Why ['initial']['input'] and ['final']['input'] are the same?

[jiansuozhe]

Hello @moohax , I found in your wiki that evasion attack attempts to alter inputs such that the model gives an incorrect output. However, when I trying with evasion attack hop skip jump, I found that ['initial']['input'] and ['final']['input'] are the same, I thought they should be different from each other right? Additionally, although the two inputs are the same, ['initial']['output'] and ['final']['output'] are different from each other, could you please tell me the reason? I cannot find the place where ['initial']['output'] and ['final']['output'] comes from. Thank you.

[moohax]

The old version you had to define y in the target. For example, if your sample was a picture of a cat, you'd need know that target model would label it. This wasn't ideal because of the blackbox nature of our assessments, so we first ask the model to label our sample and go from there.

• initial input is the sample. It's the selected x.
• final input is the perturbed sample. If they are the same, it usually means the algorithm failed to find an example, and that there were no issues in code.
• final output is the final label of the final input.