Effective and Efficient Vote Attack on Capsule Networks
Authors: Jindong Gu, Baoyuan Wu, Volker Tresp
ICLR 2021
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | Extensive experiments demonstrate the superior attack performance of our vote attack on CapsNets. |
| Researcher Affiliation | Collaboration | Jindong Gu (1,4), Baoyuan Wu (2,3), Volker Tresp (1,4). (1) University of Munich, Germany; (2) The Chinese University of Hong Kong, Shenzhen, China; (3) Shenzhen Research Institute of Big Data, Shenzhen, China; (4) Corporate Technology, Siemens AG, Munich, Germany |
| Pseudocode | No | The paper includes mathematical equations for processes like voting and routing (e.g., Equation 1 and 2), but it does not provide any explicitly labeled pseudocode or algorithm blocks. |
| Open Source Code | No | The paper does not contain any explicit statements or links indicating that source code for the described methodology is publicly available. |
| Open Datasets | Yes | Datasets: The popular datasets CIFAR10 (Krizhevsky et al., 2009) and SVHN (Netzer et al., 2011) are used in this experiment. [...] We also conduct experiments on AffNIST dataset. In this experiment, the original CapsNet architecture and the original CNN baseline in (Sabour et al., 2017) are used. The models are trained on standard MNIST dataset and tested on AffNIST dataset. |
| Dataset Splits | Yes | Following (Qin et al., 2020), we set θ as 95th percentile of reconstruction errors of benign validation images, namely, 5% False positive rate. |
| Hardware Specification | Yes | A single Nvidia V100 GPU is used. |
| Software Dependencies | No | The hyper-parameters mainly follow the Foolbox tool (Rauber et al., 2017). (No version specified for Foolbox or other software). |
| Experiment Setup | Yes | We train CNNs and CapsNets with the same standard training scheme where the models are trained with a batch size of 256 for 80 epochs using SGD with an initial learning rate of 0.1 and moment 0.9. The learning rate is set to 0.01 from the 50-th epoch. [...] For ℓ -based attacks, the perturbation range is 0.031 (CIFAR10) and 0.047 (SVHN) for pixels ranging in [0, 1]. For ℓ2-based attacks, the ℓ2 norm of the allowed maximal perturbation is 1.0 for both datasets. |