Adversarial-robustness-toolbox

Latest version: v1.18.2


1.8.1

This release of ART 1.8.1 provides updates to ART 1.8.

Added

- Added support for `torch.Tensor` inputs and required argument `input_shape` to `art.estimators.object_tracking.PyTorchGoturn`. (1348)

Changed

- Changed supported PyTorch version check to include `torch==1.9` and `torchvision==0.10` to exception in `art.estimators.object_detection.PyTorchObjectDetector`. (1356)


Removed

[None]

Fixed

- Fixed docstring and cuda device support in `art.attacks.evasion.AdversarialPatchPyTorch`. (1333)

1.8.0

This release of ART v1.8.0 introduces the first estimators for object tracking and regression, adds a general model-independent object detection estimator and new membership inference attacks.

Added

- Added estimator for object tracker GOTURN in PyTorch in `art.estimators.object_tracking.PyTorchGoturn` (1318)
- Added estimator for scikit-learn DecisionTreeRegressor in `art.estimators.regression.ScikitlearnDecisionTreeRegressor` and added compatibility in attacks `AttributeInferenceBlackBox` and `MembershipInferenceBlackBox` (1272)
- Added general estimator for all object detection models of `torchvision` in `art.estimators.object_detection.PyTorchObjectDetector` (1295)
- Added membership inference attack based on boundary attacks with general threshold selection by Li and Zhang (1197)

Changed

- Changed `art.estimators.classification.BlackboxClassifier*` to also accept recorded input/prediction data pairs, instead of a callable providing predictions by evaluating the attacked model, enabling attacks on prediction data only without the necessity for direct access to the attacked model (1247)
- Moved patched Lingvo decoder to `art.contrib` (1261)

Removed

- Removed `art.classifiers` and `art.wrappers`. Both modules have been replaced with tools in `art.preprocessing.expectation_over_transformation`, `art.estimators.classification` and `art.estimators.classification.QueryEfficientGradientEstimationClassifier` (1256)

Fixed

[None]

1.7.2

Not secure
This release of ART 1.7.2 provides updates to ART 1.7.

Added

[None]

Changed

[None]

Removed

[None]

Fixed

- Fixed missing support for index labels in `PyTorchClassifier.compute_loss`. (1264)
- Fixed missing support for `float` in argument `min_epsilon` of `BoundaryAttack`. (1262)
- Fixed support for channels first images in `art/attacks/poisoning/perturbations/image_perturbations.insert_image`. (1290)

1.7.1

Not secure
This release of ART 1.7.1 provides updates to ART 1.7.

Added

- Added wrapper `Mp3CompressionPyTorch` for `Mp3Compression` to make it compatible with PyTorch-specific attack implementations. (1210)
- Added new install option `non-framework` to `setup.py` to install all non-framework dependencies of ART. (1209)
- Added wrapper `VideoCompressionPyTorch` for `VideoCompression` to make it compatible with PyTorch-specific attack implementations. (1210)

Changed

- Changed `Mp3Compression` to add back reapplication of normalization to the compressed result. (1210)
- Changed `KerasClassifier.fit` to use batching provided by the method `fit` of the Keras model. (1182)

Removed

[None]

Fixed

- Fixed bug where the user-provided device type was not passed to the standardisation preprocessor in all `PyTorchEstimator`, which instead always used the default `gpu`; the user-provided device type is now used. (1223)
- Fixed bug in method `BaseEstimator.fit_generator` so that, when fitting generators with preprocessing defined, preprocessing is not applied twice. (1219)
- Fixed bug in `ImperceptibleASRPyTorch` to prevent NaN loss value for batch size larger than 1 by removing unnecessary zero-padding. (1198)
- Fixed two bugs in `OverTheAirFlickeringPyTorch` by making sure, first, that the regularization norms are computed over the whole batch of perturbations rather than per sample's perturbation and, second, that the "roll" operations are performed over the batch samples rather than over the frames. (1192)
- Fixed bug in `SpectralSignatureDefense` that led to rejection of all clean images, by correctly indexing the label data. (1189)
- Fixed bug of accidentally removed checks for `apply_fit` and `apply_predict` properties of framework-independent `Preprocessor` tools in `PyTorchEstimator` and `TensorFlowV2Estimator`. With the bug the `Preprocessor` tools were always applied in methods `fit` and `predict` independent of the values of `apply_fit` and `apply_predict`. (1181)
- Fixed bug in `MembershipInferenceBlackBoxRemove.infer` by removing unnecessary shuffling of the test data. (1173)
- Fixed bug in `PixelAttack` and `ThresholdAttack` by casting input data to correct dtype. (1175)

1.7.0

Not secure
This release of ART v1.7.0 introduces many new evasion and inference attacks providing support for the evaluation of malware or tabular data classification, new query-efficient black-box (GeoDA) and strong white-box (Feature Adversaries) evaluation methods. Furthermore, this release introduces an easy-to-use estimator for Espresso ASR models to facilitate ASR research and connect Espresso and ART. This release also introduces support for binary classification with single outputs in neural network classifiers and selected attacks. Many more new features and details can be found below:

Added

- Added LowProFool evasion attack for imperceptible attacks on tabular data classification in `art.attacks.evasion.LowProFool`. (1063)
- Added Over-the-Air-Flickering attack in PyTorch for evasion on video classifiers in `art.attacks.evasion.OverTheAirFlickeringPyTorch`. (1077, 1102)
- Added API for speech recognition estimators compatible with Imperceptible ASR attack in PyTorch. (1052)
- Added Carlini&Wagner evasion attack with perturbations in L0-norm in `art.attacks.evasion.CarliniL0Method`. (844, 1109)
- Added support for Deep Speech v3 in `PyTorchDeepSpeech` estimator. (1107)
- Added support for TensorBoard collecting evolution of norms (L1, L2, and Linf) of loss gradients per batch, adversarial patch, and total loss and its model-specific components where available (e.g. PyTorchFasterRCNN) in `AdversarialPatchPyTorch`, `AdversarialPatchTensorFlow`, `FastGradientMethod`, and all `ProjectedGradientDescent*` attacks. (1071)
- Added `MalwareGDTensorFlow` attack for evasion on malware classification of portable executables supporting append based, section insertion, slack manipulation, and DOS header attacks. (1015)
- Added Geometric Decision-based Attack (GeoDA) in `art.attacks.evasion.GeoDA` for query-efficient black-box attacks on decision labels using DCT noise. (1001)
- Added framework-specific Feature Adversaries implementations in PyTorch and TensorFlow v2 as an efficient white-box attack generating adversarial examples imitating intermediate representations at multiple layers in `art.attacks.evasion.FeatureAdversaries*`. (1128, 1142, 1156)
- Added attribute inference attack based on membership inference in `art.attacks.inference.AttributeInferenceMembership`. (1132)
- Added support for binary classification with neural networks with a single output neuron in `FastGradientMethod`, and all `ProjectedGradientDescent*` attacks. Neural network binary classifiers with a single output require setting `nb_classes=2` and labels `y` in shape (nb_samples, 1) or (nb_samples,) containing 0 or 1. Backward compatibility for binary classifiers with two outputs is guaranteed with `nb_classes=2` and labels `y` one-hot-encoded in shape (nb_samples, 2). (1118)
- Added estimator for Espresso ASR models in `art.estimators.speech_recognition.PyTorchEspresso` with support for attacks with `FastGradientMethod`, `ProjectedGradientDescent` and `ImperceptibleASRPyTorch`. (1036)
- Added deprecation warnings for `art.classifiers` and `art.wrappers` to be replaced with `art.estimators`. (1154)

Changed

- Changed `art.utils.load_iris` to use Iris dataset from `sklearn.datasets` instead of `archive.ics.uci.edu`. (1097)
- Changed `HopSkipJump` to check for NaN in the adversarial example candidates and return original (benign) sample if at least one NaN is detected. (1124)
- Changed `SquareAttack` to accept user-defined loss and adversarial criterion definitions to enable black-box attacks on all machine learning tasks on images beyond classification. (1127)
- Changed `PyTorchFasterRCNN.loss_gradients` to process each sample separately to avoid issues with gradient propagation with `torch>=1.7`. (1138)

Removed

[None]

Fixed

- Fixed workaround in `art.defences.preprocessor.Mp3Compression` related to a bug in earlier versions of `pydub`. (419)
- Fixed bug in Pixel Attack and Threshold Attack for images with pixels in range [0, 1]. (990)

1.6.2

Not secure
This release of ART 1.6.2 provides updates to ART 1.6.

Added

- Added targeted option to `RobustDpatch` (1069)
- Added option `standardise_output` to define provided label format (1069)
- Added property `native_label_is_pytorch_format` to object detectors to define label format expected by the model (1069)

Changed

- Changed `Dpatch` and `RobustDpatch` to work internally with PyTorchFasterRCNN's object detection label format and convert labels if provided in `TensorFlowFasterRCNN`'s format accordingly using option `standardise_output` (1069)
- Changed `setup.py` to only contain core dependencies in `install_requires` and added additional install options `tensorflow_image`, `tensorflow_audio`, `pytorch_image`, and `pytorch_audio` (1116)
- Changed check for version of `torch` and `torchvision` in `AdversarialPatchPyTorch` to account for suffixes like `+cu102` (1115)
- Changed `art.utils.load_iris` to use `sklearn.datasets.load_iris` instead of downloading from `https://archive.ics.uci.edu/ml/machine-learning-databases/iris/iris.data` (1097)

Removed

- Removed unnecessary requirement for `scores` in labels `y` for `TensorFlowFasterRCNN.loss_gradient` and `PyTorchFasterRCNN.loss_gradient` (1069)

Fixed

- Fixed docstrings of methods `predict` and `loss_gradient` to correctly describe the expected and provided label format (1069)
- Fixed bug of missing transfer of tensor to device in `ProjectedGradientDescentPyTorch` (1076)
- Fixed bug resulting in wrong loss gradients calculated with `ScikitlearnLogisticRegression.loss_gradient` (1065)
