Adversarial-robustness-toolbox

Latest version: v1.18.2

Page 3 of 10

1.13.0

This release of ART 1.13.0 introduces a black-box regression estimator, DP-InstaHide, an object detection estimator for TensorFlow v2, and more.

Added

- Added `CutOut` data augmentation as preprocessor in Numpy, TensorFlow and PyTorch (1850)
- Added `MixUp` data augmentation as preprocessor in Numpy, TensorFlow and PyTorch (1885)
- Added `CutMix` data augmentation as preprocessor in Numpy, TensorFlow and PyTorch (1910)
- Added regression estimator for black-box scenario (1930)
- Added additional model support for shadow models (1930)
- Added Numpy-based data generator to support very large datasets (1934)
- Added object detection estimator for Faster-RCNN in TensorFlow v2 (1951)
- Added DP-InstaHide training for classification with differentially private data augmentations (1956)
- Added Interval Bound Propagation for certified classification in PyTorch (1965)

Changed

[None]

Removed

[None]

Fixed

- Fixed unexpected shape in `art.utils.load_cifar10` for loading raw dataset (1962)
- Fixed bug to return correct best poisoning indices in `SleeperAgentAttack` (1955)

1.12.2

This release of ART 1.12.2 provides updates to ART 1.12.

Added

- Added `drop_last` option to method `fit` of `PyTorchClassifier` (1883)

Changed

- Changed documentation of `art.metrics.verification_decisions_trees.RobustnessVerificationTreeModelsCliqueMethod` to provide additional information (1897)
- Changed Numba to be an optional dependency (1884)
- Changed `BoundaryAttack` to enable binary classification by removing unnecessary input check (1890)

Removed

[None]

Fixed

- Fixed issue caused by missing variable initialization in `SleeperAgentAttack` (1892)
- Fixed bug in `projection_l1_1` and `projection_l1_2` where in rare cases they returned the input point rather than its projection (1870)

1.12.1

This release of ART 1.12.1 provides updates to ART 1.12.

Added

[None]

Changed

[None]

Removed

[None]

Fixed

- Fixed object detection estimator `PyTorchYolo` to not modify tracked statistics of batch-norm layers of the YOLO model during loss and loss gradient calculations (1860)

1.12.0

This release of ART 1.12.0 introduces the first black-box adversarial patch attack, overlapping shadow datasets for membership inference, certified adversarial training, and more.

Added

- Added Sleeper Agent poisoning attack in TensorFlow in `art.attacks.poisoning.SleeperAgentAttack` (1769)
- Added support for overlapping shadow models and black-box model predictions as input in membership inference attacks (1778)
- Added adversarial accuracy as a metric (1779)
- Added function `art.utils.uniform_sample_from_sphere_or_ball` to sample uniformly from either the ball or the sphere with a given norm and radii (1804)
- Added GRAPHITE, black- and white-box evasion attacks generating adversarial patches (1828)
- Added certified adversarial training (1841)

Changed

- Changed `art.attacks.evasion.DPatch` to accept true labels (1780)
- Changed `art.utils.random_sphere` to use a different, faster algorithm for norm=1 based on exponential distribution (1805)

Removed

[None]

Fixed

[None]

1.11.1

This release of ART 1.11.1 provides updates to ART 1.11.

Added

[None]

Changed

[None]

Removed

[None]

Fixed

- Fixed unnecessary check for targeted attacks in `AdversarialPatch` and delegated check to framework-specific implementations (1768)
- Fixed missing transfer to device in `AdversarialPatchPyTorch.apply_patch()` (1771)
- Fixed redundant call to `detach().cpu().numpy()` in `PyTorchClassifier.predict()` (1785)
- Fixed `art.utils.random_sphere()` for `norm=1` to sample uniformly in the L1 ball (1802)
- Fixed PyTorch `detach()` call on Numpy arrays in `PyTorchRegressor` (1824)
- Fixed probability check for multi-dimensional arrays + out of bounds error in binning in the pointwise differential training privacy metric `PDTP` (1825)
- Fixed learning rate decay in `ElasticNet` evasion attack (1833)
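The two `norm=1` entries above, the 1.11.1 fix making `art.utils.random_sphere()` sample uniformly in the L1 ball and the 1.12.0 change to an exponential-distribution based algorithm, describe the same standard construction. The following is an added example, written for this page and not ART's own code: each coordinate is drawn from Exp(1) and normalised by the sum (a uniform point on the simplex), random signs spread it over all orthants of the L1 sphere, and a radial factor of `radius * U**(1/dim)` turns a sphere sample into a uniform ball sample. Function names and the `empirical_check` helper are this example's own.

```python
import random


def l1_norm(x):
    """L1 norm of a point given as a list of floats."""
    return sum(abs(v) for v in x)


def sample_l1_sphere(dim, radius=1.0, rng=None):
    """Draw one point uniformly from the L1 sphere {x : ||x||_1 = radius} in R^dim.

    Exp(1) variates divided by their sum are uniform on the probability simplex;
    a random sign per coordinate maps that face onto all 2^dim faces of the sphere.
    """
    rng = rng or random.Random()
    e = [rng.expovariate(1.0) for _ in range(dim)]
    total = sum(e)
    return [radius * (v / total) * rng.choice((-1.0, 1.0)) for v in e]


def sample_l1_ball(dim, radius=1.0, rng=None):
    """Draw one point uniformly from the L1 ball {x : ||x||_1 <= radius} in R^dim.

    Scaling a sphere sample by radius * U^(1/dim) gives P(||x||_1 <= t) = (t/radius)^dim,
    which is exactly the volume fraction of the smaller ball, i.e. uniform in volume.
    """
    rng = rng or random.Random()
    direction = sample_l1_sphere(dim, 1.0, rng)
    scale = radius * rng.random() ** (1.0 / dim)
    return [scale * v for v in direction]


def empirical_check(dim=8, radius=0.5, n=2000, seed=7):
    """Sanity checks on the two samplers (constructed input: seeded RNG, fixed sizes).

    Returns (sphere_ok, ball_ok, mean_ball_norm). For a uniform ball sample the
    expected L1 norm is radius * dim / (dim + 1); a sampler that only hit the
    surface, or that clustered near the origin, would miss that value.
    """
    rng = random.Random(seed)
    sphere_ok = all(
        abs(l1_norm(sample_l1_sphere(dim, radius, rng)) - radius) < 1e-9
        for _ in range(n)
    )
    ball_norms = [l1_norm(sample_l1_ball(dim, radius, rng)) for _ in range(n)]
    ball_ok = all(nm <= radius + 1e-12 for nm in ball_norms)
    return sphere_ok, ball_ok, sum(ball_norms) / n


if __name__ == "__main__":
    print(empirical_check())
```

The mean-norm check is the one worth keeping around: a perturbation generator that silently samples only the surface (or only small radii) would still pass a "norm within bounds" assertion, so a distributional check is what actually catches the kind of bug the 1.11.1 entry describes.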

1.11.0

This release of ART 1.11.0 introduces estimators for YOLO object detection and regression models, the first audio poisoning attack, new query-efficient black-box evasion attacks, certified defenses against adversarial patch attacks, metrics quantifying membership inference and more.

Added

- Added Momentum-Iterative FGSM evasion attack in `MomentumIterativeMethod` and added optional momentum to loss gradients in `ProjectedGradientDescent*` attacks. (1614)
- Added metrics measuring worst-case scores of membership inference attacks. (1709)
- Added estimator for YOLO v3 models in PyTorch in `PyTorchYolo`. (1715)
- Added estimators for de-randomized smoothing certification against patch attacks in `PyTorchDeRandomizedSmoothing` and `TensorFlowV2DeRandomizedSmoothing`. (1729)
- Added query-efficient hard-label black-box evasion attack Sign-Opt in `SignOPTAttack`. (1730)
- Added Sleeper Agent poisoning attack in PyTorch in `SleeperAgentAttack`. (1736)
- Added exclusionary reclassification to `ActivationDefence`. (1738)
- Added dirty-label backdoor poisoning attack on audio classification in `art.attacks.poisoning.perturbations.audio_perturbations`. (1740)
- Added estimators for regression in `PyTorchRegressor` and `KerasRegressor` for PyTorch and Keras. (1651)
- Added option for targeted attacks to `AdversarialPatch` and `AdversarialPatchNumpy`. (1759)

Changed

- Changed `check_and_transform_label_format` for `nb_classes=None` to automatically determine the number of classes in the provided labels. (1747)
- Added additional documentation to `ZOOAttack` and cleaned up the code of method `compare`. (1648)
- Changed default value for number of epochs `nb_epochs` in `AdversarialTrainerMadryPGD` to match 80,000 training steps of Madry et al. (1758)

Removed

[None]

Fixed

- Fixed `PyTorchClassifier.clone_for_fitting` by deleting optimizer from parameters before calling `set_param()` to avoid creating the cloned model with the old optimizer. (1742)
- Fixed missing propagation of `nb_classes` to method `check_and_transform_label_format` in inference attacks. (1713)

© 2024 Safety CLI Cybersecurity Inc. All Rights Reserved.