Adversarial-robustness-toolbox

Latest version: v1.19.1

Page 7 of 11

1.5.1

Not secure
This release of ART 1.5.1 provides updates to ART 1.5.

Added

- Added an option to select probability values, in addition to index labels, for model extraction attacks in `art.attacks.extraction.CopycatCNN` and `art.attacks.extraction.KnockoffNets`. (825)
- Added a new notebook demonstrating model extraction attacks and defences. (825)
- Added `art.attacks.evasion.CarliniWagnerASR` as a special case of `art.attacks.evasion.ImperceptibleASR` with `max_iter_stage_2=0`, which skips the second stage of `ImperceptibleASR`. (784)

Changed

- Changed method `generate` of `art.attacks.evasion.ProjectedGradientDescentPyTorch` and `art.attacks.evasion.ProjectedGradientDescentTensorFlowV2` to create a copy of the input data, guarding against models that unexpectedly overwrite their input data. This change follows the implementation of `art.attacks.evasion.ProjectedGradientDescentNumpy` and provides an extra layer of protection against unexpected model behavior. (805)
- Changed numerical precision in `art.attacks.evasion.Wasserstein` from `float` to `double` to reduce numerical overflow in `numpy.log`, and replaced input pixel values of 0 with `EPS_LOG=10^-10` to prevent division by zero in `numpy.log`. (780)
- Changed `tqdm` imports to use `tqdm.auto` to automatically run its Jupyter widgets where supported. (799)
- Improved documentation and argument value checks, and added support for index labels in `art.attacks.inference.membership_inference.LabelOnlyDecisionBoundary`. (790)

Removed

[None]

Fixed

- Fixed bug in `art.estimators.classification.KerasClassifier.custom_loss_gradient()` to support `keras` and `tensorflow.keras`. (810)
- Fixed bug in `art.attacks.evasion.PixelThreshold.generate` to correctly scale images in range [0, 255]. (802)
- Fixed bug in `art.attacks.evasion.PixelThreshold` to run CMA Evolution Strategy `max_iter` iterations instead of 1 iteration. (802)
- Fixed bug in `art.estimators.object_detection.PyTorchFasterRCNN` by adding missing argument `model` in `super().__init__`. (789)

1.5.0

Not secure
Added

- Added a new module `art.evaluations` for evaluation tools that go beyond creating adversarial examples and create insights into the robustness of machine learning models beyond adversarial accuracy and build on `art.estimators` and `art.attacks` as much as possible. The first implemented evaluation tool is `art.evaluations.SecurityCurve` which calculates the security curve, a popular tool to evaluate robustness against evasion, using `art.attacks.evasion.ProjectedGradientDescent` and provides evaluation of potential gradient masking in the evaluated model. (654)

- Added support for perturbation masks in `art.attacks.evasion.AutoProjectedGradientDescent`, similar to `art.attacks.evasion.ProjectedGradientDescent`, and added Boolean masks for patch location sampling in `Dpatch` and all `AdversarialPatch` attacks. These pixel masks define the regions from which patch locations are sampled during patch training, or where trained patches can be applied.

- Added preprocessing for Infinite (IIR) and Finite Impulse Response (FIR) filtering for Room Acoustics Modelling in framework-agnostic (`art.preprocessing.audio.LFilter`) and PyTorch-specific (`art.preprocessing.audio.LFilterPyTorch`) implementations as the first tool for physical environment simulation for audio data in `art.preprocessing.audio`. Additional tools will be added in future releases. (744)

- Added Expectation over Transformation (EoT) to `art.preprocessing.expectation_over_transformation` with a first implementation of sampling image rotation for classification tasks framework-specific for TensorFlow v2 (`art.preprocessing.expectation_over_transformation.EOTImageRotationTensorFlowV2`) providing full support for gradient backpropagation through EoT. Additional EoTs will be added in future releases. (744)

- Added support for multi-modal inputs in `ProjectedGradientDescent` attacks and `FastGradientMethod` attack with broadcastable arguments `eps` and `eps_step` as `np.ndarray` to enable attacks against, for example, images with multi-modal color channels. (691)

- Added Database Reconstruction attack in the new module `art.attacks.inference.reconstruction.DatabaseReconstruction` enabling evaluation of the privacy of machine learning models by reconstructing one removed sample of the training dataset. The attack is demonstrated in a new notebook on models trained non-privately and with differential privacy using the Differential Privacy Library ([DiffPrivLib](https://github.com/IBM/differential-privacy-library)) as defense. (759)

- Added support for one-hot encoded feature definition in black-box attribute inference attacks. (768)

- Added a new model-specific speech recognition estimator for Lingvo ASR in `art.estimators.speech_recognition.TensorFlowLingvoASR`. (584)

- Added a framework-independent implementation of the Imperceptible ASR attack with loss support for TensorFlow and PyTorch in `art.attacks.evasion.ImperceptibleASR`. (719, 760)

- Added Clean Label Backdoor poisoning attack in `art.attacks.poisoning.PoisoningAttackCleanLabelBackdoor`. (725)

- Added Strong Intentional Perturbation (STRIP) defense against poisoning attacks in `art.defences.transformer.poisoning.STRIP`. (656)

- Added Label-only Boundary Distance Attack `art.attacks.inference.membership_inference.LabelOnlyDecisionBoundary` and Label-only Gap Attack `art.attacks.inference.membership_inference.LabelOnlyGapAttack` for membership inference attacks on classification estimators. (720)

- Added support for preprocessing and preprocessing defences in the PyTorch-specific implementation of the Imperceptible ASR attack in `art.attacks.evasion.ImperceptibleASRPyTorch`. (763)

- Added a robust version of evasion attack DPatch in `art.attacks.evasion.RobustDPatch` against object detectors by adding improvements like expectation over transformation steps, fixed patch location, etc. (751)

- Added optional support for Automatic Mixed Precision (AMP) in `art.estimators.classification.PyTorchClassifier` to facilitate mixed-precision computations and increase performance. (619)

- Added the Brendel & Bethge evasion attack in `art.attacks.evasion.BrendelBethgeAttack` based on the original reference implementation. (626)

- Added framework-agnostic support for Randomized Smoothing estimators in addition to framework-specific implementations in TensorFlow v2 and PyTorch. (738)

- Added an optional progress bar to `art.utils.get_file` to facilitate downloading large files. (698)

- Added support for perturbation masks in HopSkipJump evasion attack in `art.attacks.evasion.HopSkipJump`. (653)

Changed

- Changed preprocessing defenses and input standardisation with mean and standard deviation by combining all preprocessing into a single preprocessing API defined in the new module `art.preprocessing`. Existing preprocessing defenses remain in `art.defences.preprocessor`, but are treated as equal and run with the same API and code as general preprocessing tools in `art.preprocessing`. The standardisation is now a preprocessing tool that is implemented framework-specific for PyTorch and TensorFlow v2 in forward and backward direction. Estimators for `art.estimators.classification` and `art.estimators.object_detection` in TensorFlow v2 and PyTorch that are set up with only framework-specific preprocessing steps prepend the preprocessing directly to the model, so that output evaluation and gradient backpropagation run in a single step through the model and (chained) preprocessing instead of the previous two separate steps, for improved performance. Framework-independent preprocessing tools will continue to be evaluated in a step separate from the model. This change also enables full support for any model-specific standardisation/normalisation functions for the model inputs and their gradients. (629)

- Changed `Preprocessor` and `Postprocessor` APIs to simplify them by defining reused methods and the most common property values as defaults in the API. The default for `art.defences.preprocessor.preprocessor.Preprocessor.estimate_gradient` in framework-agnostic preprocessing is Backward Pass Differentiable Approximation (BPDA) with identity function, which can be customized with accurate or better approximations by implementing `estimate_gradient`. (752)

- Changed random restarts in all `ProjectedGradientDescent` implementations to collect the successful adversarial examples of each random restart instead of previously only keeping the adversarial examples of the most successful random restart. Adversarial examples of previous random restart iterations are overwritten by adversarial examples of later random restart iterations. This leads to equal or better adversarial accuracies compared to previous releases and changes the order of processing the input samples to first complete all random restarts of a batch before processing the next batch instead of looping over all batches in each random restart. (765)

- Changed order of mask application and normalization of the perturbation in all `ProjectedGradientDescent` and `FastGradientMethod` attacks to now first apply the mask to the `loss_gradients` and subsequently normalize only the remaining, un-masked perturbation. That way the resulting perturbation can directly be compared to the attack budget `eps`. (711)

- Changed location of implementation and default values of properties `channels_first`, `clip_values`, and `input_shape` in `art.estimators` to facilitate the creation of custom estimators not present in `art.estimators`.

- Changed Spectral Signature Defense by removing argument `num_classes` and replacing it with the estimator’s `nb_classes` property and renaming parameter `ub_pct_poison` to `expected_pp_poison`. (678)

- Changed the ART directory path for datasets and model data stored in `ART_DATA_PATH` to be configurable after importing ART. (701)

- Changed preprocessing defence `art.defences.preprocessor.JpegCompression` to support any number of channels in addition to the already supported inputs with 1 and 3 channels. (700)

- Changed calculation of perturbation and direction in `art.attacks.evasion.BoundaryAttack` to follow the reference implementation. These changes result in faster convergence and smaller perturbations. (761)
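
To make the effect of the mask/normalization reordering in (711) concrete, the following toy comparison is an added example in plain Python, not ART's own code; the gradient and mask values are constructed. With a mask, normalizing the full gradient and then masking leaves part of the budget `eps` unspent under the L1 and L2 norms, while masking first spends exactly `eps`; the Linf sign step is unaffected by the order.

```python
import math

# Constructed toy example: loss gradient for a 4-pixel input and a mask that
# allows perturbing only the first two pixels (1.0 = perturbable, 0.0 = frozen).
LOSS_GRADIENT = [3.0, 4.0, 12.0, 0.0]
MASK = [1.0, 1.0, 0.0, 0.0]


def vector_norm(v, norm):
    """Norm of v for norm in {"inf", 1, 2}, the norms FGM/PGD accept."""
    if norm == "inf":
        return max(abs(x) for x in v)
    if norm == 1:
        return sum(abs(x) for x in v)
    if norm == 2:
        return math.sqrt(sum(x * x for x in v))
    raise ValueError(f"unsupported norm: {norm!r}")


def normalize(v, norm):
    """Scale v to unit size under `norm`; for "inf" this is the sign of each entry."""
    if norm == "inf":
        return [math.copysign(1.0, x) if x != 0.0 else 0.0 for x in v]
    size = vector_norm(v, norm)
    size = size if size > 0.0 else 1e-12  # tolerance: an all-zero gradient must not divide by zero
    return [x / size for x in v]


def perturbation(grad, mask, eps, norm, mask_first):
    """Single-step perturbation eps * normalized(grad) restricted to `mask`.

    mask_first=True reproduces the ART 1.5.0 ordering (mask the loss gradient,
    then normalize only the un-masked entries); mask_first=False reproduces the
    earlier ordering (normalize the full gradient, then zero the masked entries).
    """
    if mask_first:
        masked = [g * m for g, m in zip(grad, mask)]
        return [eps * x for x in normalize(masked, norm)]
    normed = normalize(grad, norm)
    return [eps * x * m for x, m in zip(normed, mask)]


def budget_used(grad, mask, eps, norm, mask_first):
    """Fraction of the budget eps actually spent: ||perturbation||_norm / eps."""
    return vector_norm(perturbation(grad, mask, eps, norm, mask_first), norm) / eps


if __name__ == "__main__":
    for norm in ("inf", 1, 2):
        new = budget_used(LOSS_GRADIENT, MASK, 0.3, norm, mask_first=True)
        old = budget_used(LOSS_GRADIENT, MASK, 0.3, norm, mask_first=False)
        print(f"norm={norm!s:>3}: mask-then-normalize spends {new:.3f} of eps, "
              f"normalize-then-mask spends {old:.3f} of eps")
```

For the constructed gradient the old ordering spends only 5/13 of `eps` under L2 and 7/19 under L1, so comparing the resulting perturbation against `eps` would understate the attack strength.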

Removed

[None]

Fixed

- Fixed bug in definition and application of norm `p` in cost matrix in Wasserstein evasion attack `art.attacks.evasion.Wasserstein` present in the reference implementation. (712)

- Fixed handling of fractional batches in Zeroth Order Optimization (ZOO) attack in `art.attacks.evasion.ZOOAttack` to prevent errors caused by shape mismatches for batches smaller than `batch_size`. (755)

1.4.3

Not secure
This release of ART v1.4.3 provides updates to ART 1.4.

Added

[None]

Changed

- Changed argument `y` of method `infer` of `art.attacks.inference.attribute_inference.AttributeInferenceBlackBox` from optional to required. (750)

Removed

[None]

Fixed

- Fixed bug in `art.data_generators.PyTorchDataGenerator` and `art.data_generators.MXDataGenerator` where method `get_batch` always returned the same first batch of the dataset; it now returns a different batch on each call by iterating over the entire dataset. (731)
- Fixed format of return value of method `infer` of `art.attacks.inference.membership_inference.MembershipInferenceBlackBox` for `attack_model_type="nn"`. (741)

1.4.2

Not secure
This release of ART v1.4.2 provides updates to ART 1.4.

Added

- Added implementation of method `loss` for `art.estimators.classification.TensorFlowClassifier`. (685)
- Added support for variable length input to `art.defences.preprocessor.MP3Compression` to make it compatible with estimator `art.estimators.speech_recognition.PyTorchDeepSpeech`. (684)
- Added support for `mask` in non-classification tasks with `art.attacks.evasion.ProjectedGradientDescent`. (682)
- Added support for `torch.Tensor` as input for `loss_gradient` of `art.estimators.object_detection.PyTorchFasterRCNN`. (679)
- Added support for `art.attacks.evasion.ProjectedGradientDescent` and `art.attacks.evasion.FastGradientMethod` attacks on `art.estimators.speech_recognition.PyTorchDeepSpeech`. (669)
- Added exception and explanation if target labels are not provided in `generate` of `art.attacks.evasion.ImperceptibleASRPytorch`. (677)
- Added support for preprocessing defences in `art.estimators.speech_recognition.PyTorchDeepSpeech`. (663)
- Added support for type `List` in argument `patch_shape` of `art.attacks.evasion.DPatch`. (662)
- Added support for option `verbose` to all `art.attacks` and `art.defences` to adjust output of progress bars. (647)

Changed

- Changed `art.attacks.evasion.AutoProjectedGradientDescent` to support classification estimators of all frameworks using the estimator's loss function, to use the new method `loss` of the Estimator API in place of internal custom loss functions, and to disable for now the loss type `difference_logits_ratio` for `art.estimators.classification.TensorFlowClassifier` (TensorFlow v1.x) because of inaccurate loss calculation. (685)
- Changed default format of returned values of method `predict` in `art.estimators.speech_recognition.PyTorchDeepSpeech` from a tuple of probabilities and sequence lengths to an array of transcriptions (array of predicted strings), which is the same format as labels `y` and the returned values of other estimators in `art.estimators.speech_recognition`. The former output can still be obtained with option `transcription_output=False`. This change also enables using `PyTorchDeepSpeech` with `ProjectedGradientDescent` and `FastGradientMethod` in cases where no labels are provided to their method `generate` and these attacks use the labels predicted by `PyTorchDeepSpeech`'s method `predict`. (689)
- Changed `art.attacks.evasion.DPatch` to improve initialisation of the patch for input ranges other than [0, 255] and updated the iteration over batches. (681)
- Changed `art.attacks.evasion.DPatch` to accept the updated return format of method `predict` of estimators in `art.estimators.object_detection`. (667)
- Changed return format of method `predict` of estimators in `art.estimators.object_detection` to follow the format of `art.estimators.object_detection.PyTorchFasterRCNN` and type `np.ndarray`. (660)

Removed

- Removed unsupported argument `loss_scale` in `art.estimators.speech_recognition.PyTorchDeepSpeech`. (642)

Fixed

- Fixed missing setting of property `targeted` in `art.attacks.evasion.ImperceptibleASRPytorch`. (676)
- Fixed bug in method `loss` of `art.estimators.classification.KerasClassifier`. (651)
- Fixed missing attribute `batch_size` in `art.attacks.evasion.SquareAttack`. (646)
- Fixed missing imports in `art.estimators.object_detection.TensorFlowFasterRCNN`. (648)
- Fixed bug in `art.attacks.evasion.ImperceptibleASRPytorch` to correctly apply `learning_rate_2nd_stage` instead of `learning_rate_1st_stage` in the second stage. (642)

1.4.1

Not secure
This release of ART v1.4.1 provides updates to ART 1.4.

Added

- Added a notebook demonstrating the Imperceptible ASR evasion attack on the DeepSpeech model for speech recognition tasks. (639)

Changed

- Changed the detection of Keras type (`keras` vs. `tensorflow.keras`) in `art.estimators.classification.KerasClassifier` to enable customised models inheriting from the Keras base models. (631)

Removed

[None]

Fixed

- Fixed bug in model-specific estimator for DeepSpeech `art.estimators.speech_recognition.PyTorchDeepSpeech` to correctly handle the case of batches of samples with identical length including the special case of a batch of a single sample. (635)
- Fixed bug in model-specific estimator for DeepSpeech `art.estimators.speech_recognition.PyTorchDeepSpeech` by adding missing imports. (621)
- Fixed bug to make all tools of ART accessible using `import art`. (612)
- Fixed bug by removing top-level imports of tool-specific dependencies and adapting default values. (613)
- Fixed wrong progress bar description in `art.attacks.evasion.projected_gradient_descent.*` from iterations to batches. (611)

1.4.0

Not secure
This release of ART v1.4.0 introduces framework-specific preprocessing defences, Membership Inference attacks, and support for attacks on Automatic Speech Recognition (ASR) tasks to ART. This release also adds and improves multiple evasion and poisoning attacks and defenses.

Added

- Added framework-specific preprocessing defences for PyTorch and TensorFlow v2 in all estimators. This extends the preprocessing defences of ART beyond the framework-independent Numpy implementations of earlier ART versions and enables the use of a framework's automatic differentiation to pass accurate loss gradients backwards through the preprocessing defences. Furthermore, this adds the first framework-specific implementations of the Spatial Smoothing preprocessing defence in PyTorch and TensorFlow v2, `art.defences.preprocessor.SpatialSmoothingPyTorch` and `art.defences.preprocessor.SpatialSmoothingTensorFlowV2`. (510, 574)
- Added Membership Inference attacks in `art.attacks.inference.membership_inference` to evaluate leaks of information about individual training data records (573)
- Added Neural Cleanse defense against poisoned models in `art.defences.transformer.poisoning.NeuralCleanse`. This is the first transformation defense against poisoning: it accepts a potentially poisoned model and returns a transformed version of the model defended against the effects of the poisoning (604)
- Added Imperceptible ASR evasion attack against Automatic Speech Recognition in PyTorch `art.attacks.evasion.ImperceptibleASRPytorch` (605)
- Added Adversarial Embedding poisoning attack `art.attacks.poisoning.PoisoningAttackAdversarialEmbedding` (561)
- Added new framework- and model-specific estimator for DeepSpeech in PyTorch `art.estimators.speech_recognition.PyTorchDeepSpeech` (581)
- Added support for string type for infinity norm in evasion attacks to facilitate serialisation of arguments (575)
- Added support for targeted attack in `art.attacks.evasion.AutoAttack` (494)
- Added targeted version of `DPatch` evasion attack against object detectors `art.attacks.evasion.DPatch` (599)
- Added property `targeted` to evasion attacks representing if attack is targeted `art.attacks.EvasionAttack` (500)
- Added new framework- and model-specific estimator for Faster-RCNN in TensorFlow `art.estimators.object_detection.TensorFlowFasterRCNN` (487)
- Added `ShapeShifter` evasion attack against object detectors `art.attacks.evasion.ShapeShifter` (487)
- Added Simple Black-box Adversarial (SimBA) evasion attack `art.attacks.evasion.SimBA` (469)

Changed

- Changed adversarial trainer and Projected Gradient Descent implementations to show progress bars (603)
- Changed import paths of Attribute Inference and Model Inversion attacks (592)

Removed

[None]

Fixed

- Fixed bug in Thermometer Encoding preprocessor defense and extended it to support channels-first data and video data formats (591)
- Fixed denormalizing in `create_generator_layers` in `utils/resources/create_inverse_gan_models.py` (491)

© 2025 Safety CLI Cybersecurity Inc. All Rights Reserved.