Is Adversarial Training Really a Silver Bullet for Mitigating Data Poisoning?
Authors: Rui Wen, Zhengyu Zhao, Zhuoran Liu, Michael Backes, Tianhao Wang, Yang Zhang
ICLR 2023
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | We conduct extensive experiments to demonstrate the effectiveness of EntF against AT in the reasonable setting with ϵ_adv = ϵ_poi and also its generalizability to a variety of more challenging settings, such as AT with higher budgets, partial poisoning, unseen model architectures, and stronger (ensemble or adaptive) defenses. We use three image classification benchmark datasets: CIFAR-10, CIFAR-100, and Tiny ImageNet. |
| Researcher Affiliation | Academia | Rui Wen1, Zhengyu Zhao1, Zhuoran Liu2, Michael Backes1, Tianhao Wang3, Yang Zhang1 1CISPA Helmholtz Center for Information Security, 2Radboud University, 3University of Virginia |
| Pseudocode | No | The paper does not contain any structured pseudocode or algorithm blocks. |
| Open Source Code | Yes | Our code is available at https://github.com/WenRuiUSTC/EntF. |
| Open Datasets | Yes | We use three image classification benchmark datasets: CIFAR-10, CIFAR-100, and Tiny ImageNet. These datasets have been commonly used in the poisoning literature. |
| Dataset Splits | No | The paper mentions using the CIFAR-10, CIFAR-100, and Tiny ImageNet datasets, but does not explicitly provide information on how the data was split into training, validation, and test sets (e.g., percentages or sample counts). |
| Hardware Specification | Yes | All experiments are performed on an NVIDIA DGX-A100 server. |
| Software Dependencies | No | The paper mentions using SGD optimizer and PGD, but does not provide specific version numbers for any software libraries, frameworks (like PyTorch or TensorFlow), or other dependencies. |
| Experiment Setup | Yes | All reference and target models are trained for 100 epochs using the SGD optimizer with an initial learning rate of 0.1 that is decayed by a factor of 0.1 at the 75th and 90th training epochs. The optimizer is set with momentum 0.9 and weight decay 5×10^-4. The inner maximization (i.e., generation of adversarial examples) of the adversarial training is solved by 10-step PGD with a step size of 2/255. |
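The Experiment Setup row pins down two pieces that a reproduction has to get right: the step learning-rate schedule (0.1, decayed by 0.1 at epochs 75 and 90) and the 10-step L_inf PGD used for the inner maximization of adversarial training. The following is an added example, not code from the page or from the authors' EntF repository, that implements both in NumPy against a constructed logistic classifier standing in for the network. The L_inf budget ϵ = 8/255 and the random start inside the ϵ-ball are assumptions (the row gives only the step count and step size), and the classifier weights and the "image" are constructed inputs.

```python
"""Step LR schedule and 10-step L_inf PGD matching the setup quoted above.

Added example: the logistic model, its weights and the input are constructed
stand-ins; eps = 8/255 and the random start are assumptions not stated on the page.
"""
import numpy as np

# Hyperparameters quoted in the Experiment Setup row
INITIAL_LR = 0.1
LR_DECAY = 0.1
MILESTONES = (75, 90)
PGD_STEPS = 10
PGD_STEP_SIZE = 2 / 255
# Assumption: the L_inf budget is not given in this section; 8/255 is the usual CIFAR choice.
EPSILON = 8 / 255


def learning_rate(epoch: int) -> float:
    """lr = 0.1 * 0.1^(number of milestones already reached), i.e. 0.1 / 0.01 / 0.001."""
    return INITIAL_LR * LR_DECAY ** sum(epoch >= m for m in MILESTONES)


def loss_and_grad(w, b, x, y):
    """Logistic loss of a linear classifier and its gradient with respect to the input x."""
    z = w @ x + b
    p = 1.0 / (1.0 + np.exp(-z))
    loss = -(y * np.log(p + 1e-12) + (1 - y) * np.log(1 - p + 1e-12))
    grad_x = (p - y) * w          # d loss / d x for a linear model
    return loss, grad_x


def pgd_linf(w, b, x, y, eps=EPSILON, step=PGD_STEP_SIZE, steps=PGD_STEPS, rng=None):
    """Inner maximization: L_inf PGD with sign-gradient ascent steps.

    Each step moves every pixel by +/- step in the direction that increases the loss,
    then projects back onto the eps-ball around x and onto the valid pixel range [0, 1].
    Random start inside the eps-ball is an assumption (standard for adversarial training).
    """
    rng = np.random.default_rng(0) if rng is None else rng
    x_adv = np.clip(x + rng.uniform(-eps, eps, size=x.shape), 0.0, 1.0)
    for _ in range(steps):
        _, g = loss_and_grad(w, b, x_adv, y)
        x_adv = x_adv + step * np.sign(g)
        x_adv = np.clip(x_adv, x - eps, x + eps)   # project onto the L_inf ball
        x_adv = np.clip(x_adv, 0.0, 1.0)           # keep a valid pixel range
    return x_adv


def demo():
    """Run PGD on a constructed CIFAR-sized input and report loss before/after and the L_inf distance."""
    rng = np.random.default_rng(1)
    d = 3 * 32 * 32                        # flattened CIFAR-shaped input
    w = rng.normal(0.0, 0.05, d)           # constructed toy classifier weights
    b = 0.0
    x = rng.uniform(0.0, 1.0, d)           # constructed "image" in [0, 1]
    y = 1.0
    clean_loss, _ = loss_and_grad(w, b, x, y)
    x_adv = pgd_linf(w, b, x, y)
    adv_loss, _ = loss_and_grad(w, b, x_adv, y)
    return {
        "clean_loss": float(clean_loss),
        "adv_loss": float(adv_loss),
        "linf": float(np.abs(x_adv - x).max()),
    }


if __name__ == "__main__":
    print([learning_rate(e) for e in (0, 74, 75, 89, 90, 99)])
    print(demo())
```

Two checks worth keeping in any reproduction: the L_inf distance returned by `demo()` never exceeds ϵ, because the projection runs after every step, and with four steps of 2/255 already covering 8/255 the ten-step budget lets PGD reach the boundary from any random start. When reproducing the paper's ϵ_adv = ϵ_poi setting, the same ϵ constant should feed both the poison generation and this inner maximization.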