On the Limitations of Stochastic Pre-processing Defenses
Authors: Yue Gao, I Shumailov, Kassem Fawaz, Nicolas Papernot
NeurIPS 2022 | Conference PDF | Archive PDF | Plain Text | LLM Run Details
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | In this paper, we empirically and theoretically investigate such stochastic pre-processing defenses and demonstrate that they are flawed. |
| Researcher Affiliation | Collaboration | Yue Gao University of Wisconsin Madison gy@cs.wisc.edu Ilia Shumailov University of Cambridge & Vector Institute ilia.shumailov@cl.cam.ac.uk Kassem Fawaz University of Wisconsin Madison kfawaz@wisc.edu Nicolas Papernot University of Toronto & Vector Institute nicolas.papernot@utoronto.ca |
| Pseudocode | No | The paper does not contain any structured pseudocode or algorithm blocks. It provides mathematical formulations but not pseudocode. |
| Open Source Code | Yes | Our code is available at https://github.com/wi-pi/stochastic-preprocessing-defenses. |
| Open Datasets | Yes | We conduct all experiments on Image Net [30] and Image Nette [9]. |
| Dataset Splits | Yes | For Image Net, our test data consists of 1,000 images randomly sampled from the validation set. Image Nette is a ten-class subset of Image Net, and we test on its validation set. ... These models are fine-tuned on the training data processed by tested defenses. ... More details of datasets and models can be found in Appendices D.1 and D.2. |
| Hardware Specification | Yes | Did you include the total amount of compute and the type of resources used (e.g., type of GPUs, internal cluster, or cloud provider)? [Yes] See Appendix D. |
| Software Dependencies | No | The paper mentions that detailed settings are in Appendix D, but the main text does not provide specific software dependencies (e.g., library names with version numbers) needed to replicate the experiment. |
| Experiment Setup | Yes | All attacks use maximum 1 perturbation = 8/255 with step size chosen from 2 {1/255, 2/255}. ... We only use constant step sizes and no random restarts for PGD. ... More details and intuitions of the attack s settings and implementation can be found in Appendix D.4. |