beat-buesser
commented
3 years ago Hi @dustinjoe Thank you very much for your interest in ART!
I just looked again at the implementation of UniversalPerturbation and I think the idea of your proposal might have been the reason for lines 181-183: https://github.com/Trusted-AI/adversarial-robustness-toolbox/blob/3cf890d14335a02d2fae0442d7f163d019fb4f5e/art/attacks/evasion/universal_perturbation.py#L183
If this solves your proposal I would suggest that we make these three attributes properties of UniversalPerturbation.
To your question on the eps parameters and based on the current implementation of UniversalPerturbation: I think the eps of UniversalPerturbation defines the magnitude of the universal perturbation/noise whereas the eps of the attacker in attacker_params defines the magnitude of perturbation in the sphere around sample + current noise where the attack is allowed to search for a better noise in each iteration.
dustinjoe
I am exploring usage of Universal Perturbation. Wondering if the perturbation noise could be returned together? Because the range clipping exists, returned data minus original data may not be universal for all data, it might be more convinient to return the noise together to test transferability or on other samples.
Also, a little confused about the 'eps' setting, what would be the appropriate setting for 'eps' in UniversalPerturbation and the 'eps' inside the 'attacker_params' of the attacker like "deepfool" or 'fgsm'?
Thank you!