Support is All You Need for Certified VAE Training
Authors: Changming Xu, Debangshu Banerjee, Deepak Vasisht, Gagandeep Singh
ICLR 2025
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | We perform extensive experiments across the wireless and vision domains on popular datasets with different DNN architectures, showing that our method significantly improves robust worst-case errors while causing only a small degradation in standard non-adversarial settings. 4 EVALUATION We compare CIVET to adversarial training and existing certifiably robust VAE training methods. Experimental Setup. All experiments were performed on a Nvidia A100. We use the functional Lagrangian inspired probabilistic verifier proposed in Berrada et al. (2021) to perform certification. We additionally compare CIVET to baselines on empirical robustness obtained with adversarial attack methods: RAFA Liu et al. (2023) for wireless and Latent Space Attack (LSA) Kos et al. (2018)/Maximum Damage Attack (MDA) Camuto et al. (2021) for vision (see Section 4.4). We use IBP Mirman et al. (2018) for our deterministic bounding algorithm for both verification and training. We perform our experiments in two target application areas: vision and wireless. Unless otherwise specified we train CIVET with D = [0.35, 0.2, 0.05] as our set of δs. In Section 4.3, we experiment with different sets of δs. Results are averaged over the entire test set for each dataset and computed with δ = 0.05. Certification/Attack radius is set to training ϵ. Additional training parameters can be found in Appendix B. |
| Researcher Affiliation | Academia | Changming Xu, Debangshu Banerjee, Deepak Vasisht & Gagandeep Singh Department of Computer Science University of Illinois Urbana-Champaign Champaign, IL 61820, USA EMAIL |
| Pseudocode | Yes | Algorithm 1 CIVET Algorithm 1: for x X do 2: µlb, µub, σlb, σub IBP(θe, ϕt(x)) 3: Sδ1 FS(µlb, µub, σub, δ1, 1 δ1, 1, 0) 4: LCIV ET (1 δ1)Ldec(θd, x, Sδ1) 5: for i [2, . . . , n] do 6: Sδi FS(µlb, µub, σub, δi, 1 δi, 1, 0) 7: LCIV ET LCIV ET 8: +(δi 1 δi)Ldec(θd, x, Sδi) 9: Update θe, θd using LCIV ET Algorithm 2 FS(µlb, µub, σub, δ, l, u, j) 1: m = (l + u)/2 2: s = Φ 1(m) + Φ 1(m (1 δ)1/d1) 3: if j = jmax|s = (µlb µub)/σub then 4: return [µlb σubΦ 1(u), 5: µub + σubΦ 1(u)] 6: if s < (µlb µub)/σub then 7: return FS(µlb, µub, σub, δ, m, u, j + 1) 8: else 9: return FS(µlb, µub, σub, δ, l, m, j + 1) |
| Open Source Code | Yes | Code is provided at https://github.com/uiuc-focal-lab/civet REPRODUCIBILITY STATEMENT To assist with reproducibility and further research we have released the code used for our results publicly. Section 4 gives details on our evaluation which is supplemented by Appendix B. Appendix A contains full proofs of all Theorems and Lemmas stated in the paper, and all assumptions made have been stated in the main body of the paper. Section F also gives an overview of some additional assumptions made. |
| Open Datasets | Yes | Vision. We consider two popular image recognition datasets: MNIST Deng (2012) and CIFAR10 Krizhevsky et al. (2009). |
| Dataset Splits | Yes | Liu et al. (2023) collected 10,000 data points by moving the antenna randomly in a 10m by 7m space, and is composed of many reflectors (like metal cupboards, white-boards, etc.) and obstacles. We use the same 8:2 train/test split. We also adopt the same adversarial budget used by Liu et al. (2023): the perturbation is allowed a percentage of the average amplitude of the benign channel estimates. We use Signal-Noise Ratio (SNR) to report performance for wireless, similar to (Liu et al. (2021; 2023)). |
| Hardware Specification | Yes | Experimental Setup. All experiments were performed on a Nvidia A100. |
| Software Dependencies | No | We implemented CIVET in PyTorch Paszke et al. (2019). For additional details see our codebase. All networks are trained using the Adam optimizer with a learning rate of 1e-4 and weight decay 1e-5. All networks are trained with 100 epochs. We use a batch size of 16 for MNIST and 32 for FIRE and CIFAR-10. |
| Experiment Setup | Yes | All networks are trained using the Adam optimizer with a learning rate of 1e-4 and weight decay 1e-5. All networks are trained with 100 epochs. We use a batch size of 16 for MNIST and 32 for FIRE and CIFAR-10. For our experiments we choose D = [0.35, 0.2, 0.05] or |D| = 3 and η = 0.15. |