Improving Adversarial Robustness via Information Bottleneck Distillation

Authors: Huafeng Kuang, Hong Liu, Yongjian Wu, Shin'ichi Satoh, Rongrong Ji

NeurIPS 2023

| Reproducibility Variable | Result | LLM Response |
| --- | --- | --- |
| Research Type | Experimental | We conduct extensive experiments to evaluate our approach's robustness against state-of-the-art adversarial attackers such as PGD-attack and AutoAttack. Our experimental results demonstrate the effectiveness of our approach in significantly improving adversarial robustness. Our code is available at https://github.com/SkyKuang/IBD. |
| Researcher Affiliation | Collaboration | (1) Key Laboratory of Multimedia Trusted Perception and Efficient Computing, Ministry of Education of China, Xiamen University, 361005, P.R. China; (2) National Institute of Informatics, Tokyo, 101-8430, Japan; (3) Youtu Laboratory, Tencent, Shanghai, 200233, China |
| Pseudocode | No | The paper does not contain any structured pseudocode or algorithm blocks. |
| Open Source Code | Yes | Our code is available at https://github.com/SkyKuang/IBD. |
| Open Datasets | Yes | We conduct our experiments on three benchmark datasets including CIFAR10, CIFAR-100 [36] and ImageNet [17]. |
| Dataset Splits | Yes | We conduct our experiments on three benchmark datasets including CIFAR10, CIFAR-100 [36] and ImageNet [17]. The best checkpoint is selected based on the performance under the PGD-10 attack. |
| Hardware Specification | No | The paper does not provide specific details about the hardware (e.g., GPU/CPU models, memory) used for running the experiments. It only mentions general training settings like 'We train all models with the SGD optimizer...' |
| Software Dependencies | No | The paper mentions "Our implementation is based on PyTorch", but it does not specify the version number for PyTorch or any other software dependencies, making it not fully reproducible regarding software. |
| Experiment Setup | Yes | The initial learning rate is 0.1 with a piece-wise schedule which is divided by 10 at epochs 100 and 150 for a total number of 200 training epochs, similar to [47]. We train all models with the SGD optimizer with a momentum of 0.9, weight decay of 0.0005, and a batch size of 128. We use ResNet-18 as the student model for most experiments by default, unless otherwise stated. We adopt the common setting that the ℓ threat model with radius 8/255, with the PGD attack taking 10 steps of size 2/255. In addition, we performed standard data augmentation, including random crops and random horizontal flips during training. For the hyper-parameter, we set α = 0.9 and β = 0.8 based on our ablation studies. |