Adversarial-robustness-toolbox

Latest version: v1.19.1


1.9.1

This release of ART 1.9.1 provides updates to ART 1.9.

Added

- Added support for TensorFlow 1.15 as backend in `KerasClassifier.compute_loss`. (1466)
- Added support for input range [0, 1] in `art.defences.preprocessor.VideoCompression*`. (1470)

Changed

[None]

Removed

[None]

Fixed

- Fixed bug in `art.utils.load_nursery` for loading nursery dataset with argument `raw=True`. (1460)
- Fixed import of `matplotlib` to keep it an optional dependency. (1467)
- Fixed bug to allow preprocessing defences to be applied in `PyTorchGoturn.predict` by adding back missing sample dimension. (1470)
- Fixed bug in `PyTorchClassifier.get_activations` to also apply preprocessing if argument `framework=True`. This fix likely changes the results obtained with `BullseyePolytopeAttackPyTorch`, the main attack using `framework=True`. (1471)

1.9.0

This release of ART 1.9.0 introduces the first evasion attack specifically designed against object tracking applications and able to distinguish foreground and background objects, the first evasion attack against image classifiers simulating attacks with laser beams on target objects, the new Summary Writer API to collect attack internal custom metrics, a defense against general poisoning attacks and tools for shadow model training to support membership inference attacks.

Added

- Added tools for training shadow models and generating shadow-datasets in support of membership inference attacks in `art.attacks.inference.membership_inference.shadow_models`. (1345, 1395)
- Added hill-climbing synthetic data generation algorithm (Shokri et al., 2017) to train shadow models without access to actual data. (1345, 1395)
- Added experimental estimator for classification models in JAX in `art.experimental.estimators.classification.JaxClassifier` (1360)
- Added Deep Partition Aggregation as classification estimator in `art.estimators.classification.DeepPartitionEnsemble` to defend against general poisoning attacks (1397)
- Added Adversarial Laser Beam attack in `art.attacks.evasion.LaserAttack` as an easy-to-realize physical evasion attack (1398)
- Added customizable Summary Writer API in `art.summary_writer.SummaryWriter` to collect attack-internal metrics in supported attacks, providing the collected metrics in TensorBoard format for analysis (1416)
- Added Indicators of Attack Failure (Pintor et al., 2021) as metrics in default summary writer `art.summary_writer.SummaryWriterDefault` (1416)
- Added Adversarial Texture Attack against object tracking models in `art.attacks.evasion.AdversarialTexturePyTorch`. The attack distinguishes foreground and background objects to create textures/patches that work even if partially covered. (1430)

Changed

- Changed implementation of Carlini & Wagner L_inf attack in `art.attacks.evasion.CarliniLInfMethod` to exactly reproduce performance of reference implementation (1380)
- Changed `art.defences.preprocessor.preprocessor.PreprocessorPyTorch` to accept `device_type` in `__init__` to set attribute `_device` for all PyTorch preprocessors in a single location (1444)

Removed

- Removed deprecated Numpy scalar type names (1296)
- Removed outdated comments in `tests.attacks.test_simba` that SimBA would not support PyTorch (1423)

Fixed

- Fixed missing support for input with more than one input image in `art.attacks.evasion.SimBA.generate`; previously only the first sample was attacked if more than one image was provided. (1422)
- Fixed `art.attacks.poisoning.perturbations.insert_image` to preserve dtype of input images in the returned output images (1441)
- Fixed missing transformation of binary index to one-hot encoded labels in `art.utils.check_and_transform_label_format` for argument `return_one_hot=True` (1443)

1.8.1

This release of ART 1.8.1 provides updates to ART 1.8.

Added

- Added support for `torch.Tensor` inputs and required argument `input_shape` to `art.estimators.object_tracking.PyTorchGoturn`. (1348)

Changed

- Changed supported PyTorch version check to include `torch==1.9` and `torchvision==0.10` to exception in `art.estimators.object_detection.PyTorchObjectDetector`. (1356)


Removed

[None]

Fixed

- Fixed docstring and cuda device support in `art.attacks.evasion.AdversarialPatchPyTorch`. (1333)

1.8.0

This release of ART v1.8.0 introduces the first estimators for object tracking and regression, adds a general model-independent object detection estimator and new membership inference attacks.

Added

- Added estimator for object tracker GOTURN in PyTorch in `art.estimators.object_tracking.PyTorchGoturn` (1318)
- Added estimator for scikit-learn DecisionTreeRegressor in `art.estimators.regression.ScikitlearnDecisionTreeRegressor` and added compatibility in attacks `AttributeInferenceBlackBox` and `MembershipInferenceBlackBox` (1272)
- Added general estimator for all object detection models of `torchvision` in `art.estimators.object_detection.PyTorchObjectDetector` (1295)
- Added membership inference attack based on boundary attacks with general threshold selection by Li and Zhang (1197)

Changed

- Changed `art.estimators.classification.BlackboxClassifier*` to also accept recorded input/prediction data pairs, instead of a callable providing predictions by evaluating the attacked model, enabling attacks on prediction data only without the necessity for direct access to the attacked model (1247)
- Moved patched Lingvo decoder to `art.contrib` (1261)

Removed

- Removed `art.classifiers` and `art.wrappers`; both modules have been replaced with tools in `art.preprocessing.expectation_over_transformation`, `art.estimators.classification` and `art.estimators.classification.QueryEfficientGradientEstimationClassifier` (1256)

Fixed

[None]

1.7.2

Not secure
This release of ART 1.7.2 provides updates to ART 1.7.

Added

[None]

Changed

[None]

Removed

[None]

Fixed

- Fixed missing support for index labels in `PyTorchClassifier.compute_loss`. (1264)
- Fixed missing support for `float` in argument `min_epsilon` of `BoundaryAttack`. (1262)
- Fixed support for channels first images in `art/attacks/poisoning/perturbations/image_perturbations.insert_image`. (1290)

1.7.1

Not secure
This release of ART 1.7.1 provides updates to ART 1.7.

Added

- Added wrapper `Mp3CompressionPyTorch` for `Mp3Compression` to make it compatible with PyTorch-specific attack implementations. (1210)
- Added new install option `non-framework` to `setup.py` to install all non-framework dependencies of ART. (1209)
- Added wrapper `VideoCompressionPyTorch` for `VideoCompression` to make it compatible with PyTorch-specific attack implementations. (1210)

Changed

- Changed `Mp3Compression` to add back reapplication of normalization to the compressed result. (1210)
- Changed `KerasClassifier.fit` to use batching provided by the method `fit` of the Keras model. (1182)

Removed

[None]

Fixed

- Fixed bug of not passing user-provided device type, and instead always using default `gpu`, to standardisation preprocessor in all `PyTorchEstimator` by using user-provided device type. (1223)
- Fixed bug in method `BaseEstimator.fit_generator` for fitting generators in cases where preprocessing is defined to not apply preprocessing twice. (1219)
- Fixed bug in `ImperceptibleASRPyTorch` to prevent NaN loss value for batch size larger than 1 by removing unnecessary zero-padding. (1198)
- Fixed two bugs in `OverTheAirFlickeringPyTorch`: first, the regularization norms are now computed over the whole batch of perturbations rather than per sample's perturbation; second, the "roll" operations are now performed over the batch samples rather than over the frames. (1192)
- Fixed bug in `SpectralSignatureDefense` that led to rejections of all clean images, by correctly indexing the label data. (1189)
- Fixed bug of accidentally removed checks for `apply_fit` and `apply_predict` properties of framework-independent `Preprocessor` tools in `PyTorchEstimator` and `TensorFlowV2Estimator`. With the bug the `Preprocessor` tools were always applied in methods `fit` and `predict` independent of the values of `apply_fit` and `apply_predict`. (1181)
- Fixed bug in `MembershipInferenceBlackBoxRemove.infer` by removing unnecessary shuffling of the test data. (1173)
- Fixed bug in `PixelAttack` and `ThresholdAttack` by casting input data to correct dtype. (1175)
