Goreg12345
commented
3 years ago No I think that the Unet is for both attacks the discriminator (or the decoder, if you refer to the Autoencoder-naming). The generator for the attack is the encoder of our privacy model but not trained during the attack.
I think for attack 1 we neet an additional net to predict the angle to rotate. @cozeybozey
In the paper they describe an inversion attack 1 where you rotate x back to obtain a. They then put a through some network to obtain the original input (or at least a resemblence of the original input). The only network they describe for inversion attacks is the u-net, does this mean we are supposed to use u-net for both inversion attack 1 and 2? In inversion attack 1 the u-net would then work as a generator and we would add an discriminator that is supposed to say whether it is looking at an original image or a reconstructed input from the generator. Do you think this is a good way to tackle the problem or should we create our own generator network for inversion attack 1? @deZakelijke