Trusted-AI / adversarial-robustness-toolbox

Adversarial Robustness Toolbox (ART) - Python Library for Machine Learning Security - Evasion, Poisoning, Extraction, Inference - Red and Blue Teams

Home Page: https://adversarial-robustness-toolbox.readthedocs.io/en/latest/

`ActivationDefense` and `SpectralSignatures` expect flattened activations

f4str opened this issue

Describe the bug
The `ActivationDefense` and `SpectralSignatures` defenses call the `get_activations()` method on a classifier, but do not flatten it. In many cases, the final hidden layer is the output of a convolutional layer, which is not flattened. This will cause the defense to only be run using the first channel of the convolution rather than the flattened output.

To Reproduce
Running either of these defenses using a PyTorch ResNet-18 model will use the final hidden layer output, which is a convolution layer, and therefore will only use the first channel.

Expected behavior
After calling the `get_activations()` method, both of these defenses should flatten the output before applying their respective algorithm.

Screenshots
N/A

Hi @f4str Sounds good!
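
The effect reported in this issue, as an added example that is not code from the issue or from ART: it compares a spectral-signature outlier score computed on the first channel only with the same score computed on fully flattened activations. The helper names (`flatten_activations`, `spectral_scores`, `top_k`, `demo`) are hypothetical, the activations are constructed random data, and the poisoning signal is assumed to sit in a channel other than the first.

```python
import numpy as np

def flatten_activations(acts):
    """Reshape (N, d1, d2, ...) activations to (N, d1*d2*...); 2-D input is unchanged."""
    acts = np.asarray(acts, dtype=np.float64)
    if acts.ndim < 2:
        raise ValueError("expected a batch axis plus at least one feature axis")
    return acts.reshape(acts.shape[0], -1)

def spectral_scores(features):
    """Squared projection of each centred row onto the top right singular vector."""
    centred = features - features.mean(axis=0)
    _, _, vt = np.linalg.svd(centred, full_matrices=False)
    return (centred @ vt[0]) ** 2

def top_k(scores, k):
    """Indices of the k highest-scoring samples."""
    return set(np.argsort(scores)[-k:].tolist())

def demo():
    # Constructed data: 200 samples of (C=8, H=4, W=4) convolutional activations.
    rng = np.random.default_rng(0)
    acts = rng.normal(0.0, 1.0, size=(200, 8, 4, 4))
    poisoned = set(range(20))
    acts[:20, 5] += 4.0  # assumed backdoor signature, present only in channel 5

    # Behaviour described in the issue: only the first channel reaches the defense.
    first_only = top_k(spectral_scores(flatten_activations(acts[:, 0])), 20)
    # Expected behaviour: every channel and spatial position is used.
    flattened = top_k(spectral_scores(flatten_activations(acts)), 20)
    return len(first_only & poisoned), len(flattened & poisoned)

if __name__ == "__main__":
    hits_first, hits_flat = demo()
    print(f"poisoned samples in top 20, first channel only: {hits_first}")
    print(f"poisoned samples in top 20, flattened:          {hits_flat}")
```
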