Official implementation from Papers with Code · Repository link is mentioned in the paper metadata
- Stars: 53
- Last push: May 30, 2025 (281d ago)
Risk flags
- No CI pipeline detected
- No tagged releases
- No Docker setup
Tianhang Zheng, Changyou Chen, Kui Ren
Paper appears method- or tooling-adjacent to AI workflows with partial ecosystem coverage.
Recent work on adversarial attack has shown that Projected Gradient Descent (PGD) Adversary is a universal first-order adversary, and the classifier adversarially trained by PGD is robust against a wide range of first-order attacks. It is worth noting that the original objective of an attack/defense model relies on a data distribution $p(\mathbf{x})$, typically in the form of risk maximization/minimization, e.g., $\max/\min \mathbb{E}_{p(\mathbf{x})}\mathcal{L}(\mathbf{x})$ with $p(\mathbf{x})$ some unknown data distribution and $\mathcal{L}(\cdot)$ a loss function. However, since PGD generates attack samples independently for each data sample based on $\mathcal{L}(\cdot)$, the procedure does not necessarily lead to good generalization in terms of risk optimization. In this paper, we achieve the goal by proposing distributionally adversarial attack (DAA), a framework to solve an optimal adversarial-data distribution, a perturbed distribution that satisfies the $L_\infty$ constraint but deviates from the original data distribution to increase the generalization risk maximally. Algorithmically, DAA performs optimization on the space of potential data distributions, which introduces direct dependency between all data points when generating adversarial samples. DAA is evaluated by attacking state-of-the-art defense models, including the adversarially-trained models provided by MIT MadryLab. Notably, DAA ranks the first place on MadryLab's white-box leaderboards, reducing the accuracy of their secret MNIST model to $88.79\%$ (with $l_\infty$ perturbations of $\epsilon = 0.3$) and the accuracy of their secret CIFAR model to $44.71\%$ (with $l_\infty$ perturbations of $\epsilon = 8.0$). Code for the experiments is released on https://github.com/tianzheng4/Distributionally-Adversarial-Attack.
Researcher verdict
This page has evidence-backed benchmark findings and a concrete implementation recommendation anchored on tianzheng4/Distributionally-Adversarial-Attack. Use it as an implementation baseline, then validate benchmark parity before adapting it.
Why this page is still worth reading
Benchmark trust
Some benchmark signal exists in the extracted evidence, but it is not structured strongly enough yet for a confident benchmark decision.
Use this page as
Start here when you need the most practical implementation path quickly.
tianzheng4/Distributionally-Adversarial-Attack is the strongest maintained implementation based on ranking signals. License is declared (NOASSERTION).
Hardware Notes
Expect multi-day setup/compute for meaningful reproduction based on current guidance.
Compare maintenance quality, reproducibility coverage, and evidence confidence before choosing a reproduction baseline.
AI-generated summary grounded in paper metadata and artifact signals.
Recent work on adversarial attack has shown that Projected Gradient Descent (PGD) Adversary is a universal first-order adversary, and the classifier adversarially trained by PGD is robust against a wide range of first-order attacks. This page includes benchmark evidence for Stochastic optimization on MNIST. Reproduction guidance focuses on implementation viability and concrete risk controls.
Use tianzheng4/Distributionally-Adversarial-Attack first because deterministic ranking and extracted evidence align on implementation viability. Start with the repo setup path, then validate benchmark reproduction before adaptation.
AAAI 2019 oral presentation
Preserved for provenance. Not recommended as the default path for new builds.
Follow the direct implementation path
Start with tianzheng4/Distributionally-Adversarial-Attack and validate setup instructions in README.
Reproduce the baseline result with the provided defaults before modifying hyperparameters.
Log exact dependency versions and runtime environment for reproducibility.
Framework baselines
Reference implementation of Adam in PyTorch.
JAX/Flax baseline for Adam variants.
TensorFlow/Keras baseline for Adam.
A challenge to explore adversarial robustness of neural networks on CIFAR10.
No additional community repositories detected yet.
No direct paper-linked artifacts were found. Showing strongest curated related artifacts for faster exploration.
No trustworthy dataset matches right now.
Tasks
Adversarial robustness, Stochastic optimization
Methods
Stochastic optimization
Domains
None detected