Part-Based Models Improve Adversarial Robustness
Authors: Chawin Sitawarin, Kornrapat Pongmala, Yizheng Chen, Nicholas Carlini, David Wagner
ICLR 2023
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | Empirically, our part-based models achieve both higher accuracy and higher adversarial robustness than a ResNet-50 baseline on all three datasets. For instance, the clean accuracy of our part models is up to 15 percentage points higher than the baseline's, given the same level of robustness. Our experiments indicate that these models also reduce texture bias and yield better robustness against common corruptions and spurious correlations. |
| Researcher Affiliation | Collaboration | Chawin Sitawarin¹, Kornrapat Pongmala¹, Yizheng Chen¹, Nicholas Carlini², David Wagner¹ — ¹EECS Department, University of California, Berkeley; ²Google |
| Pseudocode | No | The paper includes mathematical equations and figures, but no clearly labeled 'Pseudocode' or 'Algorithm' blocks, nor structured steps formatted like code or an algorithm. |
| Open Source Code | Yes | The code is publicly available at https://github.com/chawins/adv-part-model. |
| Open Datasets | Yes | We demonstrate our part models on three datasets where part-level annotations are available: PartImageNet (He et al., 2021), Cityscapes (Meletis et al., 2020), and PASCAL-Part (Chen et al., 2014). [...] The PartImageNet dataset [...] is publicly available to download: https://github.com/tacju/partimagenet. [...] The Cityscapes dataset [...] is available under a non-commercial license: https://www.cityscapes-dataset.com/license/. [...] The PASCAL-Part dataset (Chen et al., 2014) [...] Both the annotations and the original dataset are available to the public: http://host.robots.ox.ac.uk/pascal/VOC/voc2010/, and for PASCAL-Part, see https://roozbehm.info/pascal-parts/pascal-parts.html. |
| Dataset Splits | Yes | Training is early stopped according to adversarial accuracy computed on the held-out validation set. [...] We save the weights with the highest accuracy on the held-out validation data, which does not overlap with the training or the test set. [...] The PartImageNet dataset splits the data by their original ImageNet-1K classes, i.e., 109, 19, and 30 classes for the training, validation, and test sets, respectively. This allows one to measure generalization across sub-populations under the same group. However, our focus is different; we want to evaluate the robustness under a similar setting to CIFAR-10, whose samples are split i.i.d. Hence, for this paper, we ignore the original ImageNet class and re-partition the dataset randomly, independent of its original class. |
| Hardware Specification | Yes | Our experiments are conducted on Nvidia GeForce RTX 2080 Ti and V100 GPUs. |
| Software Dependencies | No | The paper mentions "PyTorch's RandomResizedCrop function" but does not specify version numbers for PyTorch or any other software libraries or dependencies, which are required for a reproducible description. |
| Experiment Setup | Yes | All models are trained with SGD and a batch size of 128, using either adversarial training or TRADES, with 10-step ℓ∞-PGD with ϵ = 8/255 and a step size of 2/255. [...] For all models, we use grid search on the learning rate (0.1, 0.05, 0.02) and the weight decay (1×10⁻⁴, 5×10⁻⁴) during PGD adversarial training. For the part-based models, after obtaining the best learning rate and weight decay, we then further tune c_seg by sweeping values 0.1, 0.2, . . . , 0.9 and report on the model with comparable adversarial accuracy to the baseline. |
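The attack used during training (10-step ℓ∞-PGD, ϵ = 8/255, step size 2/255) can be sketched as follows. This is a generic PGD implementation under the hyperparameters quoted above, not the authors' released code from the linked repository; the function name and the random-start choice are illustrative assumptions.

```python
import torch
import torch.nn as nn


def pgd_linf(model, x, y, eps=8 / 255, alpha=2 / 255, steps=10):
    """Generic 10-step l_inf PGD matching the quoted training setup.

    Hypothetical sketch: the paper's actual implementation lives at
    https://github.com/chawins/adv-part-model and may differ in details
    (e.g., random start, loss used for TRADES).
    """
    loss_fn = nn.CrossEntropyLoss()
    # Random start inside the eps-ball (a common choice; an assumption here).
    x_adv = (x + torch.empty_like(x).uniform_(-eps, eps)).clamp(0, 1).detach()
    for _ in range(steps):
        x_adv.requires_grad_(True)
        loss = loss_fn(model(x_adv), y)
        grad = torch.autograd.grad(loss, x_adv)[0]
        with torch.no_grad():
            # Ascend the loss by a signed-gradient step of size alpha.
            x_adv = x_adv + alpha * grad.sign()
            # Project back into the eps-ball around x, then into valid pixel range.
            x_adv = x + (x_adv - x).clamp(-eps, eps)
            x_adv = x_adv.clamp(0, 1)
        x_adv = x_adv.detach()
    return x_adv
```

In adversarial training, each clean batch would be replaced by `pgd_linf(model, x, y)` before the SGD update, so the model is optimized on worst-case perturbed inputs within the ϵ-ball.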