Notice: The reproducibility variables underlying each score are classified using an automated LLM-based pipeline, validated against a manually labeled dataset. LLM-based classification introduces uncertainty and potential bias; scores should be interpreted as estimates. Full accuracy metrics and methodology are described in [1].
Towards Robustness Certification Against Universal Perturbations
Authors: Yi Zeng, Zhouxing Shi, Ming Jin, Feiyang Kang, Lingjuan Lyu, Cho-Jui Hsieh, Ruoxi Jia
ICLR 2023
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | Aside from an extensive evaluation of the proposed certification, we further show how the certification facilitates efficient comparison of robustness among different models or efficacy among different universal adversarial attack defenses and enables accurate detection of backdoor target classes. 5 EXPERIMENT |
| Researcher Affiliation | Collaboration | ¹Virginia Tech, Blacksburg, VA 24061, USA; ²University of California, Los Angeles, CA 90095, USA; ³Sony AI, Tokyo, 108-0075, Japan |
| Pseudocode | No | The paper does not contain a clearly labeled "Pseudocode" or "Algorithm" block. |
| Open Source Code | Yes | https://github.com/ruoxi-jia-group/Universal_Pert_Cert |
| Open Datasets | Yes | For evaluating the certification, we consider two benchmark datasets, MNIST (LeCun et al., 1998) and CIFAR-10 (Krizhevsky et al., 2009), widely adopted in existing works. |
| Dataset Splits | Yes | For evaluating the certification, we consider two benchmark datasets, MNIST (LeCun et al., 1998) and CIFAR-10 (Krizhevsky et al., 2009), widely adopted in existing works. |
| Hardware Specification | Yes | We use one server equipped with a total of 8 RTX A6000 GPUs as the hardware platform. |
| Software Dependencies | No | PyTorch (Paszke et al., 2019) is adopted as the implementation framework. We use Gurobi (Bixby, 2007) to solve the MILP. While specific tools are named, their version numbers are not explicitly provided in the text. |
| Experiment Setup | Yes | We use Adadelta (Zeiler, 2012) as the optimizer with a learning rate set to 0.1 for all the model training process (including the adversarial training for the model updating step as well). For MNIST models, we train each model with 60 epochs. For CIFAR-10 models, we train each model with 500 epochs to ensure full convergence. For adversarial training adopted in the main text, the number of steps in PGD attacks is 7; step-size for PGD is set as ϵ/4. |