Notice: The reproducibility variables underlying each score are classified using an automated LLM-based pipeline, validated against a manually labeled dataset. LLM-based classification introduces uncertainty and potential bias; scores should be interpreted as estimates. Full accuracy metrics and methodology are described in Coakley et al. (K. L. Coakley, T. Snelleman, H. Hoos, and O. E. Gundersen, "The embrace of open science: An analysis of a decade of AI research and 56 800 conference papers," Under Review, 2026).
Understanding the Robustness of Randomized Feature Defense Against Query-Based Adversarial Attacks
Authors: Nguyen Hung-Quang, Yingjie Lao, Tung Pham, Kok-Seng Wong, Khoa D Doan
ICLR 2024
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | In this section, we evaluate the empirical performance of the proposed randomized feature defense. |
| Researcher Affiliation | Collaboration | Quang H. Nguyen¹, Yingjie Lao², Tung Pham³, Kok-Seng Wong¹, Khoa D. Doan¹; ¹College of Engineering and Computer Science, VinUniversity, Vietnam; ²Tufts University; ³VinAI Research |
| Pseudocode | Yes | Algorithm 1 Randomized Feature Defense. Input: a model f, input data x, noise statistics Σ, a set of perturbed layers H = {h_l0, h_l1, ..., h_ln}. Output: logit vector l. z_0 ← x; for layer h_i in the model do; if h_i ∈ H then; δ ∼ N(0, Σ); z_i ← h_i(z_{i−1}) + δ; end if; end for; l ← z_n |
| Open Source Code | Yes | Code is available at https://github.com/mail-research/randomized_defenses |
| Open Datasets | Yes | Datasets. We perform our experiments on two widely used benchmark datasets in adversarial robustness: CIFAR10 (Krizhevsky & Hinton, 2009) and ImageNet (Russakovsky et al., 2015). |
| Dataset Splits | Yes | ImageNet (ILSVRC) 2012 is a large-scale dataset that consists of 1000 classes. The training set includes 1,281,167 images, the validation set includes 50,000 images, and the test set has 100,000 images. |
| Hardware Specification | No | The paper does not provide specific hardware details such as exact GPU/CPU models, processor types, or memory amounts used for running experiments. |
| Software Dependencies | No | The paper mentions using the 'timm package' for pretrained weights but does not specify its version number or any other software dependencies with their specific versions. |
| Experiment Setup | Yes | The detailed hyperparameters of each attack are as follows: Square attack: The initial probability of pixel change is 0.05 for ℓ∞ attack and 0.1 for ℓ2 attack. NES: We estimate the gradient by finite difference with 60 samples for ℓ∞ attack and 30 for ℓ2 attack. The step size of finite difference is 0.01 and 0.005, and the learning rate is set to 0.005 and 1 for ℓ∞ and ℓ2 attack, respectively. |