On the Sensitivity of Adversarial Robustness to Input Data Distributions
Authors: Gavin Weiguang Ding, Kry Yik Chau Lui, Xiaomeng Jin, Luyu Wang, Ruitong Huang
ICLR 2019 | Conference PDF | Archive PDF | Plain Text | LLM Run Details
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | Empirical investigations further confirm our finding. We construct semantically-identical variants for MNIST and CIFAR10 respectively, and show that standardly trained models achieve comparable clean accuracies on them, but adversarially trained models achieve significantly different robustness accuracies. |
| Researcher Affiliation | Industry | Gavin Weiguang Ding, Kry Yik Chau Lui, Xiaomeng Jin, Luyu Wang, Ruitong Huang Borealis AI Canada |
| Pseudocode | No | The paper does not contain any clearly labeled pseudocode or algorithm blocks. |
| Open Source Code | No | We use the PGD attack implementation from the Adver Torch toolbox (Ding et al., 2019). (Explanation: The paper references a third-party toolbox they used, but does not state that the code for their own methodology is being released or provide a link to it.) |
| Open Datasets | Yes | Our investigation is motivated by the empirical observations on the MNIST dataset and the CIFAR10 dataset. |
| Dataset Splits | No | Both model capacity and sample complexity results are shown in Figure 4. For MNIST, both training and test accuracies of clean training are invariant to model sizes... When we vary the size of training set, the model can always fit the training set well to almost 100% clean training accuracy under standard training. (Explanation: The paper discusses training and test sets but does not provide specific train/validation/test splits or percentages needed for reproduction.) |
| Hardware Specification | No | The paper does not explicitly describe the specific hardware (e.g., GPU/CPU models, memory) used to run its experiments. |
| Software Dependencies | No | We use the PGD attack implementation from the Adver Torch toolbox (Ding et al., 2019). and We use Adam optimizer (Kingma and Ba, 2014) with a constant learning rate of 0.001. (Explanation: The paper mentions software tools like Adver Torch and Adam optimizer, but does not provide specific version numbers for these or other key dependencies.) |
| Experiment Setup | Yes | For training Le Net5 on MNIST variants, we use the Adam optimizer with an initial learning rate of 0.0001 and train for 100000 steps with batch size 50. For training Wide Res Net on CIFAR10 variants, we use stochastic gradient descent with momentum 0.9 and weight decay 0.0002. We train 80000 steps in total with batch size 128. The learning rate is set to 0.1 at step 0, 0.01 at step 40000, and 0.001 at step 60000. |