Towards Robustness Certification Against Universal Perturbations
Authors: Yi Zeng, Zhouxing Shi, Ming Jin, Feiyang Kang, Lingjuan Lyu, Cho-Jui Hsieh, Ruoxi Jia
ICLR 2023
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | Aside from an extensive evaluation of the proposed certification, we further show how the certification facilitates efficient comparison of robustness among different models or efficacy among different universal adversarial attack defenses and enables accurate detection of backdoor target classes. |
| Researcher Affiliation | Collaboration | ¹Virginia Tech, Blacksburg, VA 24061, USA; ²University of California, Los Angeles, CA 90095, USA; ³Sony AI, Tokyo, 108-0075, Japan |
| Pseudocode | No | The paper does not contain a clearly labeled "Pseudocode" or "Algorithm" block. |
| Open Source Code | Yes | https://github.com/ruoxi-jia-group/Universal_Pert_Cert |
| Open Datasets | Yes | For evaluating the certification, we consider two benchmark datasets, MNIST (LeCun et al., 1998) and CIFAR-10 (Krizhevsky et al., 2009), widely adopted in existing works. |
| Dataset Splits | Yes | For evaluating the certification, we consider two benchmark datasets, MNIST (LeCun et al., 1998) and CIFAR-10 (Krizhevsky et al., 2009), widely adopted in existing works. |
| Hardware Specification | Yes | We use one server equipped with a total of 8 RTX A6000 GPUs as the hardware platform. |
| Software Dependencies | No | PyTorch (Paszke et al., 2019) is adopted as the implementation framework. We use Gurobi (Bixby, 2007) to solve the MILP. While specific tools are named, their version numbers are not explicitly provided in the text. (A minimal Gurobi modeling sketch follows the table.) |
| Experiment Setup | Yes | We use Adadelta (Zeiler, 2012) as the optimizer with a learning rate of 0.1 for all model training (including the adversarial training used in the model-updating step). For MNIST models, we train each model for 60 epochs. For CIFAR-10 models, we train each model for 500 epochs to ensure full convergence. For the adversarial training adopted in the main text, PGD attacks use 7 steps with a step size of ϵ/4. (A minimal PGD training sketch follows the table.) |
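
The quoted setup pins down the optimizer (Adadelta, learning rate 0.1) and the PGD configuration (7 steps, step size ϵ/4). Below is a minimal PyTorch sketch of that configuration; the tiny model, dummy data loader, ϵ value, and loss details are illustrative assumptions, not the authors' released code.

```python
import torch
import torch.nn.functional as F

def pgd_attack(model, x, y, epsilon, steps=7):
    """Untargeted l_inf PGD with the quoted settings: 7 steps, step size epsilon/4."""
    alpha = epsilon / 4                           # step size from the quoted setup
    delta = torch.zeros_like(x, requires_grad=True)
    for _ in range(steps):
        loss = F.cross_entropy(model(x + delta), y)
        loss.backward()
        with torch.no_grad():
            delta += alpha * delta.grad.sign()    # ascend the loss
            delta.clamp_(-epsilon, epsilon)       # project back into the l_inf ball
            delta.grad.zero_()
    return (x + delta).detach()                   # input-range clipping omitted for brevity

# Hypothetical stand-ins for the paper's MNIST models and data pipeline.
model = torch.nn.Sequential(torch.nn.Flatten(), torch.nn.Linear(28 * 28, 10))
optimizer = torch.optim.Adadelta(model.parameters(), lr=0.1)  # optimizer quoted above
loader = [(torch.rand(8, 1, 28, 28), torch.randint(0, 10, (8,)))]

for x, y in loader:                               # one epoch of adversarial training
    x_adv = pgd_attack(model, x, y, epsilon=0.3)  # epsilon value is an assumption
    optimizer.zero_grad()                         # clear grads left by the attack
    F.cross_entropy(model(x_adv), y).backward()
    optimizer.step()
```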
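
The dependencies row names Gurobi as the MILP solver. The following is a minimal sketch of the gurobipy modeling pattern (it requires a Gurobi installation and license); the toy variables, constraint, and objective are illustrative stand-ins, not the paper's actual certification MILP.

```python
import gurobipy as gp
from gurobipy import GRB

m = gp.Model("toy_milp")
x = m.addVar(lb=-1.0, ub=1.0, name="x")    # continuous variable (e.g., a perturbation)
z = m.addVar(vtype=GRB.BINARY, name="z")   # binary variable (e.g., a ReLU phase)
m.addConstr(x <= 2 * z, name="link")       # big-M-style linking constraint
m.setObjective(x - 0.5 * z, GRB.MAXIMIZE)
m.optimize()
print(m.ObjVal, x.X, z.X)                  # optimum here: x = 1, z = 1, objective 0.5
```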