Reviews: Learning to Confuse: Generating Training Time Adversarial Data with Auto-Encoder

Neural Information Processing Systems 

Post Response Comment: I think the authors have addressed my initial concerns, therefore I maintain my initial stand and am inclined to accept it.

Originality

The setting is new as far as my knowledge can tell. Previous work such as "Certified Defense for Data Poisoning Attacks" considers contaminated instances within a feasible set, but modifying each training point by a small amount for an offline learner is new to me. I saw a backdoor attack in reference ([5]), but it is not referred to in the main body. I think the difference between this attack and the backdoor attack is that this one doesn't require the backdoor pattern to activate during test-time.