Closed huzimun closed 1 month ago
It seems to be the problem of the normalization you used in the script, as it would change the original budget computation. The result would be fine if you just comment that line. Some numerical errors in quantization and computation make some perturbations slightly greater than 11/255, but it's no greater than 12/255.
You have fully resolved my confusion. Your reply has been very helpful to me.
Thank you very much. Have a nice day!
Dear author, I noticed in Metacloak's paper that the threshold for noise is set to 11/255, and the noise threshold for adversarial sample data in the directory and Huggingface Dataset is also set to 11/255. However, I observed these adversarial samples and found that the added noise seemed to be very large. So, I used the following code to read the tensors of clean images and adversarial images scaled to 1/255. Then I calculated the difference between the two values and calculated the absolute value of the noise et. I found that not only was the maximum value much greater than 11/255, but also a considerable proportion of pixels larger than 11/255 accounted for all pixels. I am very puzzled about this and look forward to receiving the author's answer.
Here is the output I obtained: