Holistic Adversarially Robust Pruning
Authors: Qi Zhao, Christian Wressnegger
ICLR 2023
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | We evaluate HARP on two small-scale datasets, CIFAR-10 (Krizhevsky et al.) and SVHN (Netzer et al., 2011). While the first is balanced, the second is not. Consequently, we use accuracy (ACC) as performance measure for the former, and the balanced accuracy (BACC) for the latter (Brodersen et al., 2010). Each dataset is learned with a VGG16 (Simonyan & Zisserman, 2015) and ResNet18 (He et al., 2016) model. Additionally, we show the performance on the large-scale, balanced ImageNet dataset (Deng et al., 2009) trained with a ResNet50 network. (See the metric sketch after the table.) |
| Researcher Affiliation | Academia | Qi Zhao and Christian Wressnegger KASTEL Security Research Labs, Karlsruhe Institute of Technology, Germany |
| Pseudocode | Yes | Algorithm 1 presents the complete implementation of HARP. |
| Open Source Code | Yes | For the sake of reproducibility and to foster future research, we make the implementation of HARP for holistic adversarially robust pruning publicly available at: https://intellisec.de/research/harp |
| Open Datasets | Yes | We evaluate HARP on two small-scale datasets, CIFAR-10 (Krizhevsky et al.) and SVHN (Netzer et al., 2011). Additionally, we show the performance on the large-scale, balanced ImageNet dataset (Deng et al., 2009) trained with a ResNet50 network. |
| Dataset Splits | No | The paper details its training and testing procedures, including 'All attacks are carried out on the respective complete test dataset.' However, it does not explicitly mention the use of a distinct validation set or specify a train/validation/test split. |
| Hardware Specification | Yes | We have conducted all our experiments on Nvidia RTX-3090 GPU cards and have consumed about 10,198 GPU hours in total. |
| Software Dependencies | No | The paper describes various adversarial training methods (PGD-AT, TRADES-AT, MART-AT) and optimization techniques (stochastic gradient descent with a cosine learning-rate schedule, weight decay). However, it does not specify exact version numbers for any software libraries, frameworks (e.g., PyTorch, TensorFlow), or programming languages used. |
| Experiment Setup | Yes | We apply γ = 0.01 for small-scale datasets, and increase γ to 0.1 for ImageNet to guarantee reaching the target compression rate. In the pruning and fine-tuning phase of HARP, we train for 20 epochs and 100 epochs, respectively. For each, we use ℓ∞ PGD-10 attacks with random initialization and a perturbation strength ϵ = 8/255 with step size α = 2/255. We adopt stochastic gradient descent with a cosine learning-rate schedule (Loshchilov & Hutter, 2016) and a weight decay of 0.0005 (Pang et al., 2021). For TRADES and MART, we follow the originally proposed regularization of λ = 6.0 and λ = 5.0, respectively. (See the attack/optimizer sketch after the table.) |
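
The paper reports accuracy (ACC) on the balanced CIFAR-10 and balanced accuracy (BACC) on the imbalanced SVHN. The following minimal sketch, not taken from the paper's code, illustrates the difference between the two measures on a toy imbalanced label set using scikit-learn:

```python
# Hypothetical sketch: accuracy vs. balanced accuracy (mean per-class recall),
# the two measures reported for CIFAR-10 (balanced) and SVHN (imbalanced).
import numpy as np
from sklearn.metrics import accuracy_score, balanced_accuracy_score

y_true = np.array([0, 0, 0, 0, 1, 1])   # imbalanced toy labels
y_pred = np.array([0, 0, 0, 0, 0, 1])   # predictions favouring the majority class

acc = accuracy_score(y_true, y_pred)            # fraction of correct predictions
bacc = balanced_accuracy_score(y_true, y_pred)  # average of per-class recalls
print(f"ACC = {acc:.2f}, BACC = {bacc:.2f}")    # ACC = 0.83, BACC = 0.75
```

On imbalanced data such as SVHN, BACC penalizes classifiers that simply favour the majority class, which plain accuracy does not.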
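
The experiment-setup row quotes the attack and optimizer settings (ℓ∞ PGD-10 with random initialization, ϵ = 8/255, α = 2/255, SGD with cosine learning-rate schedule and weight decay 0.0005). The sketch below shows how these settings translate into a standard PyTorch setup; it is an illustration under those quoted hyperparameters, not the HARP implementation, and names such as `pgd_10`, `model`, and `epochs` are placeholders.

```python
# Minimal sketch of the quoted attack/optimizer settings, assuming a standard
# PyTorch training loop; not taken from the HARP code base.
import torch
import torch.nn.functional as F

EPS, ALPHA, STEPS = 8 / 255, 2 / 255, 10   # l-inf budget, step size, PGD-10

def pgd_10(model, x, y):
    """l_inf PGD with random initialization, as described in the setup."""
    delta = torch.empty_like(x).uniform_(-EPS, EPS)      # random start in the eps-ball
    delta = (x + delta).clamp(0, 1) - x                   # keep inputs in [0, 1]
    for _ in range(STEPS):
        delta.requires_grad_(True)
        loss = F.cross_entropy(model(x + delta), y)
        grad, = torch.autograd.grad(loss, delta)
        delta = (delta + ALPHA * grad.sign()).clamp(-EPS, EPS).detach()
        delta = (x + delta).clamp(0, 1) - x               # re-project to valid images
    return (x + delta).detach()

# Optimizer and schedule as quoted: SGD, weight decay 0.0005, cosine learning rate.
# lr and momentum values below are illustrative assumptions, not from the paper.
# optimizer = torch.optim.SGD(model.parameters(), lr=0.01,
#                             momentum=0.9, weight_decay=5e-4)
# scheduler = torch.optim.lr_scheduler.CosineAnnealingLR(optimizer, T_max=epochs)
```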