Adversarial-robustness-toolbox

Latest version: v1.19.1

1.11.1

This release of ART 1.11.1 provides updates to ART 1.11.

Added

[None]

Changed

[None]

Removed

[None]

Fixed

- Fixed unnecessary check for targeted attacks in `AdversarialPatch` and delegated the check to framework-specific implementations (1768)
- Fixed missing transfer to device in `AdversarialPatchPyTorch.apply_patch()` (1771)
- Fixed redundant call to `detach().cpu().numpy()` in `PyTorchClassifier.predict()` (1785)
- Fixed `art.utils.random_sphere()` for `norm=1` to sample uniformly in the L1 ball (1802)
- Fixed PyTorch `detach()` call on NumPy arrays in `PyTorchRegressor` (1824)
- Fixed probability check for multi-dimensional arrays and an out-of-bounds error in binning in the pointwise differential training privacy metric `PDTP` (1825)
- Fixed learning rate decay in `ElasticNet` evasion attack (1833)

1.11.0

This release of ART 1.11.0 introduces estimators for YOLO object detection and regression models, the first audio poisoning attack, new query-efficient black-box evasion attacks, certified defenses against adversarial patch attacks, metrics quantifying membership inference and more.

Added

- Added Momentum-Iterative FGSM evasion attack in `MomentumIterativeMethod` and added optional momentum to loss gradients in `ProjectedGradientDescent*` attacks. (1614)
- Added metrics measuring worst-case scores of membership inference attacks. (1709)
- Added estimator for YOLO v3 models in PyTorch in `PyTorchYolo`. (1715)
- Added estimators for de-randomized smoothing certification against patch attacks in `PyTorchDeRandomizedSmoothing` and `TensorFlowV2DeRandomizedSmoothing`. (1729)
- Added query-efficient hard-label black-box evasion attack Sign-Opt in `SignOPTAttack`. (1730)
- Added Sleeper Agent poisoning attack in PyTorch in `SleeperAgentAttack`. (1736)
- Added exclusionary reclassification to `ActivationDefence`. (1738)
- Added dirty-label backdoor poisoning attack on audio classification in `art.attacks.poisoning.perturbations.audio_perturbations`. (1740)
- Added estimators for regression in `PyTorchRegressor` and `KerasRegressor` for PyTorch and Keras. (1651)
- Added option for targeted attacks to `AdversarialPatch` and `AdversarialPatchNumpy`. (1759)

Changed

- Changed `check_and_transform_label_format` for `nb_classes=None` to automatically determine the number of classes in the provided labels. (1747)
- Added additional documentation to `ZOOAttack` and cleaned up the code of method `compare`. (1648)
- Changed default value for number of epochs `nb_epochs` in `AdversarialTrainerMadryPGD` to match 80'000 training steps of Madry et al. (1758)

Removed

[None]

Fixed

- Fixed `PyTorchClassifier.clone_for_refitting` by deleting the optimizer from the parameters before calling `set_param()` to avoid creating the cloned model with the old optimizer. (1742)
- Fixed missing propagation of `nb_classes` to method `check_and_transform_label_format` in inference attacks. (1713)

1.10.3

This release of ART 1.10.3 provides updates to ART 1.10.

Added

[None]

Changed

[None]
Removed

[None]

Fixed

- Fixed missing zeroing of gradients in PyTorch variable of the adversarial patch in `art.attacks.evasion.AdversarialTexturePyTorch` (1724, 1726)

1.10.2

This release of ART 1.10.2 provides updates to ART 1.10.

Added

[None]

Changed

- Changed `PyTorchClassifier` to use a new optimizer when cloned with `clone_for_refitting` (1580)
- Changed class names of `art.estimators.gan.*` and `art.estimators.generator.*` to follow naming convention (1655)
- Changed `Mp3CompressionPyTorch` and `PyTorchDeepSpeech` to add support for samples in 2D non-object arrays (1680, 1702)
- Changed file name `python_object_detector.py` to `pytorch_object_detector.py` to follow naming convention (1687)
- Changed `CarliniLInfMethod` by adding argument for `batch_size` (1699)

Removed

[None]

Fixed

- Fixed required dependency on TensorFlow (1655)
- Fixed bug in `ImperceptibleASRPyTorch` by adding missing `.detach().cpu()` and `.cpu()` calls (1677)
- Fixed bug in `art.estimators.certification.randomized_smoothing` estimators to correctly apply Gaussian noise (1678)
- Fixed bug in the `GaussianNoise` post-processing defence to keep the number of dimensions constant during normalisation (1684)
- Fixed bug in `RobustDPatch` for channels first images to correctly un-transform loss gradients (1693)
- Fixed bug in support for numpy arrays in logger of `PoisoningAttackCleanLabelBackdoor` (1698)

1.10.1

This release of ART 1.10.1 provides updates to ART 1.10.

Added

[None]

Changed

- Changed `AdversarialTrainerMadryPGD.fit` to support arguments `nb_epochs` and `batch_size` (1612)
- Changed `GradientMatchingAttack` to add support for models with undefined input shape by abstracting the shape information from the input data (1624)
- Changed `PyTorchObjectDetector` to support inputs with number of channels other than 1 and 3 (1633)

Removed

[None]

Fixed

- Fixed incorrect handling of true regression labels in attribute inference attacks (1598)
- Fixed `AdversarialPatchPyTorch.apply_patch` to correctly check if `mask` is `None` (1607)

1.10.0

This release of ART 1.10.0 introduces multiple poisoning attacks on image classification and deep generative models, the first attack with dynamic patches on object tracking in videos, classification certification based on zonotope representations, EoT support for object detection in image rotation and center cropping, new features for attribute inference attacks and more.

Added

- Added Gradient Matching (Witches' Brew) attack `art.attacks.poisoning.GradientMatchingAttack` in TensorFlow (1587)
- Added functions `projection_l1_1` and `projection_l1_2` to `art.utils` for two algorithms computing orthogonal projections on L1-norm balls (1586)
- Added perspective transformations to `art.attacks.evasion.AdversarialTexturePyTorch` attack to enable dynamic texture/patches (1557)
- Added support for object detection in `art.attacks.evasion.AdversarialPatchPyTorch` (1535)
- Added new features to attribute inference attacks including support for optional use of true labels in black-box attribute inference attacks, automatic calculation of values in fit() method, additional scaling method for labels/predictions and an additional attack model type (random forest) (1534)
- Added estimator `art.estimators.certification.PytorchDeepZ` based on DeepZ for robustness certification using zonotope representations of datapoints (1531)
- Added Expectation over Transformation (EoT) for rotation and centre crop with support for classification and object detection (1516)
- Added support for SummaryWriter in `art.attacks.evasion.RobustDpatch` (1513)
- Added PGD L-Inf optimizer to `art.attacks.evasion.AdversarialPatch*` attacks (1495)
- Added two backdoor poisoning attacks, Red in `art.attacks.poisoning.BackdoorAttackDGMReD` and Trail in `art.attacks.poisoning.BackdoorAttackDGMTrail`, targeting Deep Generative Models (1490)
- Added Hidden Trigger Backdoor Poisoning Attack in Keras and PyTorch in `art.attacks.poisoning.HiddenTriggerBackdoor` (1487)
- Added Feature Collision Poisoning Attack in PyTorch in `art.attacks.poisoning.FeatureCollisionAttack` (1435)

Changed

- Changed imports of TensorFlow v2 in `TensorFlowClassifier` to support TensorFlow v1 compatibility mode (1560)
- Changed Python used for unit testing to newer versions, upgraded style checks and improved code quality (1517)

Removed

[None]

Fixed

- Fixed import of Scipy in `PixelThreshold` attack to support `scipy>=1.8` (1589)
- Fixed bug of missing attribute in `PixelAttack` for scaled images (1574)
- Fixed use of `torchaudio.functional.magphase` in `PyTorchDeepSpeech` to support Deep Speech 2 version 3 with `torch>=1.10` (1550)
- Fixed method `fit` of `ScikitlearnRegressor` to process labels correctly (1537)
- Fixed scalar names of Indicators of Attack Failure 2 and 3 for aggregated losses (1512)
- Fixed raising of `DataConversionWarning` when fitting black-box membership inference attacks with `attack_model_type` 'rf' or 'gb' (1488)
