Stochastic Security: Adversarial Defense Using Long-Run Dynamics of Energy-Based Models
Authors: Mitch Hill, Jonathan Craig Mitchell, Song-Chun Zhu
ICLR 2021 | Conference PDF | Archive PDF | Plain Text | LLM Run Details
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | We evaluate adversarial defense with an EBM using the strongest known attacks against purification. Our contributions are 1) an improved method for training EBMs with realistic long-run MCMC samples for effective purification, 2) an Expectation-Over-Transformation (EOT) defense that resolves ambiguities for evaluating stochastic defenses and from which the EOT attack naturally follows, and 3) state-of-the-art adversarial defense for naturally-trained classifiers and competitive defense compared to adversarial training on CIFAR-10, SVHN, and CIFAR-100. Our code and pre-trained models are available at https://github.com/point0bar1/ebm-defense. From Section 4 (Experiments): We use two different network architectures in our experiments. (A hedged sketch of the purification/EOT defense follows the table.) |
| Researcher Affiliation | Academia | Mitch Hill, Department of Statistics and Data Science, University of Central Florida (mitchell.hill@ucf.edu); Jonathan Mitchell & Song-Chun Zhu, Department of Computer Science and Department of Statistics, University of California, Los Angeles (jcmitchell@ucla.edu, sczhu@stat.ucla.edu) |
| Pseudocode | Yes | Algorithm 1: BPDA+EOT adaptive attack to evaluate the EOT defense (Eq. 4); Algorithm 2: ML with Adam-to-SGD switch for convergent learning of the EBM (Eq. 1) |
| Open Source Code | Yes | Our code and pre-trained models are available at https://github.com/point0bar1/ebm-defense. |
| Open Datasets | Yes | We examine the effect the number of Langevin steps has on defense accuracy for the CIFAR-10 dataset, and we evaluate our defense using non-adaptive and adaptive whitebox attacks for the CIFAR-10, CIFAR-100, and SVHN datasets. |
| Dataset Splits | No | The paper uses datasets like CIFAR-10, SVHN, and CIFAR-100, but does not provide explicit details about training/validation/test splits (e.g., percentages, sample counts, or a specific split strategy beyond the mention of a 'test set'). |
| Hardware Specification | Yes | One evaluation of the entire test set took approximately 2.5 days using 4x RTX 2070 Super GPUs. Running 1500 Langevin steps on a batch of 100 images with our lightweight EBM takes about 13 seconds on an RTX 2070 Super GPU. |
| Software Dependencies | No | The paper mentions optimizers like Adam and SGD but does not provide specific version numbers for software dependencies such as deep learning frameworks (e.g., PyTorch, TensorFlow), Python, or other libraries used in the implementation. |
| Experiment Setup | Yes | We use the parameters from Algorithm 1 for all evaluations unless otherwise noted. In Section 4.1, we examine the effect of the number of Langevin steps K and the stability of Langevin sampling paths on defense. Section 4.2 examines our defense against a PGD attack from the base classifier, and Section 4.3 examines our defense against the adaptive BPDA+EOT attack. Algorithm 1 (BPDA+EOT adaptive attack to evaluate the EOT defense, Eq. 4) requires: natural images {x⁺_m}_{m=1}^{M}, EBM U(x), classifier f(x), Langevin noise τ = 0.01, Langevin updates K = 1500, number of attacks N = 50, attack step size α = 2/255, maximum perturbation size ε = 8/255, EOT attack samples H_adv = 15, EOT defense samples H_def = 150. Algorithm 2 (ML with Adam-to-SGD switch for convergent learning of the EBM, Eq. 1) requires: ConvNet potential U(x; θ), number of training steps J = 150000, step to switch from Adam to SGD J_SGD = 50000, initial weight θ_1, training images {x⁺_i}_{i=1}^{N_data}, data perturbation τ_data = 0.02, step size τ = 0.01, Langevin steps K = 100, Adam learning rate γ_Adam = 0.0001, SGD learning rate γ_SGD = 0.00005. (Hedged sketches of Algorithms 1 and 2 follow the table.) |
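
The following is a minimal PyTorch-style sketch of the purification/EOT defense summarized in the Research Type and Experiment Setup rows, assuming hypothetical handles `ebm(x)` (per-image energies U(x)) and `clf(x)` (classifier logits). Function names, batching, and update details are illustrative, not the authors' released implementation.

```python
import torch

def langevin_purify(x, ebm, n_steps=1500, step_size=0.01):
    """Run n_steps Langevin updates on the EBM potential, starting from image x."""
    x = x.clone().detach()
    for _ in range(n_steps):
        x.requires_grad_(True)
        grad = torch.autograd.grad(ebm(x).sum(), x)[0]
        # Langevin dynamics: noisy gradient descent on the potential U(x).
        x = (x - 0.5 * step_size ** 2 * grad
             + step_size * torch.randn_like(x)).detach()
    return x

def eot_defense_predict(x, ebm, clf, h_def=150, n_steps=1500):
    """EOT defense: average softmax outputs over h_def independent purification runs."""
    prob_sum = None
    for _ in range(h_def):
        x_pur = langevin_purify(x, ebm, n_steps=n_steps)
        with torch.no_grad():
            probs = torch.softmax(clf(x_pur), dim=1)
        prob_sum = probs if prob_sum is None else prob_sum + probs
    # Predicted label is the argmax of the averaged class probabilities.
    return (prob_sum / h_def).argmax(dim=1)
```

Averaging probabilities over many stochastic purification runs (H_def = 150) is what makes the stochastic defense well defined for evaluation; a single run would give a different prediction each time.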
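A hedged sketch of Algorithm 1 (BPDA+EOT adaptive attack), reusing the hypothetical `langevin_purify`, `ebm`, and `clf` above. BPDA treats the non-differentiable purification as the identity on the backward pass, and EOT averages the gradient over H_adv stochastic purification samples per PGD step; this is a simplified outline, not the paper's exact code.

```python
import torch
import torch.nn.functional as F

def bpda_eot_attack(x_nat, y, ebm, clf, n_attacks=50, alpha=2 / 255, eps=8 / 255,
                    h_adv=15, n_steps=1500):
    """L_inf PGD attack on the purification defense using BPDA + EOT gradients."""
    x_adv = x_nat.clone().detach()
    for _ in range(n_attacks):
        grad_sum = torch.zeros_like(x_adv)
        for _ in range(h_adv):
            # Forward: run the stochastic purification on the current adversarial image.
            x_pur = langevin_purify(x_adv, ebm, n_steps=n_steps).requires_grad_(True)
            loss = F.cross_entropy(clf(x_pur), y)
            # BPDA: treat purification as the identity, so the gradient w.r.t. the
            # purified image is used as the gradient w.r.t. x_adv.
            grad_sum += torch.autograd.grad(loss, x_pur)[0]
        # PGD step with the EOT-averaged gradient, projected onto the eps-ball.
        x_adv = x_adv + alpha * (grad_sum / h_adv).sign()
        x_adv = torch.min(torch.max(x_adv, x_nat - eps), x_nat + eps)
        x_adv = x_adv.clamp(0.0, 1.0).detach()
    return x_adv
```

With K = 1500 Langevin steps per purification and H_adv = 15 samples per attack step, the cost of this attack is dominated by the MCMC forward passes, which is consistent with the multi-day evaluation time reported in the Hardware Specification row.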
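A rough outline of Algorithm 2 (maximum-likelihood EBM training with an Adam-to-SGD switch), under the same assumed `ebm` and `langevin_purify` handles. The negative-sample initialization and data pipeline are simplified stand-ins (uniform-noise initialization, a generic `data_loader` yielding image/label pairs), so treat this as a sketch of the training schedule rather than the authors' method.

```python
import torch

def train_ebm(ebm, data_loader, n_steps=150000, switch_step=50000,
              lr_adam=1e-4, lr_sgd=5e-5, k_langevin=100, tau=0.01, tau_data=0.02):
    """Maximum-likelihood EBM training with an Adam-to-SGD optimizer switch."""
    opt = torch.optim.Adam(ebm.parameters(), lr=lr_adam)
    data_iter = iter(data_loader)
    for step in range(1, n_steps + 1):
        if step == switch_step:
            # Switch from Adam to plain SGD for the convergent-learning phase.
            opt = torch.optim.SGD(ebm.parameters(), lr=lr_sgd)
        try:
            x_pos, _ = next(data_iter)
        except StopIteration:
            data_iter = iter(data_loader)
            x_pos, _ = next(data_iter)
        # Slightly perturb the data samples (the tau_data parameter).
        x_pos = x_pos + tau_data * torch.randn_like(x_pos)
        # Negative samples from K short-run Langevin steps; initialization is
        # simplified here to uniform noise.
        x_neg = langevin_purify(torch.rand_like(x_pos), ebm,
                                n_steps=k_langevin, step_size=tau)
        # Maximum-likelihood gradient: lower the energy of data, raise the energy
        # of model samples.
        loss = ebm(x_pos).mean() - ebm(x_neg).mean()
        opt.zero_grad()
        loss.backward()
        opt.step()
    return ebm
```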