First Line of Defense: A Robust First Layer Mitigates Adversarial Attacks
Authors: Janani Suresh, Nancy Nayak, Sheetal Kalyani
AAAI 2025
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | Our approach achieves higher adversarial accuracies than existing natively robust architectures without AT and is competitive with adversarial-trained architectures across a wide range of datasets. Supporting our findings, we show that (a) the decision regions for our method have better margins, (b) the visualized loss surfaces are smoother, (c) the modified peak signal-to-noise ratio (mPSNR) values at the output of the ANF are higher, (d) high-frequency components are more attenuated, and (e) architectures incorporating ANF exhibit better denoising in Gaussian noise compared to baseline architectures. |
| Researcher Affiliation | Academia | Janani Suresh (1), Nancy Nayak (2), Sheetal Kalyani (1); (1) Indian Institute of Technology, Madras; (2) Imperial College London; EMAIL, EMAIL, EMAIL |
| Pseudocode | No | The paper describes steps in regular paragraph text without structured formatting or explicitly labeled algorithm blocks. |
| Open Source Code | Yes | Codes for ANF available at https://github.com/janani-suresh97/first-line-defence.git |
| Open Datasets | Yes | We show results for FGSM, PGD, and AA on VGG, ResNets, Wide ResNets, and EfficientNet architectures across datasets such as CIFAR10, CIFAR100, Tiny Imagenet, and Imagenet. |
| Dataset Splits | Yes | The mPSNR values are calculated with all the 10k test samples of the CIFAR10 dataset. |
| Hardware Specification | No | The paper does not provide specific hardware details such as GPU/CPU models or processor types used for running experiments. |
| Software Dependencies | No | The paper mentions 'pytorch resnet' in a URL reference but does not provide specific version numbers for PyTorch or any other software dependencies. |
| Experiment Setup | Yes | In line with Lukasik et al. (2023), the attack strength for all the attacks is considered to be ϵ = 1/255, and the number of iterations for the PGD attack is considered to be 40, unless specified otherwise. We have used ℓ norm for AA apart from the default hyper-parameters. These results were obtained using early stopping at around 200 epochs. In all architectures, we have chosen convolution kernel size (K) as 15 × 15, filter number (F) as 256, and maxpool (M) as 5 × 5 to show even without tuning these numbers according to the architecture, one can still get excellent adversarial robustness. |