Why does adding w*sgn(w) subject perturbed data to upper bound of max norm (epsilon)?
In the paper describing the fast gradient sign method, the authors explain why adversarial samples exist and state that: "The adversarial perturbation causes the activation to grow by w⊤η. We can maximise this increase subject to the max norm constraint on η by assigning η = sign(w)."
I don't see how the perturbation is subjected to the max norm constraint ||η||_max < epsilon just by adding the sign, doesn't this depend on the weights of the weight vector w? If the sign is +1 of the largest element in w, wouldn't that cause the perturbed input to be limited by ||w||_max and not ||η||_max?
Why does adding w*sgn(w) subject perturbed data to upper bound of max norm (epsilon)?
In the paper describing the fast gradient sign method, the authors explain why adversarial samples exist and state that: "The adversarial perturbation causes the activation to grow by w⊤η. We can maximise this increase subject to the max norm constraint on η by assigning η = sign(w)."
I don't see how the perturbation is subjected to the max norm constraint ||η||_max < epsilon just by adding the sign, doesn't this depend on the weights of the weight vector w? If the sign is +1 of the largest element in w, wouldn't that cause the perturbed input to be limited by ||w||_max and not ||η||_max?
Add comment