The Adversarial Attack and Detection under the Fisher Information Metric
Authors: Chenxiao Zhao, P. Thomas Fletcher, Mixue Yu, Yaxin Peng, Guixu Zhang, Chaomin Shen
AAAI 2019, pp. 5869-5876
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | We perform extensive empirical evaluations, demonstrating that the eigenvalues are of good distinguishability for defending against many state-of-the-art attacks. The experiments are performed on three standard benchmark datasets: MNIST, CIFAR-10 (Krizhevsky and Hinton 2009), and ILSVRC-2012 (Russakovsky et al. 2015). Our evaluations show superior performance compared with other methods, implying that the Fisher information is a promising approach for investigating adversarial attacks and defenses. Both our attack and detection algorithms are numerically optimized to work efficiently on large datasets. |
| Researcher Affiliation | Academia | Chenxiao Zhao (1), P. Thomas Fletcher (2), Mixue Yu (1), Yaxin Peng (3,4), Guixu Zhang (1), Chaomin Shen (1,4). (1) Department of Computer Science, East China Normal University, Shanghai, China; (2) Department of Electrical and Computer Engineering, and Department of Computer Science, University of Virginia, Virginia, USA; (3) Department of Mathematics, Shanghai University, Shanghai, China; (4) Westlake Institute for Brain-Like Science and Technology, Zhejiang, China |
| Pseudocode | Yes | Algorithm 1: One Step Spectral Attack (OSSA), implemented with power iteration and alias sampling (a power-iteration sketch is given after this table). |
| Open Source Code | No | The paper does not include any explicit statement about releasing source code or a link to a code repository. |
| Open Datasets | Yes | The experiments are performed on three standard benchmark datasets: MNIST, CIFAR-10 (Krizhevsky and Hinton 2009), and ILSVRC-2012 (Russakovsky et al. 2015). |
| Dataset Splits | Yes | We only use the samples in the test set (validation set for ILSVRC-2012) to craft the adversarial examples. In Figure 3, we show the scatter of 800 randomly selected samples in the validation set of MNIST and CIFAR-10. |
| Hardware Specification | No | The paper does not provide specific details about the hardware used to run the experiments (e.g., GPU models, CPU types, or memory specifications). |
| Software Dependencies | No | The paper does not specify the software dependencies (e.g., deep learning framework or library versions) used to implement the experiments. |
| Experiment Setup | Yes | The pixel values of the images are constrained to the interval [0.0, 1.0]. We adopt three different networks for the three datasets respectively: LeNet-5, VGG, and ResNet-152 (He et al. 2015). When performing the iterative attacks, we set the perturbation size ϵ to 0.05, 0.025, and 0.0125 for the three datasets respectively; to make the comparison fair, we set ϵ = 2.0 for all the tested attack methods. In our experiments, all the adversarial perturbations are evaluated with the ℓ2 norm. Only the top 20 eigenvalues are extracted as the features for classification, and we find that a tree depth not exceeding 5 with more than 20 trees in the random forest yields good performance (a detector sketch is given after this table). |
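
To make the pseudocode entry concrete, here is a minimal sketch of the power-iteration step underlying Algorithm 1 (OSSA): it estimates the dominant eigenvalue and eigenvector of the Fisher information matrix given a Fisher-vector-product oracle. The `fisher_vector_product` callable is an assumption of this sketch (in practice it would be computed with automatic differentiation through the network rather than by materializing the matrix); this is not the authors' released implementation.

```python
import numpy as np

def power_iteration(fisher_vector_product, dim, n_iters=20, seed=0):
    """Estimate the dominant eigenpair of the Fisher information matrix.

    fisher_vector_product: assumed callable v -> G @ v, where G is the
        Fisher information matrix of the model outputs w.r.t. the input.
    dim: dimensionality of the input (number of pixels).
    """
    rng = np.random.default_rng(seed)
    # Start from a random unit vector.
    v = rng.standard_normal(dim)
    v /= np.linalg.norm(v)
    # Repeatedly apply G and renormalize; v converges to the top eigenvector.
    for _ in range(n_iters):
        w = fisher_vector_product(v)
        v = w / np.linalg.norm(w)
    # Rayleigh quotient gives the corresponding eigenvalue estimate.
    eigenvalue = float(v @ fisher_vector_product(v))
    return eigenvalue, v
```

As described in the paper, OSSA uses the resulting eigenvector as the adversarial perturbation direction, scaled to the chosen perturbation size ϵ.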
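The detection side of the setup (top-20 Fisher eigenvalues fed to a shallow random forest) can likewise be sketched as below, assuming the eigenvalue features have already been extracted for each input, e.g. with repeated power iteration. The function name `fit_detector` and the exact tree count of 25 are illustrative; the paper reports only a tree depth not exceeding 5 and more than 20 trees.

```python
import numpy as np
from sklearn.ensemble import RandomForestClassifier

def fit_detector(clean_eigs, adv_eigs):
    """Train an adversarial-example detector on Fisher eigenvalue features.

    clean_eigs, adv_eigs: arrays of shape (n_samples, 20) holding the
    top-20 Fisher eigenvalues extracted for natural and adversarial inputs.
    """
    # Stack features; label natural inputs 0 and adversarial inputs 1.
    X = np.vstack([clean_eigs, adv_eigs])
    y = np.concatenate([np.zeros(len(clean_eigs)), np.ones(len(adv_eigs))])
    # Hyperparameters per the paper: depth <= 5, more than 20 trees.
    clf = RandomForestClassifier(n_estimators=25, max_depth=5, random_state=0)
    clf.fit(X, y)
    return clf
```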