Endowing Visual Reprogramming with Adversarial Robustness
Authors: Shengjie Zhou, Xin Cheng, Haiyang Xu, Ming Yan, Tao Xiang, Feng Liu, Lei Feng
ICLR 2025
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | In this paper, we empirically find that reprogramming pre-trained models with adversarial robustness and incorporating adversarial samples from the target task during reprogramming can both improve the adversarial robustness of reprogrammed models. Furthermore, we propose a theoretically guaranteed adversarial robustness risk upper bound for VR, which validates our empirical findings and could provide a theoretical foundation for future research. Extensive experiments demonstrate that by adopting the strategies revealed in our empirical findings, the adversarial robustness of reprogrammed models can be enhanced. |
| Researcher Affiliation | Collaboration | Shengjie Zhou¹, Xin Cheng¹, Haiyang Xu², Ming Yan², Tao Xiang¹, Feng Liu³, Lei Feng⁴⁵ — ¹Chongqing University, ²Alibaba Group, ³University of Melbourne, ⁴Southeast University, ⁵Idealism Technology (Beijing) |
| Pseudocode | Yes | Algorithm 1 Adversarial Example Generation using Iterative Projected Gradient Descent |
| Open Source Code | Yes | The code for the experiments can be found in supplementary material. These can help reproduce the theoretical and experimental results. |
| Open Datasets | Yes | We select ImageNet-1K (Russakovsky et al., 2015) (the most commonly used subset of the well-known ImageNet image classification dataset) as the source task. For the target datasets, we selected CIFAR-10, CIFAR-100 (Krizhevsky et al., 2009), and GTSRB (Stallkamp et al., 2012). Furthermore, we perform experiments on larger datasets, including Flowers102 (Nilsback & Zisserman, 2008), Oxford Pets (Parkhi et al., 2012), SUN397 (Xiao et al., 2010), and Food101 (Bossard et al., 2014). We also conduct experiments on the Chest X-Ray (Govi, 2020) benchmark dataset. |
| Dataset Splits | Yes | ImageNet-1K (the most commonly used subset of the well-known ImageNet image classification dataset) serves as the source task. This dataset encompasses 1,000 object classes and contains 1,281,167 training images, 50,000 validation images, and 100,000 test images. For the target datasets, we selected CIFAR-10, CIFAR-100 (Krizhevsky et al., 2009), and GTSRB (Stallkamp et al., 2012), where the numbers of target classes are 10, 100, and 43. CIFAR-100 ... consists of 60,000 32x32 pixel color images (50,000 images for training and 10,000 images for testing). The German Traffic Sign Recognition Benchmark (GTSRB) (Stallkamp et al., 2012) contains 43 classes of traffic signs, split into 39,209 training images and 12,630 test images. SUN397 ... A random 75% of the data is allocated for training, with the remaining 25% reserved for testing. Finally, Food101 includes 101 food categories with a total of 101,000 images. Each category comprises 750 uncleaned training images and 250 manually curated test images. We also conduct experiments on the Chest X-Ray (Govi, 2020) benchmark dataset (5,933 2D radiographs: 5,309 training/624 testing). |
| Hardware Specification | No | The paper does not specify the hardware (e.g., GPU or CPU models, memory) used to run the experiments. |
| Software Dependencies | No | The paper mentions using the "PyTorch model repository" and the "AdamW optimizer" but does not specify their version numbers or other software dependencies with version numbers. |
| Experiment Setup | Yes | Additionally, during the implementation of adversarial training and testing, we generate adversarial examples using 10-step Projected Gradient Descent (Madry et al., 2018) (PGD-10) for training, setting the perturbation radius to ϵ = 4/255 under the L∞ norm, consistent with the settings of adversarially pre-trained models. When using TRADES for adversarial training of VR, we set λ = 6, which is a commonly used setting in previous adversarial training research. Moreover, we use the AdamW optimizer to train all methods for 60 epochs, and repeat the sampling-and-training process 3 times. The learning rate of the optimizer is searched from the set {1e-3, 5e-4}, while the weight decay of the optimizer is searched from the set {10e-2, 10e-3}. |
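The PGD-10 procedure quoted in the setup row (10 gradient steps, ϵ = 4/255, L∞ norm) can be sketched as follows. This is a minimal NumPy illustration on a toy logistic-regression loss with a hand-computed gradient, not the paper's actual Algorithm 1; the step size `alpha = eps / 4` and the toy model parameters `w`, `b` are assumptions for the sketch.

```python
import numpy as np

def pgd_attack(x, y, w, b, eps=4/255, steps=10, alpha=None):
    """L-infinity PGD sketch on a toy logistic-regression loss.

    Hypothetical stand-in for PGD-10 (Madry et al., 2018): take
    `steps` ascent steps on the loss, projecting back into the
    eps-ball around the clean input x after each step.
    """
    if alpha is None:
        alpha = eps / 4  # step-size heuristic (assumption, not from the paper)
    x_adv = x.copy()
    for _ in range(steps):
        # hand-computed gradient of binary cross-entropy w.r.t. the input
        z = float(x_adv @ w + b)
        p = 1.0 / (1.0 + np.exp(-z))      # sigmoid prediction
        grad = (p - y) * w                # dL/dx for logistic loss
        # ascend the loss along the gradient sign (L-infinity geometry)
        x_adv = x_adv + alpha * np.sign(grad)
        # project into the eps-ball around x, then into the valid pixel range
        x_adv = np.clip(x_adv, x - eps, x + eps)
        x_adv = np.clip(x_adv, 0.0, 1.0)
    return x_adv
```

With 10 steps of size ϵ/4, the cumulative movement exceeds ϵ, so the projection step is what keeps the final perturbation within the stated radius.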