Fundamental Tradeoffs between Invariance and Sensitivity to Adversarial Perturbations
Authors: Florian Tramer, Jens Behrmann, Nicholas Carlini, Nicolas Papernot, Joern-Henrik Jacobsen
ICML 2020
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | We introduce new algorithms to craft ℓp-bounded invariance-based adversarial examples, and illustrate the above tradeoff on MNIST. We show that state-of-the-art robust models disagree with human labelers on many of our crafted invariance-based examples, and that the disagreement rate is higher the more robust a model is. We conducted a human study to evaluate whether our invariance adversarial examples are indeed successful, i.e., whether humans agree that the label has been changed. |
| Researcher Affiliation | Collaboration | Stanford University; University of Bremen; Google Brain; Vector Institute and University of Toronto. |
| Pseudocode | Yes | The high-level algorithm we use is in Algorithm 1 and described below. It is simple, albeit tailored to datasets where comparing images in pixel space is meaningful, like MNIST. Algorithm 1, $\mathrm{GenInv}(x, y, X, \mathcal{T})$: $S = \{\hat{x} : (\hat{x}, \hat{y}) \in X,\ \hat{y} \neq y\}$; $X^{*} = \{t(\hat{x}) : t \in \mathcal{T},\ \hat{x} \in S\}$; return $x^{*} = \arg\min_{\hat{x} \in X^{*}} \lVert \hat{x} - x \rVert$. |
| Open Source Code | Yes | Code to reproduce our attacks is available at https://github.com/ftramer/Excessive-Invariance. |
| Open Datasets | Yes | We elect to study MNIST, the only dataset for which strong robustness to various ℓp-bounded perturbations is attainable with current techniques (Madry et al., 2017; Schott et al., 2019). |
| Dataset Splits | No | The paper mentions the use of the MNIST test set but does not provide specific details on training, validation, or test dataset splits (e.g., percentages, sample counts, or predefined split citations) needed for full reproduction of data partitioning. |
| Hardware Specification | No | The paper does not provide specific hardware details (e.g., exact GPU/CPU models, memory amounts, or detailed computer specifications) used for running its experiments. |
| Software Dependencies | No | The paper does not provide specific ancillary software details (e.g., library or solver names with version numbers) needed to replicate the experiment. |
| Experiment Setup | No | The paper does not contain specific experimental setup details such as concrete hyperparameter values (e.g., learning rate, batch size, number of epochs) or detailed training configurations in the main text. |