Protecting DNNs from Theft using an Ensemble of Diverse Models

Authors: Sanjay Kariyappa, Atul Prakash, Moinuddin K Qureshi

ICLR 2021

Reproducibility Variable | Result | LLM Response
Research Type | Experimental | Our evaluations on several image classification tasks demonstrate that EDM defense can severely degrade the accuracy of clone models (up to 39.7%).
Researcher Affiliation | Academia | Sanjay Kariyappa, Georgia Institute of Technology, Atlanta GA, USA (sanjaykariyappa@gatech.edu); Atul Prakash, University of Michigan, Ann Arbor MI, USA (aprakash@umich.edu); Moinuddin K Qureshi, Georgia Institute of Technology, Atlanta GA, USA (moin@gatech.edu)
Pseudocode | No | The paper describes methods verbally and through figures but does not contain a formal pseudocode or algorithm block.
Open Source Code | No | The paper does not include an explicit statement about releasing open-source code for the described methodology, nor does it provide a link to a code repository.
Open Datasets | Yes | We use DNNs trained on various image-classification datasets listed in Table 3 as the target models for performing MS attacks. For each dataset, we train two target models: 1. undefended baseline: a single model trained on D_in using cross entropy loss. 2. EDM: an ensemble of models trained on the EDM loss function (Eqn. 3). The dataset, model architecture and test accuracies obtained by the undefended target and EDM targets are shown in Table 1.
Dataset Splits | No | The paper mentions using training data (D_in) and test sets (D_test) but does not explicitly provide the specific percentages, counts, or detailed methodology for train/validation/test splits for the datasets used in their experiments.
Hardware Specification | Yes | We also thank NVIDIA for the donation of the Titan V GPU that was used for this research.
Software Dependencies | No | The paper mentions optimizers like SGD and Adam but does not provide specific version numbers for any software dependencies or libraries used in the experiments.
Experiment Setup | Yes | The clone model is trained using an SGD optimizer with an initial learning rate of 0.1 for 50 epochs with a cosine-annealing learning-rate schedule. We use 6 rounds of data augmentation with the value of β set to 0.2 for the JBDA attack. The clone model is trained for 10 epochs in each round with the Adam optimizer with a learning rate of 0.001. The value of λ_D was selected with the constraint of having the degradation in benign accuracy of the target model be less than 0.5%.