Hindering Adversarial Attacks with Implicit Neural Representations
Authors: Andrei A Rusu, Dan Andrei Calian, Sven Gowal, Raia Hadsell
ICML 2022
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | We introduce the Lossy Implicit Network Activation Coding (LINAC) defence, an input transformation which successfully hinders several common adversarial attacks on CIFAR-10 classifiers for perturbations up to ϵ = 8/255 in L∞ norm and ϵ = 0.5 in L2 norm. |
| Researcher Affiliation | Industry | DeepMind, London, UK. Correspondence to: Andrei A. Rusu <andrei@deepmind.com>. |
| Pseudocode | Yes | We provide pseudocode for the LINAC transform in Algorithm 1 and a discussion of computational and memory requirements in Appendix A.1.4. |
| Open Source Code | No | (*) Source code will be released before acceptance. |
| Open Datasets | Yes | We introduce the Lossy Implicit Network Activation Coding (LINAC) defence, an input transformation which successfully hinders several common adversarial attacks on CIFAR-10 classifiers |
| Dataset Splits | No | The paper mentions using CIFAR-10 training and test sets but does not explicitly provide specific numerical percentages or sample counts for training, validation, and test splits, nor does it cite a predefined split. |
| Hardware Specification | No | The paper mentions 'modern SIMD devices' and references to computational cost comparable to 'WideResNet-70-16' inference, but does not provide specific hardware details such as GPU or CPU models, or memory specifications used for the experiments. |
| Software Dependencies | No | The paper mentions software libraries like JAX and NumPy by citing their respective papers, but it does not provide specific version numbers for these dependencies. |
| Experiment Setup | Yes | Fitting the parameters of the implicit neural network was done using Adam (Kingma & Ba, 2015), with default parameters and a learning rate µ = 0.001. We used mini-batches with M = 32 random pixels and trained for N = 10 epochs. An epoch constitutes a pass through the entire set of pixels in the input image with dimensions I × J × C = 32 × 32 × 3 in random order. The total number of optimisation steps performed was 320. A cosine learning rate decay schedule was used for better convergence, with the minimum value of the multiplier α = 0.0001 (Loshchilov & Hutter, 2016). (...) Training was performed with Nesterov Momentum SGD (Tieleman & Hinton, 2012) m = 0.9, using mini-batches of size 1024, for a total of 1000 epochs, or 48880 parameter updates. The initial learning rate was µ = 0.4, reduced by a factor of 10 four times, at epochs: 650, 800, 900 and 950. We performed a hyper-parameter sweep over the weight-decay scale with the following grid: {0., 0.0001, 0.0005, 0.0010}. |