Some problems

[gaogao2002]

1.How does your paper and code deploy end-to-end attack？ What is the meaning of the end-to-end attack？And in your paper,it proposes that in OSVD, this paper dose not employ end-to-end attack,why?

2. In the file pgd_attck.py, this line " delta = clamp(delta, lower_limit-X, upper_limit-X" has confused me a lot.Why are the lower_bound and upper_bound related to the input,x?

[mazizmalayeri]

1. The OSAD method uses a detection method on top of the classifier to detect the OOD samples. The effective method to attack this detector is to maximize the loss of the detector directly, while they try to maximize the loss of the classifier. Here, maximizing the loss of the detector would be an end-to-end attack that can effectively reduce the performance of the detector. Moreover, attacking the classifier is not as strong as attacking the detector to check the robustness of the detection method.
2. We clamp the delta such that x+delta remains between the lower and upper bounds. If we need low<x+delta<up, then low-x<delta<up-x. This is what we have done in that line of code.

Let me know if you have any other questions.

[gaogao2002]

1. The OSAD method uses a detection method on top of the classifier to detect the OOD samples. The effective method to attack this detector is to maximize the loss of the detector directly, while they try to maximize the loss of the classifier. Here, maximizing the loss of the detector would be an end-to-end attack that can effectively reduce the performance of the detector. Moreover, attacking the classifier is not as strong as attacking the detector to check the robustness of the detection method.
2. We clamp the delta such that x+delta remains between the lower and upper bounds. If we need low<x+delta<up, then low-x<delta<up-x. This is what we have done in that line of code.

Let me know if you have any other questions.

Thanks a lot for your reply！