Notice: The reproducibility variables underlying each score are classified using an automated LLM-based pipeline, validated against a manually labeled dataset. LLM-based classification introduces uncertainty and potential bias; scores should be interpreted as estimates. Full accuracy metrics and methodology are described in Coakley et al. (K. L. Coakley, T. Snelleman, H. Hoos, and O. E. Gundersen, "The embrace of open science: An analysis of a decade of AI research and 56 800 conference papers," Under Review, 2026).
Understanding and Defending Patched-based Adversarial Attacks for Vision Transformer
Authors: Liang Liu, Yanan Guo, Youtao Zhang, Jun Yang
ICML 2023
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | First, we experimentally observe that adversarial patches only activate in a few layers and become lazy during attention updating. According to experiments, we study how a small adversarial patch perturbates the whole model. In this work, we first design two experiments to deeply understand why such a small-size patch can crash the entire ViT model. |
| Researcher Affiliation | Academia | ¹Department of ECE, University of Pittsburgh ²Department of CS, University of Pittsburgh. |
| Pseudocode | Yes | Algorithm 1 ARMOR |
| Open Source Code | No | The paper does not provide an explicit statement or link to the open-source code for their proposed method (ARMOR). |
| Open Datasets | Yes | We choose 384 × 384 × 3 images randomly sampled from ImageNet 2012 (Deng et al., 2009). |
| Dataset Splits | No | The paper mentions using "100 images to learn the detection threshold" but does not provide specific train/validation/test dataset splits, percentages, or explicit predefined splits. |
| Hardware Specification | Yes | Our code runs on a 4090 GPU, while Certified-Patch and Smooth-ViT use a V100 GPU. |
| Software Dependencies | No | All codes are written in Python and PyTorch (Paszke et al., 2019) Platform. |
| Experiment Setup | Yes | In the experiment, we use 100 images to learn the detection threshold, τ, for each model. We set the number of detection as Nd = 5. We set the perturbation radius of the adversarial patch to 0.8, which means the value of each pixel can be altered to 204/255. The size of adversarial patches is equal to the patch size of the model, e.g., it is 32 × 32 pixels for ViT/32 and 16 × 16 pixels for ViT/16. |