The blending functions do not have a similar clamping mechanism. Here is the related code for MNIST blending.
```python
import numpy as np
import torch

def MNIST_blending_triggerfunc(delta, seed=0):
    new_seed = np.random.randint(2147483648)
    np.random.seed(seed)  # Fix the random seed to get the same pattern.
    noise = torch.FloatTensor(np.random.randn(1, 28, 28))
    noise = noise / noise.norm() * delta  # Scale the pattern to L2 norm delta.
    def MNIST_blending(X):
        X = X + noise  # No clamping: the result can leave the valid pixel range.
        return X
    np.random.seed(new_seed)  # Preserve the randomness of numpy.
    return MNIST_blending
```
This code would need positive and negative clamping since the `noise` tensor can both increase and decrease the value in `X` (i.e., it's Gaussian normal noise). This should be easy to achieve with `torch`'s `clamp` method.
If you agree this is an issue, I would be happy to issue a pull request.
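A clamped variant of the blending trigger discussed above, as an added example that is not part of the original issue or the project's code. The `[0, 1]` bounds assume inputs scaled to that range, and the names `clamped_blending_triggerfunc`, `effective_delta` and `sample_image` are hypothetical; the block also measures how much of `delta` survives clamping.

```python
import numpy as np
import torch

def clamped_blending_triggerfunc(delta, seed=0, lo=0.0, hi=1.0):
    """Blending trigger whose output stays inside [lo, hi].

    lo/hi are assumptions: they presume pixel values scaled to [0, 1].
    """
    # A private RandomState produces the same stream as np.random.seed(seed)
    # without disturbing numpy's global generator.
    rng = np.random.RandomState(seed)
    noise = torch.from_numpy(rng.randn(1, 28, 28)).float()
    noise = noise / noise.norm() * delta  # L2 norm of the pattern equals delta

    def blending(X):
        # Gaussian noise pushes pixels both up and down, so bound both sides.
        return torch.clamp(X + noise, min=lo, max=hi)

    return blending

def effective_delta(trigger, X):
    """L2 norm of the perturbation that is actually applied to X."""
    return (trigger(X) - X).norm().item()

def sample_image():
    """Constructed input: black background with a white square, MNIST-like."""
    X = torch.zeros(1, 28, 28)
    X[:, 10:18, 10:18] = 1.0
    return X

if __name__ == "__main__":
    X = sample_image()
    inf = float("inf")
    unclamped = clamped_blending_triggerfunc(2.0, lo=-inf, hi=inf)
    clamped = clamped_blending_triggerfunc(2.0)
    print("unclamped range:", unclamped(X).min().item(), unclamped(X).max().item())
    print("clamped range:  ", clamped(X).min().item(), clamped(X).max().item())
    print("effective delta:", effective_delta(unclamped, X), "->",
          effective_delta(clamped, X))
```

Because most MNIST pixels sit exactly at 0 or 1, clamping discards roughly half of the noise on those pixels, so the perturbation norm that reaches the model is smaller than the nominal `delta`.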
In MNIST/CIFAR one and four pixel attacks, the project uses `min` to clip the backdoor perturbations into the valid range. Here is an example: