Adversarial-robustness-toolbox

This release of ART 1.10.3 provides updates to ART 1.10.

Added

[None]

Changed

[None]


Removed

[None]

Fixed

- Fixed missing zeroing of gradients in PyTorch variable of the adversarial patch in `art.attacks.evasion.AdversarialTexturePyTorch` (1724, 1726 )

This release of ART 1.10.2 provides updates to ART 1.10.

Added

[None]

Changed

- Changed `PyTorchClassifier` to use a new optimizer when cloned with `clone_for_refitting` (1580)
- Changed class names of `art.estimators.gan.*` and `art.estimators.generator.*` to follow naming convention (1655)
- Changed `Mp3CompressionPyTorch` and `PyTorchDeepSpeech` to add support for samples in 2D non-object arrays (1680, 1702)
- Changed file name `python_object_detector.py` to `pytorch_object_detector.py` to follow naming convention (1687)
- Changed `CarliniLInfMethod` by adding argument for `batch_size` (1699).


Removed

[None]

Fixed

- Fixed required dependency on TensorFlow (1655)
- Fixed bug in `ImperceptibleASRPyTorch` by adding missing `.detach().cpu()` and `.cpu()` calls (1677)
- Fixed bug in `art.estimators.certification.randomized_smoothing` estimators to correctly apply Gaussian noise (1678)
- Fixed bug in `GaussianNoise` the post-processing defence to keep number of dimensions constant during normalisation (1684)
- Fixed bug in `RobustDPatch` for channels first images to correctly un-transform loss gradients (1693)
- Fixed bug in support for numpy arrays in logger of `PoisoningAttackCleanLabelBackdoor` (1698)

This release of ART 1.10.1 provides updates to ART 1.10.

Added

[None]

Changed

- Changed `AdversarialTrainerMadryPGD.fit` to support arguments `nb_epochs` and `batch_size` (1612)
- Changed `GradientMatchingAttack` to add support for models with undefined input shape by abstracting the shape information from the input data (1624)
- Changed `PyTorchObjectDetector ` to support inputs with number of channels other than 1 and 3 (1633)

Removed

[None]

Fixed

- Fixed incorrect handling of true regression labels in attribute inference attacks (1598)
- Fixed `AdversarialPatchPyTorch.apply_patch` to correctly check if `mask` is `None` (1607)

This release of ART 1.10.0 introduces multiple poisoning attacks on image classification and deep generative models, the first attack with dynamic patches on object tracking in videos, classification certification based on zonotope representations, EoT support for object detection in image rotation and center cropping, new features for attribute inference attacks and more.

Added

- Added Gradient Matching (Witches' Brew) attack `art.attacks.poisoning.GradientMatchingAttack` in TensorFlow (1587)
- Added functions `projection_l1_1` and `projection_l1_2` to `art.utils` for two algorithms computing orthogonal projections on L1-norm balls (1586)
- Added perspective transformations to `art.attacks.evasion.AdversarialTexturePyTorch` attack to enable dynamic texture/patches (1557)
- Added support for object detection in `art.attacks.evasion.AdversarialPatchPyTorch` (1535)
- Added new features to attribute inference attacks including support for optional use of true labels in black-box attribute inference attacks, automatic calculation of values in fit() method, additional scaling method for labels/predictions and an additional attack model type (random forest) (1534)
- Added estimator `art.estimators.certification.PytorchDeepZ` based on DeepZ for robustness certification using zonotope representations datapoints (1531)
- Added Expectation over Transformation (EoT) for rotation and centre crop with support for classification and object detection (1516)
- Added support for SummaryWriter in `art.attacks.evasion.RobustDpatch` (1513)
- Added PGD L-Inf optimizer to `art.attacks.evasion.AdversarialPatch*` attacks (1495)
- Added two backdoor poisoning attacks, Red in `art.attacks.poisoning.BackdoorAttackDGMReD` and Trail in `art.attacks.poisoning.BackdoorAttackDGMTrail`, targeting Deep Generative Models (1490)
- Added Hidden Trigger Backdoor Poisoning Attack in Keras and PyTorch in `art.attacks.poisoning.HiddenTriggerBackdoor` (1487)
- Added Feature Collision Poisoning Attack in PyTorch in `art.attacks.poisoning.FeatureCollisionAttack` (1435 )

Changed

- Changed imports of TensorFlow v2 in `TensorFlowClassifier` to support TensorFlow v1 compatibility mode (1560)
- Changed Python used for unit testing to newer versions, upgraded style checks and improved code quality (1517)

Removed

[None]

Fixed

- Fixed import of Scipy in `PixelThreshold` attack to support `scipy>=1.8` (1589)
- Fixed bug of missing attribute in `PixelAttack` for scaled images (1574)
- Fixed use of `torchaudio.functional.magphase` in `PyTorchDeepSpeech` to support Deep Speech 2 version 3 with `torch>=1.10` (1550)
- Fixed method `fit`of `ScikitlearnRegressor` to process labels correctly (1537)
- Fixed scalar names of Indicators of Attack Failure 2 and 3 for aggregated losses (1512)
- Fixed raising of DataConversionWarning in fitting black box membership inference attacks with attack_model_type 'rf' or 'gb (1488)

This release of ART 1.9.1 provides updates to ART 1.9.

Added

- Added support for TensorFlow 1.15 as backend in `KerasClassifier.compute_loss`. (1466)
- Added support for input range [0, 1] in `art.defences.preprocessor.VideoCompression*`. (1470)

Changed

[None]

Removed

[None]

Fixed

- Fixed bug in `art.utils.load_nursery` for loading nursery dataset with argument `raw=True`. (1460)
- Fixed import of `matplotlib` to keep it an optional dependency. (1467)
- Fixed bug to allow preprocessing defences to be applied in `PyTorchGoturn.predict` by adding back missing sample dimension. (1470)
- Fixed bug in `PyTorchClassifier.get_activations` to also apply preprocessing if argument `framework=True`. This fix likely changes the results obtained with `BullseyePolytopeAttackPyTorch`, the main attack using `framework=True`. (1471)

This release of ART 1.9.0 introduces the first evasion attack specifically designed against object tracking applications and able to distinguish foreground and background objects, the first evasion attack against image classifiers simulating attacks with laser beams on target objects, the new Summary Writer API to collect attack internal custom metrics, a defense against general poisoning attacks and tools for shadow model training to support membership inference attacks.

Added

- Added tools for training shadow models and generating shadow-datasets in support of membership inference attacks in `art.attacks.inference.membership_inference.shadow_models`. (1345, 1395)
- Added hill-climbing synthetic data generation algorithm (Shokri et al., 2017) to train shadow models without access to actual data. (1345, 1395)
- Added experimental estimator for classification models in JAX in `art.experimental.estimators.classification.JaxClassifier` (1360)
- Added Deep Partition Aggregation as classification estimator in `art.estimators.classification.DeepPartitionEnsemble` to defend against general poisoning attacks (1397)
- Added Adversarial Laser Beam attack in `art.attacks.evasion.LaserAttack` as a easy to realize physical evasion attack (1398)
- Added customizable Summary Writer API in `art.summary_writer.SummaryWriter` to collect attack internal metrics in supported attacks providing collected metrics in TensorBoard format for analysis (1416 )
- Added Indicators of Attack Failure (Pintor et al., 2021) as metrics in default summary writer `art.summary_writer.SummaryWriterDefault` (1416)
- Added Adversarial Texture Attack against object tracking models in `art.attacks.evasion.AdversarialTexturePyTorch`. The attack distinguishes foreground and background objects to create textures/patches that work even if partially covered. (1430)

Changed

- Changed implementation of Carlini & WAgner L_inf attack in `art.attacks.evasion.CarliniLInfMethod` to exactly reproduce performance of reference implementation (1380)
- Changed `art.defences.preprocessor.preprocessor.PreprocessorPyTorch` to accept `device_type` in `__init__` to set attribute `_device` for all PyTorch preprocessors in a single location (1444)

Removed

- Removed deprecated Numpy scalar type names (1296)
- Removed outdated comments in `tests.attacks.test_simba` that SimBA would not support PyTorch (1423)

Fixed

- Fixed missing support for input with more than one input image in `art.attacks.evasion.SimBA.generate`, so far only the first sample had been attacked if more than one image was provided. (1422)
- Fixed `art.attacks.poisoning.perturbations.insert_image` to preserve dtype of input images in the returned output images (1441)
- Fixed missing transformation of binary index to one-hot encoded labels in `art.utils.check_and_transform_label_format` for argument `return_one_hot=True` (1443)