Understanding and Defending Patched-based Adversarial Attacks for Vision Transformer
Authors: Liang Liu, Yanan Guo, Youtao Zhang, Jun Yang
ICML 2023
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | In this work, we first design two experiments to deeply understand why such a small-size patch can crash the entire ViT model. Through these experiments, we study how a small adversarial patch perturbs the whole model, observing that adversarial patches only activate in a few layers and become lazy during attention updating (see the attention sketch after the table). |
| Researcher Affiliation | Academia | (1) Department of ECE, University of Pittsburgh; (2) Department of CS, University of Pittsburgh. |
| Pseudocode | Yes | Algorithm 1 ARMOR |
| Open Source Code | No | The paper does not provide an explicit statement or link to the open-source code for their proposed method (ARMOR). |
| Open Datasets | Yes | We choose 384 × 384 × 3 images randomly sampled from ImageNet 2012 (Deng et al., 2009) (see the sampling sketch after the table). |
| Dataset Splits | No | The paper mentions using "100 images to learn the detection threshold" but does not specify train/validation/test splits, split percentages, or a reference to predefined splits. |
| Hardware Specification | Yes | Our code runs on a 4090 GPU, while Certified-Patch and Smooth-ViT use a V100 GPU. |
| Software Dependencies | No | The paper states only that all code is written in Python on the PyTorch (Paszke et al., 2019) platform, without version numbers or other dependencies. |
| Experiment Setup | Yes | In the experiment, we use 100 images to learn the detection threshold, τ, for each model. We set the number of detections to Nd = 5. We set the perturbation radius of the adversarial patch to 0.8, which means the value of each pixel can be altered by up to 204/255. The size of the adversarial patch equals the patch size of the model, e.g., 32 × 32 pixels for ViT/32 and 16 × 16 pixels for ViT/16 (see the setup sketch after the table). |
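The "lazy attention" observation in the Research Type row can be quantified by measuring, layer by layer, how much attention the other tokens direct at the token positions covered by the adversarial patch. The paper's code is not public, so the sketch below is a hypothetical, model-agnostic illustration: the function `patch_attention_per_layer` and the dummy attention maps are assumptions, not the authors' implementation.

```python
import torch

def patch_attention_per_layer(attn_maps, patch_token_idx):
    """Average attention that query tokens pay to the patch's key
    positions, one score per transformer layer.

    attn_maps: list of [heads, tokens, tokens] row-stochastic attention
               tensors (rows = queries, columns = keys), one per layer.
    patch_token_idx: token indices covered by the adversarial patch.
    """
    scores = []
    for attn in attn_maps:
        to_patch = attn[:, :, patch_token_idx]  # [heads, tokens, |patch|]
        scores.append(to_patch.mean().item())
    return scores

# Dummy example: 12 layers, 3 heads, 197 tokens (ViT/16 at 224x224 plus CLS).
torch.manual_seed(0)
attn_maps = [torch.softmax(torch.randn(3, 197, 197), dim=-1) for _ in range(12)]
for layer, score in enumerate(patch_attention_per_layer(attn_maps, [42])):
    print(f"layer {layer:2d}: mean attention to patch = {score:.4f}")
```

On a real model, a patch that activates in only a few layers would show this score spiking in those layers and staying near the uniform baseline (1/197 here) elsewhere.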
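The Open Datasets row describes the evaluation data only as 384 × 384 × 3 images randomly sampled from ImageNet 2012. A minimal loading sketch with torchvision follows; the dataset path and the 1,000-image sample count are placeholders, not values from the paper.

```python
import torch
from torchvision import datasets, transforms

# Resize ImageNet 2012 validation images to the 384 x 384 x 3 inputs
# described in the paper. The path below is a placeholder.
transform = transforms.Compose([
    transforms.Resize((384, 384)),
    transforms.ToTensor(),
])
imagenet = datasets.ImageFolder("/path/to/imagenet2012/val", transform=transform)

# Randomly sample a fixed evaluation subset (the size is an assumption).
generator = torch.Generator().manual_seed(0)
indices = torch.randperm(len(imagenet), generator=generator)[:1000]
loader = torch.utils.data.DataLoader(
    torch.utils.data.Subset(imagenet, indices), batch_size=16
)
```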
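The Experiment Setup row fixes four quantities: 100 threshold-calibration images, Nd = 5 detections, a perturbation radius of 0.8, and a patch whose side equals the model's patch size. The sketch below shows how those constraints translate into a patch projection step; the constant names and the `project_patch` helper are illustrative, since ARMOR's implementation is not released.

```python
import torch

# Hyperparameters reported in the Experiment Setup row.
NUM_THRESHOLD_IMAGES = 100   # images used to learn the detection threshold tau
NUM_DETECTIONS = 5           # Nd
PERTURBATION_RADIUS = 0.8    # each pixel may move by up to 0.8, i.e. 204/255
PATCH_SIZE = {"ViT/32": 32, "ViT/16": 16}  # patch side = model patch size

def project_patch(patch, clean_patch, radius=PERTURBATION_RADIUS):
    """Keep every pixel of an adversarial patch within `radius` of the
    clean pixel and inside the valid [0, 1] image range."""
    delta = torch.clamp(patch - clean_patch, -radius, radius)
    return torch.clamp(clean_patch + delta, 0.0, 1.0)

# Example: one unconstrained update on a 16 x 16 patch for ViT/16.
side = PATCH_SIZE["ViT/16"]
clean_patch = torch.rand(3, side, side)
adv_patch = project_patch(clean_patch + torch.randn(3, side, side), clean_patch)
assert (adv_patch - clean_patch).abs().max() <= PERTURBATION_RADIUS
```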