments, we use a learning rate of 0.05, batch size of 128, and weight decay of 0.0005. We use a cosine annealing schedule (Loshchilov & Hutter, 2017) for the learning rate with a period of 10 epochs which doubles after every period. All models are trained for 70 epochs, and we save the weights with the highest accuracy on the held-out validation data (which does not overlap with the training or test set). |
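The training schedule quoted in the Experiment Setup row is cosine annealing with warm restarts (SGDR, Loshchilov & Hutter, 2017): a first period of 10 epochs whose length doubles at every restart. Worth checking when reproducing the paper: 10 + 20 + 40 = 70, so the 70-epoch budget ends exactly at the third restart boundary, with the learning rate peaking at 0.05 at epochs 0, 10 and 30 and decaying to nearly zero by epoch 69. The following is an added example, not code from the paper or from the wagnergroup repository; it assumes a minimum learning rate of 0 (the paper does not state a floor) and that "doubles after every period" is the standard SGDR `T_mult = 2` rule.

```python
import math

# Hyperparameters quoted from the paper's experiment setup.
BASE_LR = 0.05
PERIOD_0 = 10        # first cosine period, in epochs
PERIOD_MULT = 2      # period doubles after every restart (assumed SGDR T_mult)
TOTAL_EPOCHS = 70
ETA_MIN = 0.0        # assumption: the paper does not state a minimum learning rate


def cycle_boundaries(total_epochs, t0=PERIOD_0, t_mult=PERIOD_MULT):
    """Epochs at which each cosine period ends, i.e. the warm-restart points.

    The last entry may exceed total_epochs if the budget cuts a period short.
    """
    ends, end, period = [], 0, t0
    while end < total_epochs:
        end += period
        ends.append(end)
        period *= t_mult
    return ends


def sgdr_lr(epoch, base_lr=BASE_LR, t0=PERIOD_0, t_mult=PERIOD_MULT, eta_min=ETA_MIN):
    """Learning rate at the start of `epoch` under cosine annealing with warm restarts.

    Within a period of length T_i, with T_cur epochs elapsed since the last restart:
        lr = eta_min + 0.5 * (base_lr - eta_min) * (1 + cos(pi * T_cur / T_i))
    """
    if epoch < 0:
        raise ValueError("epoch must be non-negative")
    cycle_start, period = 0, t0
    # Walk forward through periods until we find the one containing `epoch`.
    while epoch >= cycle_start + period:
        cycle_start += period
        period *= t_mult
    t_cur = epoch - cycle_start
    return eta_min + 0.5 * (base_lr - eta_min) * (1 + math.cos(math.pi * t_cur / period))


def schedule(total_epochs=TOTAL_EPOCHS):
    """Per-epoch learning rates for the whole run."""
    return [sgdr_lr(e) for e in range(total_epochs)]


def budget_ends_on_restart(total_epochs=TOTAL_EPOCHS):
    """True iff the epoch budget is an exact sum of whole periods (70 = 10 + 20 + 40)."""
    return cycle_boundaries(total_epochs)[-1] == total_epochs


if __name__ == "__main__":
    print("restart boundaries:", cycle_boundaries(TOTAL_EPOCHS))
    for e in (0, 5, 9, 10, 20, 29, 30, 50, 69):
        print(f"epoch {e:2d}: lr = {sgdr_lr(e):.6f}")
    print("70 epochs is a whole number of periods:", budget_ends_on_restart())
```

Because the learning rate jumps back to 0.05 at epochs 10 and 30, validation accuracy typically dips right after each restart and recovers late in each period; that is why the paper's rule of keeping the checkpoint with the best held-out validation accuracy, rather than the final weights, matters for reproducing its numbers. A budget such as 60 epochs would stop mid-period (the schedule would end at a non-trivial learning rate), which `budget_ends_on_restart(60)` flags as False.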