On the Effectiveness of Low Frequency Perturbations
Authors: Yash Sharma, Gavin Weiguang Ding, Marcus A. Brubaker
IJCAI 2019
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | By systematically controlling the frequency components of the perturbation, evaluating against the top-placing defense submissions in the NeurIPS 2017 competition, we empirically show that performance improvements in both the white-box and black-box transfer settings are yielded only when low frequency components are preserved. |
| Researcher Affiliation | Industry | Yash Sharma, Gavin Weiguang Ding and Marcus A. Brubaker; Borealis AI |
| Pseudocode | No | No structured pseudocode or algorithm blocks were found in the paper. |
| Open Source Code | No | The paper refers to supplementary material via an arXiv link to its own appendix but does not contain an explicit statement about releasing code for the described methodology or a direct link to a code repository. |
| Open Datasets | Yes | Testing against state-of-the-art ImageNet [Deng et al., 2009] defense methods... To evaluate the effectiveness of perturbations under different frequency constraints, we test against models and defenses from the NeurIPS 2017 Adversarial Attacks and Defences Competition [Kurakin et al., 2018]... We also show that these results do not transfer to the significantly lower-dimensional CIFAR-10 dataset |
| Dataset Splits | No | The paper evaluates attacks on pre-trained models and mentions using 1000 test examples, but does not specify the train/validation/test splits for the datasets these models were originally trained on, as the authors did not perform the original training. |
| Hardware Specification | No | The paper does not provide specific details regarding the hardware used for running the experiments, such as GPU or CPU models. |
| Software Dependencies | No | The paper does not provide specific versions for software dependencies, such as programming languages or libraries, used in the experiments. |
| Experiment Setup | Yes | We test on ϵ = 16/255 (competition distortion bound) and iterations = [1, 10] for the non-targeted case; ϵ = 32/255 and iterations = 10 for the targeted case. ... For each mask type, we test n = [256, 128, 64, 32] with d = 299. For DCT Rand, we average results over 3 random seeds. |