Improved Gradient-Based Adversarial Attacks for Quantized Networks

Authors: Kartik Gupta, Thalaiyasingam Ajanthan; pp. 6810-6818

AAAI 2022

| Reproducibility Variable | Result | LLM Response |
| --- | --- | --- |
| Research Type | Experimental | experiments on multiple image classification datasets with multiple network architectures demonstrate that our temperature scaled attacks obtain near-perfect success rate on quantized networks while outperforming original attacks on adversarially trained models as well as floating-point networks. With experimental evaluations using several network architectures on CIFAR-10/100 datasets, we show that our proposed techniques to modify existing gradient based adversarial attacks achieve near perfect success rate on BNNs with weight quantized (BNN-WQ) and weight and activation quantized (BNN-WAQ). |
| Researcher Affiliation | Collaboration | Kartik Gupta (1,3), Thalaiyasingam Ajanthan (1,2); (1) Australian National University, (2) Amazon Science, (3) DATA61-CSIRO |
| Pseudocode | Yes | We provide the pseudocode for our proposed PGD++ (NJS) attack in Section A of Appendix. Similar approach can also be applied for FGSM++. |
| Open Source Code | Yes | Open-source implementation available at https://github.com/kartikgupta-at-anu/attack-bnn. |
| Open Datasets | Yes | experiments on multiple image classification datasets with multiple network architectures demonstrate that our temperature scaled attacks obtain near-perfect success rate on quantized networks while outperforming original attacks on adversarially trained models as well as floating-point networks. experimental evaluations using several network architectures on CIFAR-10/100 datasets |
| Dataset Splits | No | The paper mentions using the 'test set' for evaluation but does not provide specific percentages or counts for training, validation, and test splits needed to reproduce the experiment, nor does it explicitly mention a 'validation' split. |
| Hardware Specification | No | The paper does not provide specific hardware details such as GPU or CPU models, processor types, or memory amounts used for running its experiments. |
| Software Dependencies | No | The paper mentions the use of 'Foolbox' and implies deep learning frameworks, but it does not specify version numbers for any software, libraries, or dependencies used to run the experiments, making it not reproducible in terms of software environment. |
| Experiment Setup | Yes | We start by evaluating the adversarial accuracy (i.e. accuracy on the perturbed data) of BNNs using the PGD attack with perturbation bound of 8 pixels (assuming each pixel in the image is in [0, 255]) with respect to L norm, step size η = 2 and the total number of iterations T = 20. The attack details are the same in all evaluated settings unless stated otherwise. For our HNS variant, we sweep β from a range such that the hessian norm is maximized for each image, as explained in Appendix. For our NJS variant, we set the value of ρ = 0.01. We use state of the art models trained for binary quantization (where all layers are quantized) for our experimental evaluations. We provide adversarial attack parameters used for FGSM/PGD in Table ?? of Appendix and for other attacks, we use default parameters used in Foolbox (Rauber, Brendel, and Bethge 2017). |