First-Order Adversarial Vulnerability of Neural Networks and Input Dimension
Authors: Carl-Johann Simon-Gabriel, Yann Ollivier, Leon Bottou, Bernhard Schölkopf, David Lopez-Paz
ICML 2019
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | Section 4 empirically verifies the validity of the first-order Taylor approximation made in (2) and the correspondence between gradient regularization and adversarial augmentation (Fig. 1). Section 4.2 analyzes the dimension dependence of the average gradient norms and adversarial vulnerability after usual and robust training. |
| Researcher Affiliation | Collaboration | Empirical Inference Department, Max Planck Institute for Intelligent Systems, Tübingen, Germany; Facebook AI Research, Paris/New York. |
| Pseudocode | No | The paper describes methods and formulas but does not include structured pseudocode or algorithm blocks. |
| Open Source Code | Yes | Code available at https://github.com/facebookresearch/AdversarialAndDimensionality. |
| Open Datasets | Yes | We train several CNNs with the same architecture to classify CIFAR-10 images (Krizhevsky, 2009). |
| Dataset Splits | No | The paper mentions training on CIFAR-10 images and evaluating on a 'held-out test-set', but does not explicitly describe a separate validation set split or its details. |
| Hardware Specification | No | The paper does not provide specific hardware details such as GPU models, CPU models, or memory specifications used for running experiments. |
| Software Dependencies | No | The paper mentions software such as the Foolbox package and SciPy, but does not provide version numbers for these or other dependencies. |
| Experiment Setup | Yes | Section 4.1 uses an attack threshold ϵ = 0.5% of the pixel range (invisible to humans), with PGD attacks from the Foolbox package (Rauber et al., 2017). Section 4.2 uses self-coded PGD attacks with random start and ϵ = 0.08%. As a safety check, other attacks were tested as well (see App. 4.1 & Fig. 4), but results remained essentially unchanged. Note that these attack thresholds ϵ should not be confused with the regularization strengths ϵ appearing in (4) and (5), which are varied. The datasets were normalized (σ ≈ 0.2), and all regularization values ϵ are reported in these normalized units (i.e., multiply by 0.2 to compare with 0–1 pixel values). All nets had the same number of parameters and very similar structure across input resolutions (see Appendix G.1). Hedged sketches of the gradient penalty and the PGD attack referenced here follow the table. |
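
The regularization strengths ϵ appearing in (4) and (5) penalize the norm of the loss gradient with respect to the input, which the paper relates to adversarial augmentation to first order. Below is a minimal PyTorch sketch of such a gradient-norm penalty on image-shaped inputs; it is an illustration, not the authors' released code, and the helper name `gradient_regularized_loss`, the ℓ1 choice of norm, and the default `eps_reg` are assumptions.

```python
import torch
import torch.nn.functional as F


def gradient_regularized_loss(model, x, y, eps_reg=0.1):
    """Cross-entropy plus eps_reg times the per-example l1-norm of the input gradient.

    Illustrative sketch of first-order gradient regularization; eps_reg plays the
    role of the regularization strength epsilon that the experiments vary.
    """
    x = x.clone().requires_grad_(True)
    loss = F.cross_entropy(model(x), y)
    # create_graph=True keeps the input gradient differentiable ("double backprop"),
    # so the penalty itself can be minimized by the optimizer.
    (grad_x,) = torch.autograd.grad(loss, x, create_graph=True)
    penalty = grad_x.abs().flatten(start_dim=1).sum(dim=1).mean()
    return loss + eps_reg * penalty
```

The double-backpropagation step roughly doubles the cost of a training iteration, which is the usual trade-off of gradient-penalty training compared to plain cross-entropy.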
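
Section 4.2 evaluates with self-coded ℓ∞ PGD attacks using a random start at ϵ = 0.08% of the pixel range. The following self-contained PyTorch sketch shows such an attack under the assumption of inputs in [0, 1]; the step count and step-size rule are illustrative choices, not values taken from the paper.

```python
import torch
import torch.nn.functional as F


def pgd_linf(model, x, y, eps=0.0008, steps=20, alpha=None):
    """L-inf PGD with random start inside the eps-ball (inputs assumed in [0, 1]).

    eps=0.0008 corresponds to roughly 0.08% of a 0-1 pixel range, as reported
    for Section 4.2; steps and alpha are illustrative defaults.
    """
    if alpha is None:
        alpha = 2.5 * eps / steps  # common heuristic step size
    delta = torch.empty_like(x).uniform_(-eps, eps)  # random start in the eps-ball
    delta.requires_grad_(True)
    for _ in range(steps):
        loss = F.cross_entropy(model((x + delta).clamp(0, 1)), y)
        (grad,) = torch.autograd.grad(loss, delta)
        with torch.no_grad():
            delta += alpha * grad.sign()  # ascend the loss
            delta.clamp_(-eps, eps)       # project back into the eps-ball
    return (x + delta).detach().clamp(0, 1)
```

A Foolbox-based evaluation (as in Section 4.1) would instead wrap the model, e.g. with `foolbox.PyTorchModel`, and run one of its `LinfPGD`-style attacks at the chosen epsilons; the sketch above mirrors the self-coded variant to stay free of library-version details.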