ScaleCert: Scalable Certified Defense against Adversarial Patches with Sparse Superficial Layers

Authors: Husheng Han, Kaidi Xu, Xing Hu, Xiaobing Chen, Ling Liang, Zidong Du, Qi Guo, Yanzhi Wang, Yunji Chen

NeurIPS 2021

Reproducibility Variable | Result | LLM Response
Research Type | Experimental | Our experimental results show that the certified accuracy is increased from 36.3% (the state-of-the-art certified detection) to 60.4% on the ImageNet dataset, largely pushing the certified defenses for practical use.
Researcher Affiliation | Collaboration | Husheng Han (1,2,3), Kaidi Xu (4), Xing Hu (1), Xiaobing Chen (1,2,3), Ling Liang (5), Zidong Du (1,3), Qi Guo (1), Yanzhi Wang (6), Yunji Chen (1,2). Affiliations: (1) SKL of Computer Architecture, Institute of Computing Technology, CAS; (2) University of Chinese Academy of Sciences; (3) Cambricon Technologies; (4) Drexel University; (5) UC Santa Barbara; (6) Northeastern University
Pseudocode | Yes | Algorithm 1 Our adversarial patch detection algorithm D
Open Source Code | No | The paper does not provide an explicit statement about releasing source code or a link to a code repository for the methodology described.
Open Datasets | Yes | Datasets and Models. We evaluate the clean and certified robustness results on the high resolution dataset with 224×224 sizes (1000-class ImageNet [13]) and low resolution dataset with 32×32 sizes (10-class CIFAR-10 [12]).
Dataset Splits | No | The paper mentions using ImageNet and CIFAR-10 datasets, which have standard splits, but does not explicitly state the training, validation, or test split percentages or sample counts within the text.
Hardware Specification | Yes | Execution Latency (V100 GPU) 219ms 306ms 508ms
Software Dependencies | No | The paper does not provide specific software names with version numbers for reproducibility (e.g., Python 3.8, PyTorch 1.9, CUDA 11.1).
Experiment Setup | Yes | There are two key parameters affecting the clean and certified accuracy: the pruning rate in the shadow region and the occluding window size to target the adversarial patch (more discussion in Appendix A.2). In the ScaleCert algorithm, some hyperparameters can affect these two important parameters: the winner rate of SIN mask (k), the overlap ratio for merging the searching window (τ), and the superficial layer selection (l). We analyze the impact of k, τ, l (in Appendix A.4) on the certified defense effectiveness and efficiency.