Eliminating Adversarial Noise via Information Discard and Robust Representation Restoration
Authors: Dawei Zhou, Yukun Chen, Nannan Wang, Decheng Liu, Xinbo Gao, Tongliang Liu
ICML 2023
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | Experimental results show that our method has competitive performance against white-box attacks and effectively reverses the negative effect of denoising models. Quantitative experiments on white-box and adaptive attacks were performed. The results showed that the proposed method effectively defended against adversarial noise and handled the robustness degradation effect. Multiple ablation studies were conducted to comprehensively demonstrate the effectiveness of information discard and robust representation restoration. |
| Researcher Affiliation | Academia | (1) School of Telecommunications Engineering, State Key Laboratory of Integrated Services Networks, Xidian University, Xi'an, Shaanxi, China; (2) Chongqing Key Laboratory of Image Cognition, Chongqing University of Posts and Telecommunications, Chongqing, China; (3) Mohamed bin Zayed University of Artificial Intelligence, Masdar City, Abu Dhabi, United Arab Emirates; (4) University of Sydney, Darlington, NSW, Australia. |
| Pseudocode | Yes | Algorithm 1 Defensive denoising model based on information discarding and robust representation restoration (DIR). |
| Open Source Code | Yes | The code can be found in https://github.com/chenyyyykun/DIR. |
| Open Datasets | Yes | In this work, we conducted experiments on the SVHN (Netzer et al., 2011) and CIFAR-10 (Krizhevsky et al., 2009) datasets. |
| Dataset Splits | No | The paper mentions training and testing, but does not explicitly detail validation splits. It states: "We used standard AT strategy to train the target model and utilized this target model to participate in the training of the denoising model." |
| Hardware Specification | No | The paper does not specify the hardware used for experiments, such as GPU models, CPU types, or memory. |
| Software Dependencies | No | The paper mentions using SGD and standard AT strategies but does not provide specific version numbers for software dependencies or libraries. |
| Experiment Setup | Yes | The learning rate was initially set to 10^−2, which is divided by 10 at the 75th and 90th epoch. The epoch for the pre-processing process was 20. Referring to the early stopping strategy (Rice et al., 2020), the epoch number was set to 90 and the hyperparameter α is set to 2.0. The attack used in all methods was PGD attack (Madry et al., 2018) with a perturbation budget of 8/255, a step number of 5 (for faster training), and a step size of 2/255. |