Robustness-Against-Backdoor-Attacks
Clamping the Blending Functions
In MNIST/CIFAR one and four pixel attacks, the project uses min to clip the backdoor perturbations into the valid range. Here is an example:
```python
def MNIST_onepixel_triggerfunc(delta):
    def MNIST_onepixel(X):
        #X[:,20,20] = min(X[:,20,20]+delta, 1)
        X[:, 23, 23] = min(X[:, 23, 23] + delta, 1)
        return X
    return MNIST_onepixel
```
The blending functions do not have a similar clamping mechanism. Here is the related code for MNIST blending.
```python
def MNIST_blending_triggerfunc(delta, seed=0):
    new_seed = np.random.randint(2147483648)
    np.random.seed(seed) # Fix the random seed to get the same pattern.
    noise = torch.FloatTensor(np.random.randn(1, 28, 28))
    noise = noise / noise.norm() * delta
    def MNIST_blending(X):
        X = X + noise
        return X
    np.random.seed(new_seed) # Preserve the randomness of numpy.
    return MNIST_blending
```
This code would need positive and negative clamping since the noise tensor can both increase and decrease the value in X (i.e., it's Gaussian normal noise). This should be easy to achieve with torch's clamp method.
If you agree this is an issue, I would be happy to issue a pull request.
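
An added example (not the project's code and not part of the original post) that compares the blending trigger with and without two-sided clamping and reports how far the output leaves the valid range. The names `blending_trigger`, `range_report`, `demo` and the `clamp` parameter are hypothetical, and a pixel range of [0, 1] is assumed.

```python
import numpy as np
import torch


def blending_trigger(delta, seed=0, clamp=True, shape=(1, 28, 28)):
    """Build a blending trigger: fixed Gaussian pattern scaled to L2 norm delta."""
    # A private RandomState yields the same pattern as np.random.seed(seed)
    # followed by np.random.randn, without touching numpy's global RNG state.
    rng = np.random.RandomState(seed)
    noise = torch.from_numpy(rng.randn(*shape)).float()
    noise = noise / noise.norm() * delta

    def apply(X):
        out = X + noise
        # The noise has both signs, so bound the result on both sides.
        return out.clamp(0.0, 1.0) if clamp else out

    return apply


def range_report(X, trigger):
    """Return (min, max, effective L2 norm of the applied perturbation)."""
    out = trigger(X)
    return out.min().item(), out.max().item(), (out - X).norm().item()


def demo(delta=4.0):
    # Constructed MNIST-like input: black background with a saturated square.
    X = torch.zeros(1, 28, 28)
    X[:, 8:20, 8:20] = 1.0
    raw = range_report(X, blending_trigger(delta, clamp=False))
    clamped = range_report(X, blending_trigger(delta, clamp=True))
    return raw, clamped


if __name__ == "__main__":
    raw, clamped = demo()
    print("unclamped min/max/norm:", raw)
    print("clamped   min/max/norm:", clamped)
```

After clamping, the effective perturbation norm is smaller than `delta`, so results obtained with the clamped trigger are not directly comparable to earlier runs at the same nominal `delta`.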