On the Convergence and Robustness of Adversarial Training
Authors: Yisen Wang, Xingjun Ma, James Bailey, Jinfeng Yi, Bowen Zhou, Quanquan Gu
ICML 2019
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | In this section, we evaluate the robustness of our proposed training strategy (Dynamic) compared with several state-of-the-art defense models, in both the white-box and black-box settings on the benchmark datasets MNIST and CIFAR-10. The white-box results are reported in Table 1. |
| Researcher Affiliation | Collaboration | 1JD.com 2The University of Melbourne 3The University of California, Los Angeles. |
| Pseudocode | Yes | Algorithm 1 Dynamic Adversarial Training |
| Open Source Code | No | The paper does not provide concrete access to source code for the methodology described in this paper. |
| Open Datasets | Yes | benchmark datasets MNIST and CIFAR-10. |
| Dataset Splits | No | The paper references MNIST and CIFAR-10 datasets but does not explicitly provide training/validation/test dataset splits with percentages or absolute counts. It uses "test set images" without defining its size relative to training or validation data. |
| Hardware Specification | No | The paper does not provide specific hardware details (e.g., GPU/CPU models, memory) used for running its experiments, only mentioning network architectures like 'CNN' and 'WideResNet'. |
| Software Dependencies | No | The paper mentions common deep learning components like 'Batch Norm' and 'SGD' but does not specify any software libraries or frameworks with version numbers (e.g., TensorFlow, PyTorch, scikit-learn versions). |
| Experiment Setup | Yes | Defense models for both MNIST and CIFAR-10 are trained using Stochastic Gradient Descent (SGD) with momentum 0.9, weight decay 10^-4 and an initial learning rate of 0.01. The learning rate is divided by 10 at the 20-th and 40-th epoch for MNIST (50 epochs in total), and at the 60-th and 100-th epoch for CIFAR-10 (120 epochs in total). All images are normalized into [0, 1]. Except the Unsecured model, other defense models including our proposed Dynamic model are all trained under the same PGD adversarial training scheme: 10-step PGD attack with random start (adding an initial random perturbation of [−ϵ, ϵ] to the normal examples before the PGD perturbation) and step size ϵ/4. The maximum perturbation is set to ϵ = 0.3 for MNIST, and ϵ = 8/255 for CIFAR-10, which is a standard setting for adversarial defense (Athalye et al., 2018; Madry et al., 2018). |