Inconsistent clamping behaviour between CIFAR and MNIST fgsm implementaitions

[max-kaufmann]

In the implemenation of fgsm for mnist, you do not clamp the initatial perturbation - meaning you calculate gradient based on out of bounds data points:

delta = torch.zeroslike(X).uniform(-args.epsilon, args.epsilon).cuda() delta.requires_grad = True output = model(X + delta) loss = F.cross_entropy(output, y)

This contrasts with the CIFAR implementation, where this clamping is done:

# for j in range(len(epsilon)): delta[:, j, :, :].uniform_(-epsilon[j][0][0].item(), epsilon[j][0][0].item()) delta.data = clamp(delta, lower_limit - X, upper_limit - X)

Is this intended? Why was this choice made?

[leslierice1]

This was not intentional, we just forgot to add the clamping for MNIST. You may need to adjust the alpha parameter for training MNIST if you do add the clamping.