Adversarial Robustness Toolbox (ART) - Python Library for Machine Learning Security - Evasion, Poisoning, Extraction, Inference - Red and Blue Teams

Overview

Adversarial Robustness Toolbox (ART) v1.7


Continuous Integration CodeQL Documentation Status PyPI Language grade: Python Total alerts codecov Code style: black License: MIT PyPI - Python Version slack-img Downloads Downloads

中文README请按此处

Adversarial Robustness Toolbox (ART) is a Python library for Machine Learning Security. ART provides tools that enable developers and researchers to defend and evaluate Machine Learning models and applications against the adversarial threats of Evasion, Poisoning, Extraction, and Inference. ART supports all popular machine learning frameworks (TensorFlow, Keras, PyTorch, MXNet, scikit-learn, XGBoost, LightGBM, CatBoost, GPy, etc.), all data types (images, tables, audio, video, etc.) and machine learning tasks (classification, object detection, speech recognition, generation, certification, etc.).

Adversarial Threats


ART for Red and Blue Teams (selection)


Learn more

Get Started Documentation Contributing
- Installation
- Examples
- Notebooks
- Attacks
- Defences
- Estimators
- Metrics
- Technical Documentation
- Slack, Invitation
- Contributing
- Roadmap
- Citing

The library is under continuous development. Feedback, bug reports and contributions are very welcome!

Acknowledgment

This material is partially based upon work supported by the Defense Advanced Research Projects Agency (DARPA) under Contract No. HR001120C0013. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the Defense Advanced Research Projects Agency (DARPA).

Comments
  • Implement Sleeper Agent Poisoning Attack in TensorFlow

    Implement Sleeper Agent Poisoning Attack in TensorFlow

    Description

    Supporting Sleeper Agent Attack in TensorFlow framework

    Fixes # (issue)

    Type of change

    Please check all relevant options.

    • [ ] Improvement (non-breaking)
    • [ ] Bug fix (non-breaking)
    • [x] New feature (non-breaking)
    • [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
    • [ ] This change requires a documentation update

    Testing

    Please describe the tests that you ran to verify your changes. Consider listing any relevant details of your test configuration.

    • [ ] Test A
    • [ ] Test B

    Test Configuration:

    • OS
    • Python version
    • ART version or commit number
    • TensorFlow / Keras / PyTorch / MXNet version

    Checklist

    • [ ] My code follows the style guidelines of this project
    • [x] I have performed a self-review of my own code
    • [x] I have commented my code
    • [ ] I have made corresponding changes to the documentation
    • [ ] My changes generate no new warnings
    • [ ] I have added tests that prove my fix is effective or that my feature works
    • [ ] New and existing unit tests pass locally with my changes
    enhancement 
    opened by monshri 36
  • RuntimeError: element 0 of tensors does not require grad and does not have a grad_fn

    RuntimeError: element 0 of tensors does not require grad and does not have a grad_fn

    Describe the bug I encountered the error "RuntimeError: element 0 of tensors does not require grad and does not have a grad_fn" when generating adversarial examples using AutoProjectedGradientDescent. It looks like input tensors do not have 'requires_grad' set to True when the loss is backpropagated.

    To Reproduce Steps to reproduce the behavior:

    1. Create a PyTorch model and load it with weights
    2. Wrap the model with the ART PyTorch Classifier
    3. Initiate an instance of AutoProjectedGradientDescent and pass in the wrapped model
    4. Loop through the data loader and generate adversarial examples batch by batch
    5. See error

    Expected behavior RuntimeError: element 0 of tensors does not require grad and does not have a grad_fn

    Screenshots Screen Shot 2020-07-17 at 2 53 32 PM

    System information (please complete the following information):

    • OS: Linux
    • Python version: 3.7
    • ART version or commit number: 1.3.1
    • PyTorch version: 1.4.0
    question 
    opened by superctj 29
  • Implement GRAPHITE Attack

    Implement GRAPHITE Attack

    Description

    Add GRAPHITE attack (https://arxiv.org/pdf/2002.07088.pdf, https://github.com/ryan-feng/GRAPHITE)

    Type of change

    Please check all relevant options.

    • [ ] Improvement (non-breaking)
    • [ ] Bug fix (non-breaking)
    • [X] New feature (non-breaking)
    • [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
    • [ ] This change requires a documentation update

    Testing

    Please describe the tests that you ran to verify your changes. Consider listing any relevant details of your test configuration.

    • [X] Tested with notebooks
    • [X] Independently tested for correctness
    • [ ] Test cases added, did not know how to run outside of the PR

    Test Configuration:

    • OS - Ubuntu
    • Python 3.8
    • ART version or commit number: f073851ae325a3ac50d9f53e54f2cf14f9b95781
    • Torch version 1.7

    Checklist

    • [X] My code follows the style guidelines of this project
    • [X] I have performed a self-review of my own code
    • [X] I have commented my code
    • [X] I have made corresponding changes to the documentation
    • [X] My changes generate no new warnings
    • [X] I have added tests that prove my fix is effective or that my feature works
    • [ ] New and existing unit tests pass locally with my changes
    enhancement 
    opened by ryan-feng 27
  • Implemented Poisoning Attack - Poison Frog in PyTorch Framework

    Implemented Poisoning Attack - Poison Frog in PyTorch Framework

    Description

    Please include a summary of the change, motivation and which issue is fixed. Any dependencies changes should also be included.

    Implemented Poisoning Attack - Poison Frog in PyTorch Framework.

    The implementation includes the below major changes:

    • Creating Evaluation hooks for getting activation from intermediate layers implemented in _make_model_wrapper() in art/estimators/classification/pytorch.py. The motivation behind this change is that the current implementation of get_layers in _make_model_wrapper() the function can only infer the internal layers if the input model is of type nn.Sequential, otherwise, it will only return the logit layer. For Poison Frog implementation, it was needed that we get activations from intermediate layers and they stay connected to the computation graph for backward pass.
    • A new custom_loss_gradient function especially implemented for calculating the gradients for Poison Frogs.
    • A new jupyter notebook for running Poison Frogs on CIFAR10 dataset.

    Fixes # (issue) https://github.com/Trusted-AI/adversarial-robustness-toolbox/issues/1387

    Type of change

    Please check all relevant options.

    • [ ] Improvement (non-breaking)
    • [ ] Bug fix (non-breaking)
    • [x] New feature (non-breaking)
    • [x] Breaking change (fix or feature that would cause existing functionality to not work as expected)
    • [ ] This change requires a documentation update

    Testing

    Please describe the tests that you ran to verify your changes. Consider listing any relevant details of your test configuration.

    • [ ] Test A
    • [ ] Test B

    Test Configuration:

    • OS
    • Python version
    • ART version or commit number
    • TensorFlow / Keras / PyTorch / MXNet version

    Checklist

    • [ ] My code follows the style guidelines of this project
    • [x] I have performed a self-review of my own code
    • [ ] I have commented my code
    • [ ] I have made corresponding changes to the documentation
    • [ ] My changes generate no new warnings
    • [ ] I have added tests that prove my fix is effective or that my feature works
    • [ ] New and existing unit tests pass locally with my changes

    Please check all relevant options.

    • [ ] Improvement (non-breaking)
    • [ ] Bug fix (non-breaking)
    • [ ] New feature (non-breaking)
    • [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
    • [ ] This change requires a documentation update

    Testing

    Please describe the tests that you ran to verify your changes. Consider listing any relevant details of your test configuration.

    • [ ] Test A
    • [ ] Test B

    Test Configuration:

    • OS
    • Python version
    • ART version or commit number
    • TensorFlow / Keras / PyTorch / MXNet version

    Checklist

    • [ ] My code follows the style guidelines of this project
    • [ ] I have performed a self-review of my own code
    • [ ] I have commented my code
    • [ ] I have made corresponding changes to the documentation
    • [ ] My changes generate no new warnings
    • [ ] I have added tests that prove my fix is effective or that my feature works
    • [ ] New and existing unit tests pass locally with my changes
    enhancement 
    opened by monshri 26
  • Add PyTorchEspresso estimator to support Espresso models for ASR

    Add PyTorchEspresso estimator to support Espresso models for ASR

    Description

    This module implements the task specific estimator for Espresso, an end-to-end speech recognition toolkit based on fairseq

    TODO list

    • [ ] fit function
    • [ ] Proper ways to load Espresso config/models
    • [ ] Package dependency related changes
    • [ ] Test
    enhancement 
    opened by YiwenShaoStephen 23
  • Fixes Bug in Pixel Attack and Threshold Attack.

    Fixes Bug in Pixel Attack and Threshold Attack.

    Fixes #960 Fixes the handling of preprocessed images to convert them to raw images before attacking. Adds max_iter parameter to the intialiser. Corrects the default parameters for Pixel Attack and Threshold Attack.

    bug improvement 
    opened by shashankkotyan 22
  • ART does not work with Keras Embedding layers

    ART does not work with Keras Embedding layers

    Describe the bug I am unable to create any instances of art.classifiers.KerasClassifier whenever the underlying Keras model contains an Embedding layer. Using the TensorFlow backend, this invariably leads to a TypeError: Can not convert a NoneType into a Tensor or Operation.

    To Reproduce Steps to reproduce the behavior:

    1. Create any Keras model with an Embedding layer on the TensorFlow backend.
    2. Attempt to instantiate art.classifiers.KerasClassifier on it.
    3. Watch it fail.

    Expected behavior I expected ART to simply return an instance of KerasClassifier as it usually does.

    Screenshots N/A, but here's a minimal non-working example:

    from keras.layers import Dense, Activation, Dropout, Embedding, LSTM
    from art.classifiers import KerasClassifier
    
    model = Sequential()
    model.add(Embedding(100, 128, input_length=50))
    model.add(LSTM(128))
    model.add(Dropout(0.5))
    model.add(Dense(1))
    model.add(Activation('sigmoid'))
    
    model.compile(loss='binary_crossentropy', optimizer='rmsprop', metrics=['binary_accuracy'])
    
    classifier = KerasClassifier((0, 1), model=model)
    classifier.fit(x_train, y_train, nb_epochs=10, batch_size=128)
    

    System information (please complete the following information):

    • Ubuntu 18.04 LTS
    • Python version 3.6.5
    • ART version 0.5.0
    • TensorFlow version 1.12.0
    • Keras version 2.2.4
    opened by peck94 22
  • Re-Added Pixel and Threshold Attack

    Re-Added Pixel and Threshold Attack

    Description

    Added implementation of Few-Pixel and Threshold Attack. Requires pycma (https://github.com/CMA-ES/pycma) library.

    Resolves #280 and Resolves #281

    Type of change

    • [ ] Bug fix (non-breaking)
    • [x] New feature (non-breaking)
    • [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
    • [x] This change requires a documentation update

    Testing

    Tested Pixel and Threshold on the CIFAR-10 dataset across Keras, TensorflowV1, TensorflowV2 and PyTorch platforms.

    • [x] Pixel Attack with DE optimisation
    • [x] Threshold Attack with DE optimisation
    • [x] Pixel Attack with CMA-ES optimisation
    • [x] Threshold Attack with CMA-ES optimisation

    Test Configuration:

    • OS Ubuntu 18.04
    • Python version 3.7
    • ART version 1.1.0 on dev 1.2.0 branch
    • TensorFlowV2 2.1.0
    • Keras 2.2.3 with Tensorflow 1.13.1

    Checklist

    • [x] My code follows the style guidelines of this project
    • [x] I have performed a self-review of my own code
    • [x] I have commented my code
    • [ ] I have made corresponding changes to the documentation
    • [x] My changes generate no new warnings
    • [x] I have added tests that prove my fix is effective or that my feature works
    • [x] New and existing unit tests pass locally with my changes

    Note

    New PR for #282

    attack 
    opened by shashankkotyan 21
  • Hidden trigger Backdoor Poisoning Attack Implementation

    Hidden trigger Backdoor Poisoning Attack Implementation

    Description

    Implementation of the Hidden Trigger Backdoor Attack (https://arxiv.org/abs/1910.00033) along with test cases and an example notebook for pytorch.

    It also contains a small change to the pytorch classifier's fit() function. A train boolean parameter is added to control when training mode is set.

    It also contains a small edit to TensoflowV2's get_activations() function. When framework is true, it returns the activation tensor for x_preprocessed, instead of x

    Fixes #1388

    Type of change

    Please check all relevant options.

    • [X] Improvement (non-breaking)
    • [ ] Bug fix (non-breaking)
    • [X] New feature (non-breaking)
    • [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
    • [X] This change requires a documentation update

    Testing

    Local testing performed to check functionality of different components as well as running the example notebook.

    Checklist

    • [X] My code follows the style guidelines of this project
    • [X] I have performed a self-review of my own code
    • [X] I have commented my code
    • [ ] I have made corresponding changes to the documentation
    • [ ] My changes generate no new warnings
    • [X] I have added tests that prove my fix is effective or that my feature works
    • [ ] New and existing unit tests pass locally with my changes
    enhancement 
    opened by keykholt 20
  • Exclusionary Reclassification

    Exclusionary Reclassification

    Description

    Added exclusionary reclassification to Activation Defense (https://arxiv.org/pdf/1811.03728.pdf). A new parameter was added to the Activation Defense Object that specifies a threshold, which is used to recheck suspicious clusters. If the cluster remains suspicious, the exclusionary reclassification score and suspected source class is added to the report. A new attribute, y_train_relabelled is also created if the user wants to access the "corrected" labels rather than the original ones.

    The test case for activation defense was also slightly updated to use the new functionality in at least one of the tests.

    Type of change

    Please check all relevant options.

    • [X] Improvement (non-breaking)
    • [ ] Bug fix (non-breaking)
    • [X] New feature (non-breaking)
    • [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
    • [ ] This change requires a documentation update

    Checklist

    • [X] My code follows the style guidelines of this project
    • [X] I have performed a self-review of my own code
    • [X] I have commented my code
    • [X] I have made corresponding changes to the documentation
    • [X] My changes generate no new warnings
    • [X] I have added tests that prove my fix is effective or that my feature works
    • [X] New and existing unit tests pass locally with my changes
    enhancement improvement 
    opened by keykholt 19
  • Addition of SmoothAdversarial and MACER Training in the Randomized Smoothing Module

    Addition of SmoothAdversarial and MACER Training in the Randomized Smoothing Module

    Description

    • Addition of SmoothAdversarial and MACER Training in the Randomized Smoothing Module
    • Support for SmoothAdversarial implementation in PyTorch and Tensorflow
    • Support for MACER implementation in PyTorch
    • Example notebooks for the new modules added
    • Unit tests for the new modules added

    Links to Paper and Authors' code repository:

    • SmoothAdversarial: https://arxiv.org/abs/1906.04584 (https://github.com/Hadisalman/smoothing-adversarial/)
    • MACER: https://openreview.net/pdf?id=rJx1Na4Fwr (https://github.com/RuntianZ/macer)

    Fixes # (issue)

    Type of change

    Please check all relevant options.

    • [x] Improvement (non-breaking)
    • [ ] Bug fix (non-breaking)
    • [ ] New feature (non-breaking)
    • [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
    • [ ] This change requires a documentation update

    Testing

    Please describe the tests that you ran to verify your changes. Consider listing any relevant details of your test configuration.

    • [ ] Test A
    • [ ] Test B

    Test Configuration:

    • OS
    • Python version
    • ART version or commit number
    • TensorFlow / Keras / PyTorch / MXNet version

    Checklist

    • [x] My code follows the style guidelines of this project
    • [x] I have performed a self-review of my own code
    • [x] I have commented my code
    • [x] I have made corresponding changes to the documentation
    • [x] My changes generate no new warnings
    • [x] I have added tests that prove my fix is effective or that my feature works
    • [x] New and existing unit tests pass locally with my changes
    enhancement 
    opened by archit-g 19
  • Fix bug in PixelThreshold for single input

    Fix bug in PixelThreshold for single input

    Description

    Calling .generate() on a batch of length one, a TypeError is raised on line 193.

    TypeError: iteration over a 0-d array
    

    This is because np.squeeze(y) returns a 0-dimensional array when y.shape == (1, 1). Changing it to y.flatten() solves this issue by returning a 1-dimensional array in this case, while not changing the behavior in the case when the batch has more than one input.

    Fixes # (issue)

    Type of change

    Please check all relevant options.

    • [ ] Improvement (non-breaking)
    • [x] Bug fix (non-breaking)
    • [ ] New feature (non-breaking)
    • [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
    • [ ] This change requires a documentation update

    Testing

    Please describe the tests that you ran to verify your changes. Consider listing any relevant details of your test configuration.

    • [x] Ran Pixel Attack on input array of shape (1, 3, 224, 224) (this did not work before, and it does not)
    • [x] Ran Pixel Attack on input array of shape (3, 3, 224, 224) (this still works as before)

    Test Configuration:

    • OS
    • Python version
    • ART version or commit number
    • TensorFlow / Keras / PyTorch / MXNet version

    Checklist

    • [ ] My code follows the style guidelines of this project
    • [ ] I have performed a self-review of my own code
    • [ ] I have commented my code
    • [ ] I have made corresponding changes to the documentation
    • [ ] My changes generate no new warnings
    • [ ] I have added tests that prove my fix is effective or that my feature works
    • [ ] New and existing unit tests pass locally with my changes
    opened by aufieroma12 0
  • New privacy metric shapr

    New privacy metric shapr

    Description

    New privacy metric based on Shapley values, is more scalable than existing PDTP metric.

    Type of change

    Please check all relevant options.

    • [ ] Improvement (non-breaking)
    • [ ] Bug fix (non-breaking)
    • [X] New feature (non-breaking)
    • [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
    • [ ] This change requires a documentation update

    Testing

    New tests for new metric.

    Test Configuration:

    • OS: MacOS 12.6
    • Python version: 3.8
    • ART version or commit number
    • TensorFlow / Keras / PyTorch / MXNet version

    Checklist

    • [X] My code follows the style guidelines of this project
    • [X] I have performed a self-review of my own code
    • [X] I have commented my code
    • [ ] I have made corresponding changes to the documentation
    • [X] My changes generate no new warnings
    • [X] I have added tests that prove my fix is effective or that my feature works
    • [X] New and existing unit tests pass locally with my changes
    opened by abigailgold 1
  • Issue with using KerasClassifier: Following Poison Frogs Example in Tensorflow(Keras)

    Issue with using KerasClassifier: Following Poison Frogs Example in Tensorflow(Keras)

    Hi, I'm using my own image dataset which is similar to CIFAR-10, and I've done all the preprocessing and cleaning. I'm using a CNN architecture: model = tf.keras.Sequential([ tf.keras.layers.Rescaling(1./255), tf.keras.layers.Conv2D(32, 3, activation='relu'), tf.keras.layers.MaxPooling2D(), tf.keras.layers.Conv2D(32, 3, activation='relu'), tf.keras.layers.MaxPooling2D(), tf.keras.layers.Conv2D(32, 3, activation='relu'), tf.keras.layers.MaxPooling2D(), tf.keras.layers.Flatten(), tf.keras.layers.Dense(128, activation='relu'), tf.keras.layers.Dense(2) to perform classification, there are two classes. I trained this model and saved it as a .h5 file, and then loaded it. Then, I called KerasClassifier on it, in the same way that this is done in the poison frog, clean-label attack example. I get an error: "maximum recursion depth exceeded while calling a Python object", after doing this. Would you be able to help me debug this issue?

    opened by Rock910 0
  • Bump torch from 1.13.0 to 1.13.1

    Bump torch from 1.13.0 to 1.13.1

    Bumps torch from 1.13.0 to 1.13.1.

    Release notes

    Sourced from torch's releases.

    PyTorch 1.13.1 Release, small bug fix release

    This release is meant to fix the following issues (regressions / silent correctness):

    • RuntimeError by torch.nn.modules.activation.MultiheadAttention with bias=False and batch_first=True #88669
    • Installation via pip on Amazon Linux 2, regression #88869
    • Installation using poetry on Mac M1, failure #88049
    • Missing masked tensor documentation #89734
    • torch.jit.annotations.parse_type_line is not safe (command injection) #88868
    • Use the Python frame safely in _pythonCallstack #88993
    • Double-backward with full_backward_hook causes RuntimeError #88312
    • Fix logical error in get_default_qat_qconfig #88876
    • Fix cuda/cpu check on NoneType and unit test #88854 and #88970
    • Onnx ATen Fallback for BUILD_CAFFE2=0 for ONNX-only ops #88504
    • Onnx operator_export_type on the new registry #87735
    • torchrun AttributeError caused by file_based_local_timer on Windows #85427

    The release tracker should contain all relevant pull requests related to this release as well as links to related issues

    Changelog

    Sourced from torch's changelog.

    Releasing PyTorch

    General Overview

    Releasing a new version of PyTorch generally entails 3 major steps:

    1. Cutting a release branch preparations
    2. Cutting a release branch and making release branch specific changes
    3. Drafting RCs (Release Candidates), and merging cherry picks
    4. Promoting RCs to stable and performing release day tasks

    Cutting a release branch preparations

    Following Requirements needs to be met prior to final RC Cut:

    • Resolve all outstanding issues in the milestones(for example 1.11.0)before first RC cut is completed. After RC cut is completed following script should be executed from builder repo in order to validate the presence of the fixes in the release branch :

    ... (truncated)

    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies python 
    opened by dependabot[bot] 1
  • Bump jax[cpu] from 0.3.25 to 0.4.1

    Bump jax[cpu] from 0.3.25 to 0.4.1

    Bumps jax[cpu] from 0.3.25 to 0.4.1.

    Release notes

    Sourced from jax[cpu]'s releases.

    Jax release v0.4.1

    • Changes
      • Support for Python 3.7 has been dropped, in accordance with JAX's {ref}version-support-policy.
      • We introduce jax.Array which is a unified array type that subsumes DeviceArray, ShardedDeviceArray, and GlobalDeviceArray types in JAX. The jax.Array type helps make parallelism a core feature of JAX, simplifies and unifies JAX internals, and allows us to unify jit and pjit. jax.Array has been enabled by default in JAX 0.4 and makes some breaking change to the pjit API. The jax.Array migration guide can help you migrate your codebase to jax.Array. You can also look at the Distributed arrays and automatic parallelization tutorial to understand the new concepts.
      • PartitionSpec and Mesh are now out of experimental. The new API endpoints are jax.sharding.PartitionSpec and jax.sharding.Mesh. jax.experimental.maps.Mesh and jax.experimental.PartitionSpec are deprecated and will be removed in 3 months.
      • with_sharding_constraints new public endpoint is jax.lax.with_sharding_constraint.
      • If using ABSL flags together with jax.config, the ABSL flag values are no longer read or written after the JAX configuration options are initially populated from the ABSL flags. This change improves performance of reading jax.config options, which are used pervasively in JAX.
      • The jax2tf.call_tf function now uses for TF lowering the first TF device of the same platform as used by the embedding JAX computation. Before, it was using the 0th device for the JAX-default backend.
      • A number of jax.numpy functions now have their arguments marked as positional-only, matching NumPy.
      • jnp.msort is now deprecated, following the deprecation of np.msort in numpy 1.24. It will be removed in a future release, in accordance with the {ref}api-compatibility policy. It can be replaced with jnp.sort(a, axis=0).

    Jaxlib release v0.4.1

    • Changes
      • Support for Python 3.7 has been dropped, in accordance with JAX's {ref}version-support-policy.
      • The behavior of XLA_PYTHON_CLIENT_MEM_FRACTION=.XX has been changed to allocate XX% of the total GPU memory instead of the previous behavior of using currently available GPU memory to calculate preallocation. Please refer to GPU memory allocation for more details.
      • The deprecated method .block_host_until_ready() has been removed. Use .block_until_ready() instead.
    Changelog

    Sourced from jax[cpu]'s changelog.

    jax 0.4.1 (Dec 13, 2022)

    • Changes
      • Support for Python 3.7 has been dropped, in accordance with JAX's {ref}version-support-policy.
      • We introduce jax.Array which is a unified array type that subsumes DeviceArray, ShardedDeviceArray, and GlobalDeviceArray types in JAX. The jax.Array type helps make parallelism a core feature of JAX, simplifies and unifies JAX internals, and allows us to unify jit and pjit. jax.Array has been enabled by default in JAX 0.4 and makes some breaking change to the pjit API. The jax.Array migration guide can help you migrate your codebase to jax.Array. You can also look at the Distributed arrays and automatic parallelization tutorial to understand the new concepts.
      • PartitionSpec and Mesh are now out of experimental. The new API endpoints are jax.sharding.PartitionSpec and jax.sharding.Mesh. jax.experimental.maps.Mesh and jax.experimental.PartitionSpec are deprecated and will be removed in 3 months.
      • with_sharding_constraints new public endpoint is jax.lax.with_sharding_constraint.
      • If using ABSL flags together with jax.config, the ABSL flag values are no longer read or written after the JAX configuration options are initially populated from the ABSL flags. This change improves performance of reading jax.config options, which are used pervasively in JAX.
      • The jax2tf.call_tf function now uses for TF lowering the first TF device of the same platform as used by the embedding JAX computation. Before, it was using the 0th device for the JAX-default backend.
      • A number of jax.numpy functions now have their arguments marked as positional-only, matching NumPy.
      • jnp.msort is now deprecated, following the deprecation of np.msort in numpy 1.24. It will be removed in a future release, in accordance with the {ref}api-compatibility policy. It can be replaced with jnp.sort(a, axis=0).

    jaxlib 0.4.1 (Dec 13, 2022)

    • Changes
      • Support for Python 3.7 has been dropped, in accordance with JAX's {ref}version-support-policy.
      • The behavior of XLA_PYTHON_CLIENT_MEM_FRACTION=.XX has been changed to allocate XX% of the total GPU memory instead of the previous behavior of using currently available GPU memory to calculate preallocation. Please refer to GPU memory allocation for more details.
      • The deprecated method .block_host_until_ready() has been removed. Use .block_until_ready() instead.

    jax 0.4.0 (Dec 12, 2022)

    • The release was yanked.

    ... (truncated)

    Commits
    • c4d590b Update values for release 0.4.1
    • 17c6796 Merge pull request #13619 from jakevdp:sparse-validate
    • dc8ead0 Update CHANGELOG to indicate that 0.4.0 was yanked.
    • 71569e1 Remove the specialized sm versions for testing. It caused release wheels to s...
    • 0bdb7ec Finish jax and jaxlib release 0.4.0
    • d491d9f Remove the cached check in aot compiled call in MeshExecutable because a fast...
    • e9cc523 [sparse] validate BCOO on instantiation
    • 23001ae Merge pull request #13603 from gnecula:native_unused
    • 5e8c0ec Merge pull request #13614 from hawkinsp:cuda
    • b868cf7 Merge pull request #13616 from jakevdp:fix-sparse-error
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies python 
    opened by dependabot[bot] 1
  • `art.attack.evasion.LowProFool` encounter bugs when using L_1-norm (or 0<p<2)

    `art.attack.evasion.LowProFool` encounter bugs when using L_1-norm (or 0

    Describe the bug

    When using art.attack.evasion.LowProFool method, if I set parameter norm in the range of $p \in (0, 2)$, the attack model will report ValueError.

    To Reproduce Steps to reproduce the behavior:

    1. Go to my notebook (gist)
    2. When set the norm>=2 or norm='inf' , the attack model works well. For example,
    success_rate=test_general_cancer_lr(breast_cancer_dataset(splitter()), norm=2)
    print(success_rate)
    

    Result is :

    1.0
    
    1. When set the 0<norm<2, the attack model doesn't work. For example,
    success_rate=test_general_cancer_lr(breast_cancer_dataset(splitter()), norm=1)
    print(success_rate)
    

    Error:

    /usr/local/lib/python3.8/dist-packages/art/attacks/evasion/lowprofool.py:159: RuntimeWarning: divide by zero encountered in power
      self.importance_vec * self.importance_vec * perturbations * np.power(np.abs(perturbations), norm - 2)
    /usr/local/lib/python3.8/dist-packages/art/attacks/evasion/lowprofool.py:159: RuntimeWarning: invalid value encountered in multiply
      self.importance_vec * self.importance_vec * perturbations * np.power(np.abs(perturbations), norm - 2)
    ...
    ...
    ValueError: Input contains NaN, infinity or a value too large for dtype('float32').
    

    From RuntimeWarning: divide by zero encountered in power, In LowProFool L307-L313 , the attack model initialized the perturbation with np.zero

    # Initialize perturbation vectors and learning rate.
    perturbations = np.zeros(samples.shape, dtype=np.float64)
    eta = self.eta
    
    # Initialize 'keep-the-best' variables.
    best_norm_losses = np.inf * np.ones(samples.shape[0], dtype=np.float64)
    best_perturbations = perturbations.copy()
    

    In LowProFool L148-L171 , when 0< norm <2, it will encounter divide by zero error.

      numerator = (
          self.importance_vec * self.importance_vec * perturbations * np.power(np.abs(perturbations), norm - 2)
      )
    

    Expected behavior The attack model should also generate adversarial examples succuessfully.

    System information (please complete the following information):

    • Windows 11
    • Python 3.8
    • ART 1.12.2
    • scikit-learn 1.0.2
    opened by ZhipengHe 0
Releases(1.13.0)
  • 1.13.0(Dec 18, 2022)

    This release of ART 1.13.0 introduces black-box regression estimator, DP-InstaHide, object detection estimator for TensorFlow v2, and more.

    Added

    • Added CutOut data augmentation as preprocessor in Numpy, TensorFlow and PyTorch (#1850)
    • Added MixUp data augmentation as preprocessor in Numpy, TensorFlow and PyTorch (#1885)
    • Added CutMix data augmentation as preprocessor in Numpy, TensorFlow and PyTorch (#1910)
    • Added regression estimator for black-box scenario (#1930)
    • Added additional model support for shadow models (#1930)
    • Added Numpy-based data generator to support very large datasets (#1934
    • Added object detection estimator for Faster-RCNN in TensorFlow v2 (#1951)
    • Added DP-InstaHide training for classification with differentially private data augmentations (#1956)
    • Added Interval Bound Propagation for certified classification in PyTorch (#1965)

    Changed

    [None]

    Removed

    [None]

    Fixed

    • Fixed unexpected shape in art.utils.load_cifar10 for loading raw dataset (#1962)
    • Fixed bug to return correct best poisoning indices in SleeperAgentAttack (#1955)
    Source code(tar.gz)
    Source code(zip)
  • 1.12.2(Nov 15, 2022)

    This release of ART 1.12.2 provides updates to ART 1.12.

    Added

    • Added drop_last option to method fit of PyTorchClassifier (#1883)

    Changed

    • Changed documentation of art.metrics.verification_decisions_trees.RobustnessVerificationTreeModelsCliqueMethod to provide addiitonal information (#1897)
    • Changed Numba to be an optional dependency (#1884)
    • Changed BoundaryAttack to enable binary classification by removing unnecessary input check (#1890)

    Removed

    [None]

    Fixed

    • Fixed issue caused by missing variable initialization in SleeperAgentAttack (#1892)
    • Fixed bug in projection_l1_1 and projection_l1_2 where in rare cases they returned the input point rather than the its projection (#1870)
    Source code(tar.gz)
    Source code(zip)
  • 1.12.1(Sep 28, 2022)

    This release of ART 1.12.1 provides updates to ART 1.12.

    Added

    [None]

    Changed

    [None]

    Removed

    [None]

    Fixed

    • Fixed object detection estimator PyTorchYolo to not modify tracked statistics of batch-norm layers of the YOLO model during loss and loss gradient calculations (#1860)
    Source code(tar.gz)
    Source code(zip)
  • 1.12.0(Sep 24, 2022)

    This release of ART 1.12.0 introduces the first black-box adversarial patch attack, overlapping shadow datasets for membership inference, certified adversarial training, and more.

    Added

    • Added Sleeper Agent poisoning attack in TensorFlow in art.attacks.poisoning.SleeperAgentAttack (#1769)
    • Added support for overlapping shadow models and black-box model predictions as input in membership inference attacks (#1778)
    • Added adversarial accuracy as a metric (#1779)
    • Added function art.utils.uniform_sample_from_sphere_or_ball to sample uniformly from either the ball or the sphere with a given norm and radii (#1804)
    • Added GRAPHITE, black- and white-box evasion attacks generating adversarial patches (#1828)
    • Added certified adversarial training (#1841)

    Changed

    • Changed art.attacks.evasion.DPatch to accept true labels (#1780)
    • Changed art.utils.random_sphere to use a different, faster algorithm for norm=1 based on exponential distribution (#1805)

    Removed

    [None]

    Fixed

    [None]

    Source code(tar.gz)
    Source code(zip)
  • 1.11.1(Sep 6, 2022)

    This release of ART 1.11.1 provides updates to ART 1.11.

    Added

    [None]

    Changed

    [None]

    Removed

    [None]

    Fixed

    • Fixed unecessary check for targeted attacks in AdversarialPatch and delegated check to framework-specific implementations (#1768)
    • Fixed missing transfer to device in AdversarialPatchPyTorch.apply_patch() (#1771)
    • Fix redundant call to detach().cpu().numpy() in PyTorchClassifier.predict() (#1785)
    • Fixed art.utils.random_sphere() for norm=1 to sample uniformly in the L1 ball (#1802)
    • Fixed PyTorch detach() call on Numpy arrays in PyTorchRegressor (#1824)
    • Fixed probability check for multi-dimensional arrays + out of bounds error in binning in the pointwise differential training privacy metric PDTP (#1825)
    • Fixed learning rate decay in ElasticNet evasion attack (#1833)
    Source code(tar.gz)
    Source code(zip)
  • 1.11.0(Jul 1, 2022)

    This release of ART 1.11.0 introduces estimators for YOLO object detection and regression models, the first audio poisoning attack, new query-efficient black-box evasion attacks, certified defenses against adversarial patch attacks, metrics quantifying membership inference and more.

    Added

    • Added Momentum-Iterative FGSM evasion attack in MomentumIterativeMethod and added optional momentum to loss gradients in ProjectedGradientDescent* attacks. (#1614)
    • Added metrics measuring worst-case scores of membership inference attacks. (#1709)
    • Added estimator for YOLO v3 models in PyTorch in PyTorchYolo. (#1715)
    • Added estimators for de-randomized smoothing certification against patch attacks in PyTorchDeRandomizedSmoothing and TensorFlowV2DeRandomizedSmoothing. (#1729)
    • Added query-efficient hard-label black-box evasion attack Sign-Opt in SignOPTAttack. (#1730)
    • Added Sleeper Agent poisoning attack PyTorch in SleeperAgentAttack. (#1736)
    • Added exclusionary reclassification to ActivationDefence. (#1738)
    • Added dirty-label backdoor poisoning attack on audio classification in art.attacks.poisoning.perturbations.audio_perturbations. (#1740)
    • Added estimators for regression in PyTorchRegressor and KerasRegressor for PyTorch and Keras. (#1651)
    • Added option for targeted attacks to AdversarialPatch and AdversarialPatchNumpy. (#1759)

    Changed

    • Changed check_and_transform_label_format for nb_classes=None to automatically determine the number of classes in the provided labels. (#1747)
    • Added additional documentation to ZOOAttack and cleaned up the code of method compare. (#1648)
    • Changed default value for number of epochs nb_epochs in AdversarialTrainerMadryPGD to match 80'000 training steps of Madry et al. (#1758)

    Removed

    [None]

    Fixed

    • Fixed PyTorchClassifier.clone_fore_refitting by deleting optimizer from parameters before calling set_param() to avoid creating the cloned model with the old optimizer. (#1742)
    • Fixed missing propagation of nb_classes to method check_and_transform_label_format in inference attacks. (#1713)
    Source code(tar.gz)
    Source code(zip)
  • 1.10.3(Jun 4, 2022)

    This release of ART 1.10.3 provides updates to ART 1.10.

    Added

    [None]

    Changed

    [None]

    Removed

    [None]

    Fixed

    • Fixed missing zeroing of gradients in PyTorch variable of the adversarial patch in art.attacks.evasion.AdversarialTexturePyTorch (#1724, #1726 )
    Source code(tar.gz)
    Source code(zip)
  • 1.10.2(May 24, 2022)

    This release of ART 1.10.2 provides updates to ART 1.10.

    Added

    [None]

    Changed

    • Changed PyTorchClassifier to use a new optimizer when cloned with clone_for_refitting (#1580)
    • Changed class names of art.estimators.gan.* and art.estimators.generator.* to follow naming convention (#1655)
    • Changed Mp3CompressionPyTorch and PyTorchDeepSpeech to add support for samples in 2D non-object arrays (#1680, #1702)
    • Changed file name python_object_detector.py to pytorch_object_detector.py to follow naming convention (#1687)
    • Changed CarliniLInfMethod by adding argument for batch_size (#1699).

    Removed

    [None]

    Fixed

    • Fixed required dependency on TensorFlow (#1655)
    • Fixed bug in ImperceptibleASRPyTorch by adding missing .detach().cpu() and .cpu() calls (#1677)
    • Fixed bug in art.estimators.certification.randomized_smoothing estimators to correctly apply Gaussian noise (#1678)
    • Fixed bug in GaussianNoise the post-processing defence to keep number of dimensions constant during normalisation (#1684)
    • Fixed bug in RobustDPatch for channels first images to correctly un-transform loss gradients (#1693)
    • Fixed bug in support for numpy arrays in logger of PoisoningAttackCleanLabelBackdoor (#1698)
    Source code(tar.gz)
    Source code(zip)
  • 1.10.1(Apr 22, 2022)

    This release of ART 1.10.1 provides updates to ART 1.10.

    Added

    [None]

    Changed

    • Changed AdversarialTrainerMadryPGD.fit to support arguments nb_epochs and batch_size (#1612)
    • Changed GradientMatchingAttack to add support for models with undefined input shape by abstracting the shape information from the input data (#1624)
    • Changed PyTorchObjectDetector to support inputs with number of channels other than 1 and 3 (#1633)

    Removed

    [None]

    Fixed

    • Fixed incorrect handling of true regression labels in attribute inference attacks (#1598)
    • Fixed AdversarialPatchPyTorch.apply_patch to correctly check if mask is None (#1607)
    Source code(tar.gz)
    Source code(zip)
  • 1.10.0(Mar 16, 2022)

    This release of ART 1.10.0 introduces multiple poisoning attacks on image classification and deep generative models, the first attack with dynamic patches on object tracking in videos, classification certification based on zonotope representations, EoT support for object detection in image rotation and center cropping, new features for attribute inference attacks and more.

    Added

    • Added Gradient Matching (Witches' Brew) attack art.attacks.poisoning.GradientMatchingAttack in TensorFlow (#1587)
    • Added functions projection_l1_1 and projection_l1_2 to art.utils for two algorithms computing orthogonal projections on L1-norm balls (#1586)
    • Added perspective transformations to art.attacks.evasion.AdversarialTexturePyTorch attack to enable dynamic texture/patches (#1557)
    • Added support for object detection in art.attacks.evasion.AdversarialPatchPyTorch (#1535)
    • Added new features to attribute inference attacks including support for optional use of true labels in black-box attribute inference attacks, automatic calculation of values in fit() method, additional scaling method for labels/predictions and an additional attack model type (random forest) (#1534)
    • Added estimator art.estimators.certification.PytorchDeepZ based on DeepZ for robustness certification using zonotope representations datapoints (#1531)
    • Added Expectation over Transformation (EoT) for rotation and centre crop with support for classification and object detection (#1516)
    • Added support for SummaryWriter in art.attacks.evasion.RobustDpatch (#1513)
    • Added PGD L-Inf optimizer to art.attacks.evasion.AdversarialPatch* attacks (#1495)
    • Added two backdoor poisoning attacks, Red in art.attacks.poisoning.BackdoorAttackDGMReD and Trail in art.attacks.poisoning.BackdoorAttackDGMTrail, targeting Deep Generative Models (#1490)
    • Added Hidden Trigger Backdoor Poisoning Attack in Keras and PyTorch in art.attacks.poisoning.HiddenTriggerBackdoor (#1487)
    • Added Feature Collision Poisoning Attack in PyTorch in art.attacks.poisoning.FeatureCollisionAttack (#1435 )

    Changed

    • Changed imports of TensorFlow v2 in TensorFlowClassifier to support TensorFlow v1 compatibility mode (#1560)
    • Changed Python used for unit testing to newer versions, upgraded style checks and improved code quality (#1517)

    Removed

    [None]

    Fixed

    • Fixed import of Scipy in PixelThreshold attack to support scipy>=1.8 (#1589)
    • Fixed bug of missing attribute in PixelAttack for scaled images (#1574)
    • Fixed use of torchaudio.functional.magphase in PyTorchDeepSpeech to support Deep Speech 2 version 3 with torch>=1.10 (#1550)
    • Fixed method fitof ScikitlearnRegressor to process labels correctly (#1537)
    • Fixed scalar names of Indicators of Attack Failure 2 and 3 for aggregated losses (#1512)
    • Fixed raising of DataConversionWarning in fitting black box membership inference attacks with attack_model_type 'rf' or 'gb (#1488)
    Source code(tar.gz)
    Source code(zip)
  • 1.9.1(Jan 7, 2022)

    This release of ART 1.9.1 provides updates to ART 1.9.

    Added

    • Added support for TensorFlow 1.15 as backend in KerasClassifier.compute_loss. (#1466)
    • Added support for input range [0, 1] in art.defences.preprocessor.VideoCompression*. (#1470)

    Changed

    [None]

    Removed

    [None]

    Fixed

    • Fixed bug in art.utils.load_nursery for loading nursery dataset with argument raw=True. (#1460)
    • Fixed import of matplotlib to keep it an optional dependency. (#1467)
    • Fixed bug to allow preprocessing defences to be applied in PyTorchGoturn.predict by adding back missing sample dimension. (#1470)
    • Fixed bug in PyTorchClassifier.get_activations to also apply preprocessing if argument framework=True. This fix likely changes the results obtained with BullseyePolytopeAttackPyTorch, the main attack using framework=True. (#1471)
    Source code(tar.gz)
    Source code(zip)
  • 1.9.0(Dec 18, 2021)

    This release of ART 1.9.0 introduces the first evasion attack specifically designed against object tracking applications and able to distinguish foreground and background objects, the first evasion attack against image classifiers simulating attacks with laser beams on target objects, the new Summary Writer API to collect attack internal custom metrics, a defense against general poisoning attacks and tools for shadow model training to support membership inference attacks.

    Added

    • Added tools for training shadow models and generating shadow-datasets in support of membership inference attacks in art.attacks.inference.membership_inference.shadow_models. (#1345, #1395)
    • Added hill-climbing synthetic data generation algorithm (Shokri et al., 2017) to train shadow models without access to actual data. (#1345, #1395)
    • Added experimental estimator for classification models in JAX in art.experimental.estimators.classification.JaxClassifier (#1360)
    • Added Deep Partition Aggregation as classification estimator in art.estimators.classification.DeepPartitionEnsemble to defend against general poisoning attacks (#1397)
    • Added Adversarial Laser Beam attack in art.attacks.evasion.LaserAttack as a easy to realize physical evasion attack (#1398)
    • Added customizable Summary Writer API in art.summary_writer.SummaryWriter to collect attack internal metrics in supported attacks providing collected metrics in TensorBoard format for analysis (#1416 )
    • Added Indicators of Attack Failure (Pintor et al., 2021) as metrics in default summary writer art.summary_writer.SummaryWriterDefault (#1416)
    • Added Adversarial Texture Attack against object tracking models in art.attacks.evasion.AdversarialTexturePyTorch. The attack distinguishes foreground and background objects to create textures/patches that work even if partially covered. (#1430)

    Changed

    • Changed implementation of Carlini & WAgner L_inf attack in art.attacks.evasion.CarliniLInfMethod to exactly reproduce performance of reference implementation (#1380)
    • Changed art.defences.preprocessor.preprocessor.PreprocessorPyTorch to accept device_type in __init__ to set attribute _device for all PyTorch preprocessors in a single location (#1444)

    Removed

    • Removed deprecated Numpy scalar type names (#1296)
    • Removed outdated comments in tests.attacks.test_simba that SimBA would not support PyTorch (#1423)

    Fixed

    • Fixed missing support for input with more than one input image in art.attacks.evasion.SimBA.generate, so far only the first sample had been attacked if more than one image was provided. (#1422)
    • Fixed art.attacks.poisoning.perturbations.insert_image to preserve dtype of input images in the returned output images (#1441)
    • Fixed missing transformation of binary index to one-hot encoded labels in art.utils.check_and_transform_label_format for argument return_one_hot=True (#1443)
    Source code(tar.gz)
    Source code(zip)
  • 1.8.1(Oct 15, 2021)

    This release of ART 1.8.1 provides updates to ART 1.8.

    Added

    • Added support for torch.Tensor inputs and required argument input_shape to art.estimators.object_tracking.PyTorchGoturn. (#1348)

    Changed

    • Changed supported PyTorch version check to include torch==1.9 and torchvision==0.10 to exception in art.estimators.object_detection.PyTorchObjectDetector. (#1356)

    Removed

    [None]

    Fixed

    • Fixed docstring and cuda device support in art.attacks.evasion.AdversarialPatchPyTorch. (#1333)
    Source code(tar.gz)
    Source code(zip)
  • 1.8.0(Sep 25, 2021)

    This release of ART v1.8.0 introduces the first estimators for object tracking and regression, adds a general model-independent object detection estimator and new membership inference attacks.

    Added

    • Added estimator for object tracker GOTURN in PyTorch in art.estimators.object_tracking.PyTorchGoturn (#1318)
    • Added estimator for scikit-learn DecisionTreeRegressor in art.estimators.regression.ScikitlearnDecistionTreeRegressor and added compatibility in attacks AttributeInferenceBlackBox and MembershipInferenceBlackBox (#1272)
    • Added general estimator for all object detection models of torchvision in art.estimators.object_detection.PyTorchObjectDetector (#1295)
    • Added membership inference attack based on boundary attacks with general threshold selection by Li and Zhang (#1197)

    Changed

    • Changed art.estimators.classification.BlackboxClassifier* to also accept recorded input/prediction data pairs, instead of a callable providing predictions by evaluating the attacked model, enabling attacks on prediction data only without the necessity for direct access to the attacked model (#1247)
    • Moved patched Lingvo decoder to art.contrib (#1261)

    Removed

    • Removed art.classifiers and art.wappers, both modules have been replaced with tools in art.preprocessing.expectation_over_transformation, art.estimators.classification and art.estimators.classification.QueryEfficientGradientEstimationClassifier (#1256)

    Fixed

    [None]

    Source code(tar.gz)
    Source code(zip)
  • 1.7.2(Aug 30, 2021)

    This release of ART 1.7.2 provides updates to ART 1.7.

    Added

    [None]

    Changed

    [None]

    Removed

    [None]

    Fixed

    • Fixed missing support for index labels in PyTorchClassifier.compute_loss. (#1264)
    • Fixed missing support for float in argument min_epsilon of BoundaryAttack. (#1262)
    • Fixed support for channels first images in art/attacks/poisoning/perturbations/image_perturbations.insert_image. (#1290)
    Source code(tar.gz)
    Source code(zip)
  • 1.7.1(Jul 12, 2021)

    This release of ART 1.7.1 provides updates to ART 1.7.

    Added

    • Added wrapper Mp3CompressionPyTorch for Mp3Compression to make it compatible with PyTorch-specific attack implementations. (#1210)
    • Added new install option non-framework to setup.py to install all non-framework dependencies of ART. (#1209)
    • Added wrapper VideoCompressionPyTorch for VideoCompression to make it compatible with PyTorch-specific attack implementations. (#1210)

    Changed

    • Changed Mp3Compression to add back reapplication of normalization to the compressed result. (#1210)
    • Changed KerasClassifier.fit to use batching provided by the method fit of the Keras model. (#1182)

    Removed

    [None]

    Fixed

    • Fixed bug of not passing user-provided device type, and instead always using default gpu, to standardisation preprocessor in all PyTorchEstimator by using user-provided device type. (#1223)
    • Fixed bug in method BaseEstimator.fit_generator for fitting generators in cases where preprocessing is defined to not apply preprocessing twice. (#1219)
    • Fixed bug in ImperceptibleASRPyTorch to prevent NaN loss value for batch size larger than 1 by removing unnecessary zero-padding. (#1198)
    • Fixed two bugs in OverTheAirFlickeringPyTorch by making sure that the regularization norms are computed over the whole batch of perturbations, rather than per sample's perturbation and second that the "roll" operations are performed over the batch samples, rather than over the frames. (#1192)
    • Fixed bug in SpectralSignatureDefense, that lead to rejections of all clean images, by correctly indexing the label data. (#1189)
    • Fixed bug of accidentally removed checks for apply_fit and apply_predict properties of framework-independent Preprocessor tools in PyTorchEstimator and TensorFlowV2Estimator. With the bug the Preprocessor tools were always applied in methods fit and predict independent of the values of apply_fit and apply_predict. (#1181)
    • Fixed bug in MembershipInferenceBlackBoxRemove.infer by removing unnecessary shuffling of the test data. (#1173)
    • Fixed bug in PixelAttack and ThresholdAttack by casting input data to correct dtype. (#1175)
    Source code(tar.gz)
    Source code(zip)
  • 1.7.0(Jun 15, 2021)

    This release of ART v1.7.0 introduces many new evasion and inference attacks providing support for the evaluation of malware or tabular data classification, new query-efficient black-box (GeoDA) and strong white-box (Feature Adversaries) evaluation methods. Furthermore, this release introduces an easy to use estimator for Espresso ASR models to facilitate ASR research and connect Espresso and ART. This release also introduces support for binary classification with single outputs in neural networks classifiers and selected attacks. Many more new features and details can be found below:

    Added

    • Added LowProFool evasion attack for imperceptible attacks on tabular data classification in art.attacks.evasion.LowProFool. (#1063)
    • Added Over-the-Air-Flickering attack in PyTorch for evasion on video classifiers in art.attacks.evasion.OverTheAirFlickeringPyTorch. (#1077, #1102)
    • Added API for speech recognition estimators compatible with Imperceptible ASR attack in PyTorch. (#1052)
    • Added Carlini&Wagner evasion attack with perturbations in L0-norm in art.attacks.evasion.CarliniL0Method. (#844, #1109)
    • Added support for Deep Speech v3 in PyTorchDeepSpeech estimator. (#1107)
    • Added support for TensorBoard collecting evolution of norms (L1, L2, and Linf) of loss gradients per batch, adversarial patch, and total loss and its model-specific components where available (e.g. PyTochFasterRCNN) in AdversarialPatchPyTorch, AdversarialPatchTensorFlow, FastGradientMethod, and all ProjectedGradientDescent* attacks. (#1071)
    • Added MalwareGDTensorFlow attack for evasion on malware classification of portable executables supporting append based, section insertion, slack manipulation, and DOS header attacks. (#1015)
    • Added Geometric Decision-based Attack (GeoDA) in art.attacks.evasion.GeoDA for query-efficient black-box attacks on decision labels using DCT noise. (#1001)
    • Added Feature Adversaries framework-specific in PyTorch and TensorFlow v2 as efficient white-box attack generating adversarial examples imitating intermediate representations at multiple layers in art.attacks.evasion.FeatureAdversaries*. (#1128, #1142, #1156)
    • Added attribute inference attack based on membership inference in art.attacks.inference.AttributeInferenceMembership. (#1132)
    • Added support for binary classification with neural networks with a single output neuron in FastGradientMethod, and all ProjectedGradientDescent* attacks. Neural network binary classifiers with a single output require setting nb_classes=2 and labels y in shape (nb_samples, 1) or (nb_samples,) containing 0 or 1. Backward compatibility for binary classifiers with two outputs is guaranteed with nb_classes=2 and labels y one-hot-encoded in shape (nb_samples, 2). (#1118)
    • Added estimator for Espresso ASR models in art.estimators.speech_recognition.PyTorchEspresso with support for attacks with FastGradientMethod, ProjectedGradientDescent and ImperceptibleASRPyTorch. (#1036)
    • Added deprecation warnings for art.classifiers and art.wrappers to be replace with art.estimators. (#1154)

    Changed

    • Changed art.utils.load_iris to use Iris dataset from sklearn.datasets instead of archive.ics.uci.edu. (#1097 )
    • Changed HopSkipJump to check for NaN in the adversarial example candidates and return original (benign) sample if at least one NaN is detected. (#1124)
    • Changed SquareAttack to accept user-defined loss and adversarial criterium definitions to enable black-box attacks on all machine learning tasks on images beyond classification. (#1127)
    • Changed PyTorchFasterRCNN.loss_gradients to process each sample separately to avoid issues with gradient propagation with torch>=1.7. (#1138)

    Removed

    [None]

    Fixed

    • Fixed workaround in art.defences.preprocessor.Mp3Compression related to a bug in earlier versions of pydub. (#419)
    • Fixed bug in Pixel Attack and Threshold Attack for images with pixels in range [0, 1]. (#990)
    Source code(tar.gz)
    Source code(zip)
  • 1.6.2(May 20, 2021)

    This release of ART 1.6.2 provides updates to ART 1.6.

    Added

    • Added targeted option to RobustDpatch (#1069)
    • Added option standardise_output to define provided label format (#1069)
    • Added property native_label_is_pytorch_format to object detectors to define label format expected by the model (#1069)

    Changed

    • Changed Dpatch and RobustDpatch to work internally with PyTorchFasterRCNN's object detection label format and convert labels if provided in TensorFlowFasterRCNN's format accordingly using option standardise_output (#1069)
    • Change setup.py to only contain core dependencies in install_requires and added additional install options tensorflow_image, tensorflow_audio, pytorch_image, and pytorch_audio (#1116)
    • Changed check for version of torch and torchvision in AdversarialPatchPyTorch to account for suffixes like +cu102 (#1115)
    • Changed art.utils.load_iris to use sklearn.datasets.load_iris instead of download from https://archive.ics.uci.edu/ml/machine-learning-databases/iris/iris.data (#1097)

    Removed

    • Removed unnecessary requirement for scores in labels y for TensorFlowFasterRCNN.loss_gradient and PyTorchFasterRCNN.loss_gradient (#1069)

    Fixed

    • Fixed docstrings of methods predict and loss_gradient to correctly describe the expected and provided label format (#1069)
    • Fixed bug of missing transfer of tensor to device ProjectedGradientDescentPyTorch (#1076)
    • Fixed bug resulting in wrong loss gradients calculated with ScikitlearnLogisticRegression.loss_gradient (#1065)
    Source code(tar.gz)
    Source code(zip)
  • 1.6.1(Apr 16, 2021)

    This release of ART 1.6.1 provides updates to ART 1.6.

    Added

    • Added a notebook showing an example of Expectation over Transformation (EoT) sampling with ART to generate adversarial examples that are robust against rotation in image classification tasks. (#1051)
    • Added a check for valid combinations of stride, freq_dim and image size in SimBA attack. (#1037)
    • Added accurate gradient estimation to LFilter audio preprocessing. (#1002)
    • Added support for multiple layers to be targeted by BullseyePolytopeAttackPyTorch attack to increase effectiveness in end-to-end scenarios. (#1003)
    • Added check and ValueError to provide explanation for too large nb_parallel values in ZooAttack. (#988)

    Changed

    • Changed TensorFlowV2Classifier.get_activations to accept negative layer indexes. (#1054)
    • Tested BoundaryAttack and HopSkipJump attacks with batch_size larger than 1 and changed default value to batch_size=64. (#971)

    Removed

    [None]

    Fixed

    • Fixed bug in Dpatch attack which did not update the patch, being optimised, onto the images used for loss gradient calculation leading to iterations with the constant, initially, applied patches. (#1049)
    • Fixed bug in BullseyePolytopeAttackPyTorch attack where attacking multiple layers of the underlying model only perturbed the first of all input images. (#1046)
    • Fixed return value of TensorFlowV2Classifier.get_activations to a list of strings. (#1011)
    • Fixed bug in TensorFlowV2Classifier.loss_gradient by adding labels to application of preprocessing step to enable EoT preprocessing steps that increase the number of samples and labels. This change does not affect the accuracy of previously calculated loss gradients. (#1010)
    • Fixed bug in ElasticNet attack to apply the confidence parameter when generating adversarial examples. (#995)
    • Fixed bug in art.attacks.poisoning.perturbations.image_perturbations.insert_image to correctly transpose input images when channels_first=True. (#1009)
    • Fixed bug of missing method compute_loss in PyTorchDeepSpeech, TensorFlowFasterRCNN and BlackBoxClassifier. (#994, #1000)
    Source code(tar.gz)
    Source code(zip)
  • 1.6.0(Mar 16, 2021)

    This release of ART v1.6.0 introduces with the clean-label poisoning attack Bullseye Polytope, a baseline attribute inference attack, and a PyTorch-specific implementation of Adversarial Patch attack with perspective transformation sampling, new evaluation tools in the three different threats types of poisoning, inference and evasion. Furthermore, this release contains the first set of Expectation over Transformation (EoT) preprocessing tools for image processing and natural corruptions.

    Added

    • Added the Bullseye Polytope clean-label poisoning attack in art.attacks.poisoning.BullseyePolytopeAttackPyTorch (#962)
    • Added the Pointwise Differential Training Privacy (PDTP) metric measuring training data membership leakage of trained model in art.metrics.PDTP (#958)
    • Added a attribute inference base line attack art.attacks.inference.attribute_inference.AttributeInferenceBaseline defining a minimal attribute inference performance that can be achieved without access to the evaluated model (#956)
    • Added a first set of Expectation over Transformation (EoT) preprocessing in art.preprocessing.expectation_over_transformation for image processing and natural image corruptions including brightness, contrast, Gaussian noise, shot noise, and zoom blur. These EoTs enable sampling multiple transformed samples in each forward pass and are fully differentiable for accurate loss gradient calculation in PyTorch and TensorFlow v2. They can be chained together in sequence and are implemented fully framework-specific (#919)
    • Added a function for image trigger perturbations blending images (#913)
    • Added a method insert_transformed_patch to all adversarial patch attacks art.attacks.evasion.AdversarialPatch* applying adversarial patches onto a perspective transformed square defined by the coordinates of its four corners (#891)
    • Added the Adversarial Patch attack framework-specific in PyTorch in art.attacks.evasion.AdversarialPatchPyTorch with additional functionality to support sampling over perspective transformations (#876)

    Changed

    • Changed handling of NaN values in loss gradients in art.attacks.evasion.FastGradientMethod and art.attacks.evasion.ProjectedGradientDescent* by replacing NaN values with 0.0 and log a warning message. This should prevent losing expensive attack runs in late iterations and still return an adversarial example, but log a warning to alert the user. (#883)
    • Changed permitted ranges for eps_step and eps in art.attacks.evasion.ProjectedGradientDescent* to allow eps_step to be larger than eps for all norms, allow eps_step=np.inf to immediately project towards the norm ball or clip_values, and support eps=0.0 to run the attack without any attack budget. The latter two changes are intended to facilitate the verification of attack setups. (#882)
    • Changed in the unit tests the marker skipMlFramework to skip_framework and the pytest argument mlFramework to framework (#961)
    • Changed art.preprocessing.standardisation_mean_std for standardisation with mean and std to provide extended support for broadcasting by automatically adapting 1-dimensional arrays for mean and std to be broadcastable on NCHW inputs (#839)
    • Changed art.estimators.object_detection.PyTorchFasterRCNN.loss_gradient to not overwrite the input label array with tensors (#954)
    • Changed and automated the setting of model states by removing method set_learning_phase from all estimators and automating setting the model into the most likely appropriate state for each operation in methods predict (eval mode, training_mode=False) , fit (train mode, training_mode=True) , loss_gradient (eval mode) , class_gradient(eval mode) , etc. The default is defined by a new method argument training_mode which can be changed for example for debugging purposes. An exception are RNN-type models in PyTorch where loss_gradient and class_gradient will run the model in train mode but freeze the model's batch-norm and dropout layers if training_mode=False. (#781)
    • Changed art.attacks.evasion.BoundaryAttack in normal (L282) and a suboptimal (L287) termination to return the adversarial example candidate with the smallest norm of the perturbation instead of returning the first adversarial example candidate in its list, this will facilitate the finding the minimum L2 perturbation adversarial examples (#948)
    • Changed art.attacks.inference.attribute_inference.AttributeInferenceBlackBox to support one-hot encoded features that have been scaled and lie in-between 0 and 1 instead of just 0 and 1 (#927)
    • Changed imports of tensorflow in TensorFlow v1 specific tools to enable backward compatibility and application with TensorFlow v2 (#880)
    • Changed optimizer of art.attacks.evasion.AdversarialPatchTensorFlowV2 from SGD to Adam for better performance (#878)
    • Changed art.attacks.evasion.BrendelBethgeAttack to include support for numba, following the reference implementation, which leads to great acceleration of the attack (#868)
    • Changed art.estimators.classification.ScikitlearnClassifier and all model specific scikit-learn estimators to provide the new argument use_logits to define returning probability or logit predictions in their methods predict (#872)
    • Changed metrics clever_t and depending on it clever and clever_u to reduce long runtimes by computing the class gradients of all samples in rand_pool before looping through the batches. To reduce the risk of ResourceExhasutedError, batching is now also applied on rand_pool to compute class gradients on smaller batches of size pool_factor (#762)

    Removed

    • Removed deprecated argument and property channel_index from all estimators. channel_index has been replaced by channels_first. (#869)

    Fixed

    • Fixed the criterion of targeted art.attacks.evasion.BoundaryAttack to now correctly check that adversarial predictions are different from the original image prediction during sampling instead of the same (#948)
    Source code(tar.gz)
    Source code(zip)
  • 1.5.3(Mar 14, 2021)

    This release of ART 1.5.3 provides updates to ART 1.5.

    Added

    [None]

    Changed

    • Changed argument names of art.attacks.evasion.ImperceptibleASR, art.attacks.evasion.ImperceptibleASRPyTorch and art.attacks.evasion.CarliniWagnerASR where necessary to use the same names in all three attacks. (#955, #959)
    • Changed optimisation in art.attacks.evasion.ImperceptibleASRPyTorch to use torch.float64 instead of torch.float32 to prevent NaN as loss value. (#931)
    • Changed art.attacks.evasion.ImperceptibleASR to improve the psychoacoustic model and stabilize the imperceptible loss by switching to librosa's STFT and using scalar PSD maximum. (#930)
    • Changed art.attacks.evasion.ImperceptibleASR to use periodic window for STFT instead symmetric window option. (#930)
    • Changed art.attacks.evasion.ImperceptibleASR with early stopping if loss theta < 0.05 to avoid running into gradients with NaN values. (#930)
    • Changed art.attacks.evasion.ImperceptibleASRPyTorch to reset its optimisers for each internal batch in method generate to guarantee the same optimiser performance on each batch, this is especially important for adaptive optimisers. (#917)
    • Changed art.attacks.evasion.ImperceptibleASRPyTorch to use torch.stft instead of torchaudio.transforms.Spectrogram to correctly compute the spectrogram. (#914)
    • Changed art.estimators.speech_recognition.PyTorchDeepSpeech to freeze batch-norm layers of the Deep Speech model in method loss_gradient to obtain gradients using dataset statistics instead of batch statistics and avoid changing dataset statistics of the batch-norm layers with each call. (#912)

    Removed

    [None]

    Fixed

    • Fixed bug of missing argument model in art.estimators.object_detection.TensorFlowFasterRCNN which caused instantiation to fail. (#951)
    • Fixed bug of missing square in calculation of loss and class gradients for art.estimators.classification.ScikitlearnSVC using Radial Basis Function (RBF) kernels. (#921)
    • Fixed missing support for preprocessing=None in art.estimators.BaseEstimator. (#916)
    Source code(tar.gz)
    Source code(zip)
  • 1.5.2(Feb 20, 2021)

    This release of ART 1.5.2 provides updates to ART 1.5.

    Added

    • Added new method reset_patch to art.attacks.evasion.adversarial_patch.* to reset patch (#863)
    • Added passing kwargs to internal attacks of art.attacks.evasion.AutoAttack (#850)
    • Added art.estimators.classification.BlackBoxClassifierNeuralNetwork as black-box classifier for neural network models (#849)
    • Added support for channels_first=False for art.attacks.evasion.ShadowAttack in PyTorch (#848)

    Changed

    • Changed Numpy requirements to be less strict to resolve conflicts in dependencies (#879)
    • Changed estimator requirements for art.attacks.evasion.SquareAttack and art.attacks.evasion.SimBA to include NeuralNetworkMixin requiring neural network models (#849)

    Removed

    [None]

    Fixed

    • Fixed BaseEstimator.set_params to set preprocessing and preprocessing_defences correctly by accounting for art.preprocessing.standardisation_mean_std (#901)
    • Fixed support for CUDA in art.attacks.inference.membership_inference.MembershipInferenceBlackBox.infer (#899)
    • Fixed return in art.preprocessing.standardisation_mean_std.StandardisationMeanStdPyTorch to maintain correct dtype (#890)
    • Fixed type conversion in art.evaluations.security_curve.SecurityCurve to be explicit (#886)
    • Fixed dtype in art.attacks.evasion.SquareAttack for norm=2 to maintain correct type (#877)
    • Fixed missing CarliniWagnerASR in art.attacks.evasion namespace (#873)
    • Fixed support for CUDA i `art.estimators.classification.PyTorchClassifier.loss (#862)
    • Fixed bug in art.attacks.evasion.AutoProjectedGradientDescent for targeted attack to correctly detect successful iteration steps and added robust stopping criteria if loss becomes zero (#860)
    • Fixed bug in initialisation of search space in art.attacks.evasion.SaliencyMapMethod (#843)
    • Fixed bug in support for video data in art.attacks.evasion.adversarial_patch.AdversarialPatchNumpy (#838)
    • Fixed bug in logged success rate of art.attacks.evasion.ProjectedGradientDescentPyTorch and art.attacks.evasion.ProjectedGradientDescentTensorFlowV2 to use correct labels (#833)
    Source code(tar.gz)
    Source code(zip)
  • 1.5.1(Jan 9, 2021)

    This release of ART 1.5.1 provides updates to ART 1.5.

    Added

    • Added an option to select to probability values for model extraction attacks in addition to index labels in art.attacks.extraction.CopycatCNN and art.attacks.extraction.KnockoffNets. (#825)
    • Added a new notebook demonstrating model extraction attacks and defences. (#825)
    • Added art.attacks.evasion.CarliniWagnerASR as a special case of art.attacks.evasion.ImperceptibleASR where max_iter_stage_2=0 skipping the second stage of the ImperceptibleASR. (#784)

    Changed

    • Changed method generate of art.attacks.evasion.ProjectedGradientDescentPyTorch and art.attacks.evasion.ProjectedGradientDescentTensorFlowV2 to create a copy of the input data to guard the input data from being overwritten by a model that unexpectedly overwrites its input data. This change follows the implementation of art.attacks.evasion.ProjectedGradientDescentNumpy and provides an extra layer of protection against unexpected model behavior. (#805)
    • Change numerical precision in art.attacks.evasion.Wasserstein from float to double to reduce numerical overflow in numpy.log and replace input pixel values of 0 with EPS_LOG=10^-10 to prevent division by zero in numpy.log. (#780)
    • Changed tqdm imports to use tqdm.auto to automatically run its Jupyter widgets where supported. (#799)
    • Improved documentation, argument value checks and added support for index labels in art.attacks.inference.member_ship.LabelOnlyDecisionBoundary. (#790)

    Removed

    [None]

    Fixed

    • Fixed bug in art.estimators.classification.KerasClassifier.custom_loss_gradient() to support keras and tensorflow.keras. (#810)
    • Fixed bug in art.attacks.evasion.PixelThreshold.generate to correctly scale images in range [0, 255]. (#802)
    • Fixed bug in art.attacks.evasion.PixelThreshold to run CMA Evolution Strategy max_iter iterations instead of 1 iteration. (#802)
    • Fixed bug in art.estimators.object_detection.PyTorchFasterRCNN by adding missing argument model in super().init. (#789)
    Source code(tar.gz)
    Source code(zip)
  • 1.5.0(Dec 1, 2020)

    Added

    • Added a new module art.evaluations for evaluation tools that go beyond creating adversarial examples and create insights into the robustness of machine learning models beyond adversarial accuracy and build on art.estimators and art.attacks as much as possible. The first implemented evaluation tool is art.evaluations.SecurityCurve which calculates the security curve, a popular tool to evaluate robustness against evasion, using art.attacks.evasion.ProjectedGradientDescent and provides evaluation of potential gradient masking in the evaluated model. (#654)

    • Added support for perturbation masks in art.attacks.evasion.AutoProjectedGradientDescent similar as in art.attacks.evasion.ProjectedGradientDescent and added Boolean masks for patch location sampling in Dpatch and all AdversarialPatch attacks to enable pixel masks defining regions where patch locations are sampled from during patch training or where trained patches can be applied.

    • Added preprocessing for Infinite (IIR) and Finite Impulse Response (FIR) filtering for Room Acoustics Modelling in framework-agnostic (art.preprocessing.audio.LFilter) and PyTorch-specific (art.preprocessing.audio.LFilterPyTorch) implementations as the first tool for physical environment simulation for audio data in art.preprocessing.audio. Additional tools will be added in future releases. (#744)

    • Added Expectation over Transformation (EoT) to art.preprocessing.expectation_over_transformation with a first implementation of sampling image rotation for classification tasks framework-specific for TensorFlow v2 (art.preprocessing.expectation_over_transformation.EOTImageRotationTensorFlowV2) providing full support for gradient backpropagation through EoT. Additional EoTs will be added in future releases. (#744)

    • Added support for multi-modal inputs in ProjectedGradientDescent attacks and FastGradientMethod attack with broadcastable arguments eps and eps_step as np.ndarray to enable attacks against, for example, images with multi-modal color channels. (#691)

    • Added Database Reconstruction attack in the new module art.attacks.inference.reconstruction.DatabaseReconstruction enabling evaluation of the privacy of machine learning models by reconstructing one removed sample of the training dataset. The attack is demonstrated in a new notebook on models trained non-privately and with differential privacy using the Differential Privacy Library (DiffPrivLib) as defense. (#759)

    • Added support for one-hot encoded feature definition in black-box attribute inference attacks. (#768)

    • Added a new model-specific speech recognition estimator for Lingvo ASR in art.estimators.speech_recognition.TensorFlowLingvoASR. (#584)

    • Added a framework-independent implementation of the Imperceptible ASR attack with loss support for TensorFlow and PyTorch in art.attacks.evasion.ImperceptibleASR. (#719, #760)

    • Added Clean Label Backdoor poisoning attack in art.attacks.poisoning.PoisoningAttackCleanLabelBackdoor. (#725)

    • Added Strong Intentional Perturbation (STRIP) defense against poisoning attacks in art.defences..transformer.poisoning.STRIP. (#656)

    • Added Label-only Boundary Distance Attack art.attacks.inference.membership_inference.LabelOnlyDecisionBoundary and Label-only Gap Attack art.attacks.inference.membership_inference.LabelOnlyGapAttack for membership inference attacks on classification estimators. (#720)

    • Added support for preprocessing and preprocessing defences in the PyTorch-specific implementation of the Imperceptible ASR attack in art.attacks.evasion.ImperceptibleASRPyTorch. (#763)

    • Added a robust version of evasion attack DPatch in art.attacks.evasion.RobustDPatch against object detectors by adding improvements like expectation over transformation steps, fixed patch location, etc. (#751)

    • Added optional support for Automatic Mixed Precision (AMP) in art.estimators.classification.PyTochClassifier to facilitate mix-precision computations and increase performance. (#619)

    • Added the Brendel & Bethge evasion attack in art.attacks.evasion.BrendelBethgeAttack based on the original reference implementation. (#626)

    • Added framework-agnostic support for Randomized Smoothing estimators in addition to framework-specific implementations in TensorFlow v2 and PyTorch. (#738)

    • Added an optional progress bar to art.utils.get_file to facilitate downloading large files. (#698)

    • Added support for perturbation masks in HopSkipJump evasion attack in art.attacks.evasion.HopSkipJump. (#653)

    Changed

    • Changed preprocessing defenses and input standardisation with mean and standard deviation by combining all preprocessing into a single preprocessing API defined in the new module art.preprocessing. Existing preprocessing defenses remain in art.defences.preprocessor, but are treated as equal and run with the same API and code as general preprocessing tools in art.preprocessing. The standardisation is now a preprocessing tool that is implemented framework-specific for PyTorch and TensorFlow v2 in forward and backward direction. Estimators for art.estimators.classification and art.estimators.object_detection in TensorFlow v2 and PyTorch set up with all framework-specific preprocessing steps will prepend the preprocessing directly to the model to evaluate output and backpropagate gradients in a single step through the model and (chained) preprocessing instead of previously two separate steps for improved performance. Framework independent preprocessing tools will continue to be evaluated in a step separate from the model. This change also enable full support for any model-specific standardisation/normalisation functions for the model inputs and their gradients. (#629)

    • Changed Preprocessor and Postprocessor APIs to simplify them by defining reused methods and the most common property values as defaults in the API. The default for art.defences.preprocessor.preprocessor.Preprocessor.estimate_gradient in framework-agnostic preprocessing is Backward Pass Differentiable Approximation (BPDA) with identity function, which can be customized with accurate or better approximations by implementing estimate_gradient. (#752)

    • Changed random restarts in all ProjectedGradientDescent implementations to collect the successful adversarial examples of each random restart instead of previously only keeping the adversarial examples of the most successful random restart. Adversarial examples of previous random restart iterations are overwritten by adversarial examples of later random restart iterations. This leads to equal or better adversarial accuracies compared to previous releases and changes the order of processing the input samples to first complete all random restarts of a batch before processing the next batch instead of looping over all batches in each random restart. (#765)

    • Changed order of mask application and normalization of the perturbation in all ProjectedGradientDescent and FastGradientMethod attacks to now first apply the mask to the loss_gradients and subsequently normalize only the remaining, un-masked perturbation. That way the resulting perturbation can directly be compared to the attack budget eps. (#711)

    • Changed location of implementation and default values of properties channels_first, clip_values, and input_shape in art.estimators to facilitate the creation of customs estimators not present in art.estimators.

    • Changed Spectral Signature Defense by removing argument num_classes and replacing it with the estimator’s nb_classes property and renaming parameter ub_pct_poison to expected_pp_poison. (#678)

    • Changed the ART directory path for datasets and model data stored in ART_DATA_PATH to be configurable after importing ART. (#701)

    • Changed preprocessing defence art.defences.preprocessor.JpegCompression to support any number of channels in addition to the already supported inputs with 1 and 3 channels. (#700)

    • Changed calculation of perturbation and direction in art.attacks.evasion.BoundaryAttack to follow the reference implementation. These changes result in faster convergence and smaller perturbations. (#761)

    Removed

    [None]

    Fixed

    • Fixed bug in definition and application of norm p in cost matrix in Wasserstein evasion attack art.attacks.evasion.Wasserstein present in the reference implementation. (#712)

    • Fixed handling of fractional batches in Zeroth Order Optimization (ZOO) attack in art.attacks.evasion.ZOOAttack to prevent errors caused by shape mismatches for batches smaller than batch_size. (#755)

    Source code(tar.gz)
    Source code(zip)
  • 1.4.3(Nov 21, 2020)

    This release of ART v1.4.3 provides updates to ART 1.4.

    Added

    [None]

    Changed

    • Changed argument y of method infer of art.attacks.inference.attribute_inference.AttributeInferenceBlackBox from optional to required. (#750)

    Removed

    [None]

    Fixed

    • Fixed bug in art.data_generators.PyTorchDataGenerator and art.data_generators.MXDataGenerator where method get_batch always returned the same first batch of the dataset to return different batches for each method call by iterating over the entire dataset. (#731)
    • Fixed format of return value of method infer of art.attacks.inference.membership_inference.MembershipInferenceBlackBox for attack_model_type="nn". (#741)
    Source code(tar.gz)
    Source code(zip)
  • 1.4.2(Nov 4, 2020)

    This release of ART v1.4.2 provides updates to ART 1.4.

    Added

    • Added implementation of method loss for art.estimators.classification.TensorFlowClassifer. (#685)
    • Added support for variable length input to art.defences.preprocessor.MP3Compression to make it compatible with estimator art.estimators.speech_recognition.PyTorchDeepSpeech. (#684)
    • Added support for mask in non-classification tasks with art.attacks.evasion.ProjectedGradientDescent. (#682)
    • Added support for torch.Tensor as input for loss_gradient of art.estimators.object_detection.PyTorchFasterRCNN. (#679)
    • Added support for art.attacks.evasion.ProjectedGradientDescent and art.attacks.evasion.FasGradientMethod attacks on art.estimators.speech_recognition.PyTorchDeepSpeech. (#669)
    • Added exception and explanation if target labels are not provided in generate of art.attacks.evasion.ImperceptibleASRPytorch. (#677)
    • Added support for preprocessing defences in art.estimators.speech_recognition.PyTorchDeepSpeech. (#663)
    • Added support for type List in argument patch_shape of art.attacks.evasion.DPatch. (#662)
    • Added support for option verbose to all art.attacks and art.defences to adjust output of progress bars. (#647)

    Changed

    • Changed art.attacks.evasion.AutoProjectedGradientDescent to to support estimators for classification of all frameworks using the estimator's loss function, to use the new method loss of the Estimator API replacing internal custom loss functions and to disable for now the loss type difference_logits_ratio for art.estimators.classification.TensorFlowClassifer (TensorFlow v1.x) because of inaccurate loss calculation. (#685)
    • Changed default format of returned values of method predict in art.estimators.speech_recognition.PyTorchDeepSpeech from a tuple of probabilities and sequence lengths to an array of transcriptions (array of predicted strings) which is the same format as labels y and the returned values of other estimators in art.estimators.speech_recognition. The former output can still be obtained with option transcription_output=False. This change also enables using PyTorchDeepSpeech with ProjectedGradientDescent and FastGradientMethod in cases where no labels are provided to their method generate and these attacks use the labels predicted by PyTorchDeepSpeech's method predict. (#689)
    • Changed art.attacks.evasion.DPatch to improve initialisation of the patch for input ranges other than [0, 255] and updated the iteration over batches. (#681)
    • Changed art.attacks.evasion.DPatch to accept the updated return format of method predict of estimators in art.estimators.object_detection. (#667)
    • Changed return format of method predict of estimators in art.estimators.object_detection to follow the format of art.estimators.object_detection.PyTorchFasterRCNN and type np.ndarray. (#660)

    Removed

    • Removed unsupported argument loss_scale in art.estimators.speech_recognition.PyTorchDeepSpeech. (#642)

    Fixed

    • Fixed missing setting of property targeted in art.attacks.evasion.ImperceptibleASRPytorch. (#676)
    • Fixed bug in method loss of art.estimators.classification.KerasClassifier. (#651)
    • Fixed missing attribute batch_size in art.attacks.evasion.SquareAttack. (#646)
    • Fixed missing imports in art.estimators.object_detection.TensorFlowFasterRCNN. (#648)
    • Fixed bug in art.attacks.evasion.ImperceptibleASRPytorch to correctly apply learning_rate_2nd_stage instead of learning_rate_1st_stage in the second stage. (#642)
    Source code(tar.gz)
    Source code(zip)
  • 1.4.1(Oct 2, 2020)

    This release of ART v1.4.1 provides updates to ART 1.4.

    Added

    • Added a notebook demonstrating the Imperceptible ASR evasion attack on the DeepSpeech model for speech recognition tasks. (#639)

    Changed

    • Changed the detection of Keras type (keras vs. tensorflow.keras) in art.estimators.classification.KerasClassifier to enable customised models inheriting from the Keras base models (#631)

    Removed

    [None]

    Fixed

    • Fixed bug in model-specific estimator for DeepSpeech art.estimators.speech_recognition.PyTorchDeepSpeech to correctly handle the case of batches of samples with identical length including the special case of a batch of a single sample. (#635)
    • Fixed bug in model-specific estimator for DeepSpeech art.estimators.speech_recognition.PyTorchDeepSpeech by adding missing imports (#621)
    • Fixed bug to make all tools of ART accessible using import art (#612)
    • Fixed bug by removing top-level imports of tool-specific dependencies and adapting default values (#613)
    • Fixed wrong progress bar description in art.attacks.evasion.projected_gradient_descent.* from iterations to batches (#611)
    Source code(tar.gz)
    Source code(zip)
  • 1.4.0(Sep 20, 2020)

    This release of ART v1.4.0 introduces framework-specific preprocessing defences, Membership Inference attacks, and support for attacks on Automatic Speech Recognition (ASR) tasks to ART. This release also adds and improves multiple evasion and poisoning attacks and defenses.

    Added

    • Added framework-specific preprocessing defences for PyTorch and TensorFlow v2 in all estimators. This extends the preprocessing defences of ART beyond the framework-independent implementations in Numpy of earlier ART versions and enables to use the automatic differentiation of a framework to pass accurate loss gradients backwards through the preprocessing defences. Furthermore this also adds first framework-specific implementations of preprocessing Spatial Smoothing defences in PyTorch and TensorFlow v2, art.defences.preprocessor.SpatialSmoothingPyTorch and art.defences.preprocessor.SpatialSmoothingTensorFlowV2. (#510, #574)
    • Added Membership Inference attacks to evaluate leaks of information about individual training data recordsart.attacks.inference.membership_inference (#573)
    • Added Neural Cleanse defense against poisoned models. This is the first transformation defense against poisoning which accept a potentially poisoned model and returns a transformed version of the model defended against the effects of the poisoning art.defences.transformer.poison.NeuralCleanse (#604)
    • Added Imperceptible ASR evasion attack against Automatic Speech Recognition in Pytorch art.attacks.evasion.ImperceptibleASRPytorch (#605)
    • Added Adversarial Embedding poisoning attack art.attacks.poisoning.PoisoningAttackAdversarialEmbedding (#561)
    • Added new framework- and model-specific estimator for DeepSpeech in PyTorch art.estimators.speech_recognition.PyTorchDeepSpeech (#581)
    • Added support for string type for infinity norm in evasion attacks to facilitate serialisation of arguments (#575)
    • Added support for targeted attack in art.attacks.evasion.AutoAttack (#494)
    • Added targeted version of DPatch evasion attack against object detectors art.attacks.evasion.DPatch (#599)
    • Added property targeted to evasion attacks representing if attack is targeted art.attacks.EvasionAttack (#500)
    • Added new framework- and model-specific estimator for Faster-RCNN in TensorFlow art.estimators.object_detection.TensorFlowFasterRCNN (#487)
    • Added ShapeShifter evasion attack against object detectors art.attacks.evasion.ShapeShifter (#487)
    • Added Simple Black-box Adversarial (SimBA) evasion attack art.attacks.evasion.SimBA (#469)

    Changed

    • Changed progress bars to adversarial trainer and Projected Gradient Descent implementations (#603)
    • Changed import paths of Attribute Inference and Model Inversion attacks (#592)

    Removed

    [None]

    Fixed

    • Fixed bug in Thermometer Encoding preprocessor defense and extended it to support channels first data and video data formats (#591)
    • Fixed denormalizing in create_generator_layers in utils/resources/create_inverse_gan_models.py (#491)
    Source code(tar.gz)
    Source code(zip)
  • 1.3.3(Aug 21, 2020)

    This release of ART 1.3.3 provides updates to ART 1.3.

    Added

    • Added support for rectangular images and videos (with square and rectangular frames) to the attacks in art.attacks.evasion.adversarial_patch.AdversarialPatch. The framework-independent implementation AdversarialPatchNumpy supports videos of shape NFCHW or NFHWC and the framework-specific implementation for TensorFlow v2 AdversarialPatchTensorFlowV2 supports videos of shape NFHWC. For video data the same patch will be located at the same position on all frames. (#567)
    • Added a warning to ShadowAttack to inform users that this implementation currently only works on a single sample in a batch size of one. (#556)

    Changed

    • The Dockerfile will now automatically check if requirements.txt contains newer versions of the dependencies.
    • Changed the CLEVER metric art.metric.clever_t to only calculate required class gradients which results in a speed up of a factor of ~4. (#539)
    • Changed the metric art.metrics.wasserstein_distance to automatically flatten the weights of the two inputs. (#545)
    • Changed art.attacks.evasion.SquareAttack to use model predictions if true labels are not provided to method generate to follow the convention of the other attacks in ART. (#537)

    Removed

    [None]

    Fixed

    • Fixed method set_params in art.attacks.evasion.projected_gradient_descent.ProjectedGradientDescent to correctly update the attributes of the parent class. The attributes of the actual attack implementation have been set correctly before this fix. (#560)
    Source code(tar.gz)
    Source code(zip)
  • 1.3.2(Aug 7, 2020)

    This release of ART 1.3.2 provides updates to ART 1.3.1.

    Added

    • Added verbose parameter for CarliniL2Method, CarliniLInfMethod, and DeepFool attacks to disable progress bars.

    Changed

    • Changed the Wasserstein attack to support rectangular images as input (#527)
    • Changed UniversalPerturbation attack to use true labels if provided in internal attacks (#526)
    • Allow None as input for parameter `preprocessing of estimators (#493)
    • Allow eps to be larger than eps_step in ProjectedGradientDescent attacks if norm is not np.inf (#495)

    Removed

    [None]

    Fixed

    • Fixed import path for ProjectedGradientDescend option in UniversalPerturbation attack (#525)
    • Fixed support for arrays as clip_values in ProjectedGradientDescentPyTorch attack for PyTorch (#521)
    • Fixed success criteria for targeted attacks with AutoProjectedGradientDescend (#513)
    • Fixed success criteria for attacks used in AutoAttack (#508)
    • Fixed example for Fast-is-better-than-Free adversarial training (#506)
    • Fixed dtype in AutoProjectedGradientDescent and SquareAttack for testing output type of estimator (#499)
    • Fixed parameters in _augment_images_with_patch calls of attack DPatch (#493)
    Source code(tar.gz)
    Source code(zip)
Owner
This GitHub org hosts LF AI Foundation projects in the category of Trusted and Responsible AI.
null
Paddle-Adversarial-Toolbox (PAT) is a Python library for Deep Learning Security based on PaddlePaddle.

Paddle-Adversarial-Toolbox Paddle-Adversarial-Toolbox (PAT) is a Python library for Deep Learning Security based on PaddlePaddle. Model Zoo Common FGS

AgentMaker 17 Nov 8, 2022
This framework implements the data poisoning method found in the paper Adversarial Examples Make Strong Poisons

Adversarial poison generation and evaluation. This framework implements the data poisoning method found in the paper Adversarial Examples Make Strong

null 31 Nov 1, 2022
LBK 20 Dec 2, 2022
Code for the prototype tool in our paper "CoProtector: Protect Open-Source Code against Unauthorized Training Usage with Data Poisoning".

CoProtector Code for the prototype tool in our paper "CoProtector: Protect Open-Source Code against Unauthorized Training Usage with Data Poisoning".

Zhensu Sun 1 Oct 26, 2021
This code uses generative adversarial networks to generate diverse task allocation plans for Multi-agent teams.

Mutli-agent task allocation This code uses generative adversarial networks to generate diverse task allocation plans for Multi-agent teams. To change

Biorobotics Lab 5 Oct 12, 2022
Multitask Learning Strengthens Adversarial Robustness

Multitask Learning Strengthens Adversarial Robustness

Columbia University 15 Jun 10, 2022
Official repository for Jia, Raghunathan, Göksel, and Liang, "Certified Robustness to Adversarial Word Substitutions" (EMNLP 2019)

Certified Robustness to Adversarial Word Substitutions This is the official GitHub repository for the following paper: Certified Robustness to Adversa

Robin Jia 38 Oct 16, 2022
Implementations of orthogonal and semi-orthogonal convolutions in the Fourier domain with applications to adversarial robustness

Orthogonalizing Convolutional Layers with the Cayley Transform This repository contains implementations and source code to reproduce experiments for t

CMU Locus Lab 36 Dec 30, 2022
Consistency Regularization for Adversarial Robustness

Consistency Regularization for Adversarial Robustness Official PyTorch implementation of Consistency Regularization for Adversarial Robustness by Jiho

null 40 Dec 17, 2022
Pytorch implementation for "Adversarial Robustness under Long-Tailed Distribution" (CVPR 2021 Oral)

Adversarial Long-Tail This repository contains the PyTorch implementation of the paper: Adversarial Robustness under Long-Tailed Distribution, CVPR 20

Tong WU 89 Dec 15, 2022
Improving adversarial robustness by a coupling rejection strategy

Adversarial Training with Rectified Rejection The code for the paper Adversarial Training with Rectified Rejection. Environment settings and libraries

Tianyu Pang 29 Jan 6, 2023
Imbalanced Gradients: A Subtle Cause of Overestimated Adversarial Robustness

Imbalanced Gradients: A Subtle Cause of Overestimated Adversarial Robustness Code for Paper "Imbalanced Gradients: A Subtle Cause of Overestimated Adv

Hanxun Huang 11 Nov 30, 2022
Code repository accompanying the paper "On Adversarial Robustness: A Neural Architecture Search perspective"

On Adversarial Robustness: A Neural Architecture Search perspective Preparation: Clone the repository: https://github.com/tdchaitanya/nas-robustness.g

Chaitanya Devaguptapu 4 Nov 10, 2022
A Python library that enables ML teams to share, load, and transform data in a collaborative, flexible, and efficient way :chestnut:

Squirrel Core Share, load, and transform data in a collaborative, flexible, and efficient way What is Squirrel? Squirrel is a Python library that enab

Merantix Momentum 249 Dec 7, 2022
A graph adversarial learning toolbox based on PyTorch and DGL.

GraphWar: Arms Race in Graph Adversarial Learning NOTE: GraphWar is still in the early stages and the API will likely continue to change. ?? Installat

Jintang Li 54 Jan 5, 2023
LaneDet is an open source lane detection toolbox based on PyTorch that aims to pull together a wide variety of state-of-the-art lane detection models

LaneDet is an open source lane detection toolbox based on PyTorch that aims to pull together a wide variety of state-of-the-art lane detection models. Developers can reproduce these SOTA methods and build their own methods.

TuZheng 405 Jan 4, 2023
Data-depth-inference - Data depth inference with python

Welcome! This readme will guide you through the use of the code in this reposito

Marco 3 Feb 8, 2022
QuickAI is a Python library that makes it extremely easy to experiment with state-of-the-art Machine Learning models.

QuickAI is a Python library that makes it extremely easy to experiment with state-of-the-art Machine Learning models.

null 152 Jan 2, 2023