DensePure: Understanding Diffusion Models for Adversarial Robustness
Authors: Chaowei Xiao, Zhongzhu Chen, Kun Jin, Jiongxiao Wang, Weili Nie, Mingyan Liu, Anima Anandkumar, Bo Li, Dawn Song
ICLR 2023
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | We conduct extensive experiments to demonstrate the effectiveness of DensePure by evaluating its certified robustness given a standard model via randomized smoothing. We show that DensePure is consistently better than existing methods on ImageNet, with 7% improvement on average. |
| Researcher Affiliation | Collaboration | Chaowei Xiao (1,3), Zhongzhu Chen (2), Kun Jin (2), Jiongxiao Wang (1), Weili Nie (3), Mingyan Liu (2), Anima Anandkumar (3,4), Bo Li (5), Dawn Song (6). Affiliations: 1 ASU, 2 University of Michigan, Ann Arbor, 3 NVIDIA, 4 Caltech, 5 UIUC, 6 UC Berkeley |
| Pseudocode | Yes | We provide the pseudo code of DensePure in Algo. 1 and Alg. 2 |
| Open Source Code | Yes | Project page: https://densepure.github.io/. |
| Open Datasets | Yes | We conduct extensive experiments on ImageNet and CIFAR-10 datasets under different settings to evaluate the certifiable robustness of DensePure. In particular, we follow the setting from Carlini et al. (2022) and rely on randomized smoothing to certify the robustness of the adversarial perturbations bounded in the L2-norm. |
| Dataset Splits | Yes | We select ViT-B/16 model Dosovitskiy et al. (2020) pretrained on ImageNet-21k and finetuned on CIFAR-10 as the classifier, which could achieve 97.9% accuracy on CIFAR-10. For ImageNet, we use the unconditional 256×256 guided diffusion model from Dhariwal & Nichol (2021) as the diffusion model and pretrained BEiT large model (Bao et al., 2021) trained on ImageNet-21k as the classifier, which could achieve 88.6% top-1 accuracy on validation set of ImageNet-1k. |
| Hardware Specification | No | The paper does not provide specific details about the hardware (e.g., CPU, GPU models) used for running the experiments. |
| Software Dependencies | No | The paper does not provide specific version numbers for software dependencies or libraries used in the experiments. |
| Experiment Setup | Yes | We select three different noise levels σ ∈ {0.25, 0.5, 1.0} for certification. For the parameters of DensePure, we set K = 40 and b = 10 except the results in ablation study. The sampling numbers when computing the certified radius are n = 100,000 for CIFAR-10 and n = 10,000 for ImageNet. |