PixelDefend: Leveraging Generative Models to Understand and Defend against Adversarial Examples
Authors: Yang Song, Taesup Kim, Sebastian Nowozin, Stefano Ermon, Nate Kushman
ICLR 2018
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | Experiments show that our method greatly improves resilience across a wide variety of state-of-the-art attacking methods, increasing accuracy on the strongest attack from 63% to 84% for Fashion MNIST and from 32% to 70% for CIFAR-10. |
| Researcher Affiliation | Collaboration | Yang Song (Stanford University, yangsong@cs.stanford.edu); Taesup Kim (Université de Montréal, taesup.kim@umontreal.ca); Sebastian Nowozin (Microsoft Research, nowozin@microsoft.com); Stefano Ermon (Stanford University, ermon@cs.stanford.edu); Nate Kushman (Microsoft Research, nkushman@microsoft.com) |
| Pseudocode | Yes | Algorithm 1 PixelDefend. Input: Image X, Defense parameter ϵ_defend, Pre-trained PixelCNN model p_CNN. Output: Purified Image X |
| Open Source Code | No | However, we will open source our codes and look forward to any possible attack from the community. |
| Open Datasets | Yes | Two datasets are used in our experiments: Fashion MNIST (Xiao et al., 2017) and CIFAR-10 (Krizhevsky et al.). Fashion MNIST was designed as a more difficult, but drop-in replacement for MNIST (LeCun et al., 1998). Thus it shares all of MNIST's characteristics, i.e., 60,000 training examples and 10,000 test examples... CIFAR-10 ... consists of 60,000 examples, where 50,000 are used for training and 10,000 for testing... |
| Dataset Splits | No | In Appendix B the paper states: 'We chose the adaptive threshold discussed in Section 4.2 using validation data.' However, it does not give the size or percentage of the validation split, so the exact data partitioning cannot be reproduced. |
| Hardware Specification | Yes | For CIFAR-10 images, PixelDefend on average processes 3.6 images per second on one NVIDIA TITAN Xp GPU. ... Empirically, it took about 10 hours to generate 100 attacking images with one TITAN Xp GPU which failed to fool PixelDefend. |
| Software Dependencies | No | The paper mentions a 'scipy implementation' and adopting 'PixelCNN++ (Salimans et al., 2017)', but it does not provide specific version numbers for any software libraries, frameworks, or dependencies used in the experiments. |
| Experiment Setup | Yes | For Fashion MNIST experiments, we randomly sample ϵ_attack from N(0, δ), take the absolute value and truncate it to [0, 2δ], where δ = 8 or 25. For CIFAR-10 experiments, we follow the same procedure but fix δ = 8. ... For Fashion MNIST, the threshold of bits per dimension was set to 1.8, and for CIFAR-10 the number was 3.2. ... We use ResNet (62-layer) and VGG (16-layer) as classifiers. ... The network architecture details are described in Appendix C. |