Adversarial-robustness-toolbox

Latest version: v1.18.2


1.4.3

Not secure
This release of ART v1.4.3 provides updates to ART 1.4.

Added

[None]

Changed

- Changed argument `y` of method `infer` of `art.attacks.inference.attribute_inference.AttributeInferenceBlackBox` from optional to required. (750)

Removed

[None]

Fixed

- Fixed bug in `art.data_generators.PyTorchDataGenerator` and `art.data_generators.MXDataGenerator` where method `get_batch` always returned the same first batch of the dataset; it now returns different batches for each method call by iterating over the entire dataset. (731)
- Fixed format of return value of method `infer` of `art.attacks.inference.membership_inference.MembershipInferenceBlackBox` for `attack_model_type="nn"`. (741)

1.4.2

Not secure
This release of ART v1.4.2 provides updates to ART 1.4.

Added

- Added implementation of method `loss` for `art.estimators.classification.TensorFlowClassifier`. (685)
- Added support for variable length input to `art.defences.preprocessor.MP3Compression` to make it compatible with estimator `art.estimators.speech_recognition.PyTorchDeepSpeech`. (684)
- Added support for `mask` in non-classification tasks with `art.attacks.evasion.ProjectedGradientDescent`. (682)
- Added support for `torch.Tensor` as input for `loss_gradient` of `art.estimators.object_detection.PyTorchFasterRCNN`. (679)
- Added support for `art.attacks.evasion.ProjectedGradientDescent` and `art.attacks.evasion.FastGradientMethod` attacks on `art.estimators.speech_recognition.PyTorchDeepSpeech`. (669)
- Added exception and explanation if target labels are not provided in `generate` of `art.attacks.evasion.ImperceptibleASRPytorch`. (677)
- Added support for preprocessing defences in `art.estimators.speech_recognition.PyTorchDeepSpeech`. (663)
- Added support for type `List` in argument `patch_shape` of `art.attacks.evasion.DPatch`. (662)
- Added support for option `verbose` to all `art.attacks` and `art.defences` to adjust output of progress bars. (647)

Changed

- Changed `art.attacks.evasion.AutoProjectedGradientDescent` to support estimators for classification of all frameworks using the estimator's loss function, to use the new method `loss` of the Estimator API replacing internal custom loss functions, and to disable for now the loss type `difference_logits_ratio` for `art.estimators.classification.TensorFlowClassifier` (TensorFlow v1.x) because of inaccurate loss calculation. (685)
- Changed default format of returned values of method `predict` in `art.estimators.speech_recognition.PyTorchDeepSpeech` from a tuple of probabilities and sequence lengths to an array of transcriptions (array of predicted strings), which is the same format as labels `y` and the returned values of other estimators in `art.estimators.speech_recognition`. The former output can still be obtained with option `transcription_output=False`. This change also enables using `PyTorchDeepSpeech` with `ProjectedGradientDescent` and `FastGradientMethod` in cases where no labels are provided to their method `generate` and these attacks use the labels predicted by `PyTorchDeepSpeech`'s method `predict`. (689)
- Changed `art.attacks.evasion.DPatch` to improve initialisation of the patch for input ranges other than [0, 255] and updated the iteration over batches. (681)
- Changed `art.attacks.evasion.DPatch` to accept the updated return format of method `predict` of estimators in `art.estimators.object_detection`. (667)
- Changed return format of method `predict` of estimators in `art.estimators.object_detection` to follow the format of `art.estimators.object_detection.PyTorchFasterRCNN` and type `np.ndarray`. (660)

Removed

- Removed unsupported argument `loss_scale` in `art.estimators.speech_recognition.PyTorchDeepSpeech`. (642)

Fixed

- Fixed missing setting of property `targeted` in `art.attacks.evasion.ImperceptibleASRPytorch`. (676)
- Fixed bug in method `loss` of `art.estimators.classification.KerasClassifier`. (651)
- Fixed missing attribute `batch_size` in `art.attacks.evasion.SquareAttack`. (646)
- Fixed missing imports in `art.estimators.object_detection.TensorFlowFasterRCNN`. (648)
- Fixed bug in `art.attacks.evasion.ImperceptibleASRPytorch` to correctly apply `learning_rate_2nd_stage` instead of `learning_rate_1st_stage` in the second stage. (642)

1.4.1

Not secure
This release of ART v1.4.1 provides updates to ART 1.4.

Added

- Added a notebook demonstrating the Imperceptible ASR evasion attack on the DeepSpeech model for speech recognition tasks. (639)


Changed

- Changed the detection of Keras type (`keras` vs. `tensorflow.keras`) in `art.estimators.classification.KerasClassifier` to enable customised models inheriting from the Keras base models (631)

Removed

[None]

Fixed

- Fixed bug in model-specific estimator for DeepSpeech `art.estimators.speech_recognition.PyTorchDeepSpeech` to correctly handle the case of batches of samples with identical length including the special case of a batch of a single sample. (635)
- Fixed bug in model-specific estimator for DeepSpeech `art.estimators.speech_recognition.PyTorchDeepSpeech` by adding missing imports (621)
- Fixed bug to make all tools of ART accessible using `import art` (612)
- Fixed bug by removing top-level imports of tool-specific dependencies and adapting default values (613)
- Fixed wrong progress bar description in `art.attacks.evasion.projected_gradient_descent.*` from iterations to batches (611)

1.4.0

Not secure
This release of ART v1.4.0 introduces framework-specific preprocessing defences, Membership Inference attacks, and support for attacks on Automatic Speech Recognition (ASR) tasks to ART. This release also adds and improves multiple evasion and poisoning attacks and defenses.

Added

- Added framework-specific preprocessing defences for PyTorch and TensorFlow v2 in all estimators. This extends the preprocessing defences of ART beyond the framework-independent implementations in NumPy of earlier ART versions and enables using a framework's automatic differentiation to pass accurate loss gradients backwards through the preprocessing defences. Furthermore, this also adds the first framework-specific implementations of preprocessing Spatial Smoothing defences in PyTorch and TensorFlow v2, `art.defences.preprocessor.SpatialSmoothingPyTorch` and `art.defences.preprocessor.SpatialSmoothingTensorFlowV2`. (510, 574)
- Added Membership Inference attacks to evaluate leaks of information about individual training data records `art.attacks.inference.membership_inference` (573)
- Added Neural Cleanse defense against poisoned models. This is the first transformation defense against poisoning which accepts a potentially poisoned model and returns a transformed version of the model defended against the effects of the poisoning `art.defences.transformer.poison.NeuralCleanse` (604)
- Added Imperceptible ASR evasion attack against Automatic Speech Recognition in PyTorch `art.attacks.evasion.ImperceptibleASRPytorch` (605)
- Added Adversarial Embedding poisoning attack `art.attacks.poisoning.PoisoningAttackAdversarialEmbedding` (561)
- Added new framework- and model-specific estimator for DeepSpeech in PyTorch `art.estimators.speech_recognition.PyTorchDeepSpeech` (581)
- Added support for string type for infinity norm in evasion attacks to facilitate serialisation of arguments (575)
- Added support for targeted attack in `art.attacks.evasion.AutoAttack` (494)
- Added targeted version of `DPatch` evasion attack against object detectors `art.attacks.evasion.DPatch` (599)
- Added property `targeted` to evasion attacks representing if attack is targeted `art.attacks.EvasionAttack` (500)
- Added new framework- and model-specific estimator for Faster-RCNN in TensorFlow `art.estimators.object_detection.TensorFlowFasterRCNN` (487)
- Added `ShapeShifter` evasion attack against object detectors `art.attacks.evasion.ShapeShifter` (487)
- Added Simple Black-box Adversarial (SimBA) evasion attack `art.attacks.evasion.SimBA` (469)

Changed

- Changed progress bars to adversarial trainer and Projected Gradient Descent implementations (603)
- Changed import paths of Attribute Inference and Model Inversion attacks (592)

Removed

[None]

Fixed

- Fixed bug in Thermometer Encoding preprocessor defense and extended it to support channels first data and video data formats (591)
- Fixed denormalizing in `create_generator_layers` in `utils/resources/create_inverse_gan_models.py` (491)

1.3.3

Not secure
This release of ART 1.3.3 provides updates to ART 1.3.

Added

- Added support for rectangular images and videos (with square and rectangular frames) to the attacks in `art.attacks.evasion.adversarial_patch.AdversarialPatch`. The framework-independent implementation `AdversarialPatchNumpy` supports videos of shape `NFCHW` or `NFHWC` and the framework-specific implementation for TensorFlow v2 `AdversarialPatchTensorFlowV2` supports videos of shape `NFHWC`. For video data the same patch will be located at the same position on all frames. (567)
- Added a warning to `ShadowAttack` to inform users that this implementation currently only works on a single sample in a batch size of one. (556)


Changed

- The `Dockerfile` will now automatically check if `requirements.txt` contains newer versions of the dependencies.
- Changed the CLEVER metric `art.metrics.clever_t` to only calculate required class gradients, which results in a speed-up by a factor of ~4. (539)
- Changed the metric `art.metrics.wasserstein_distance` to automatically flatten the weights of the two inputs. (545)
- Changed `art.attacks.evasion.SquareAttack` to use model predictions if true labels are not provided to method `generate` to follow the convention of the other attacks in ART. (537)

Removed

[None]

Fixed

- Fixed method `set_params` in `art.attacks.evasion.projected_gradient_descent.ProjectedGradientDescent` to correctly update the attributes of the parent class. The attributes of the actual attack implementation have been set correctly before this fix. (560)

1.3.2

Not secure
This release of ART 1.3.2 provides updates to ART 1.3.1.

Added

- Added verbose parameter for `CarliniL2Method`, `CarliniLInfMethod`, and `DeepFool` attacks to disable progress bars.

Changed

- Changed the `Wasserstein` attack to support rectangular images as input (527)
- Changed `UniversalPerturbation` attack to use true labels if provided in internal attacks (526)
- Allow `None` as input for parameter `preprocessing` of estimators (493)
- Allow `eps` to be larger than `eps_step` in `ProjectedGradientDescent` attacks if norm is not `np.inf` (495)

Removed

[None]

Fixed

- Fixed import path for `ProjectedGradientDescent` option in `UniversalPerturbation` attack (525)
- Fixed support for arrays as `clip_values` in `ProjectedGradientDescentPyTorch` attack for PyTorch (521)
- Fixed success criteria for targeted attacks with `AutoProjectedGradientDescent` (513)
- Fixed success criteria for attacks used in `AutoAttack` (508)
- Fixed example for Fast-is-better-than-Free adversarial training (506)
- Fixed dtype in `AutoProjectedGradientDescent` and `SquareAttack` for testing output type of estimator (499)
- Fixed parameters in `_augment_images_with_patch` calls of attack `DPatch` (493)
