Adversarial-robustness-toolbox

Latest version: v1.17.1


Page 1 of 10

1.17.1

This release of ART 1.17.1 provides updates to ART 1.17.

Added

[None]

Changed

[None]

Removed

- Removed upper limit for `scikit-learn` to reduce dependency conflicts and facilitate integration with other libraries.

Fixed

[None]

1.17.0

This release of ART 1.17.0 introduces new adversarial training protocols, membership inference attacks, composite adversarial attacks for evasion and more.

Added

- Added Composite Adversarial Attack as evasion attack in PyTorch (2287)
- Added support for black-box membership inference attacks without true labels (2293)
- Added verbose option for progress bars in methods `fit` and `predict` of all classification estimators (2334)
- Added Oracle Aligned Adversarial Training (OAAT) in PyTorch (2348)

Changed

[None]

Removed

[None]

Fixed

- Fixed bug in `ActivateDefense` and `SpectralSignatures` poisoning defences by flattening the outputs when calling `get_activations()` (2327)
- Fixed bug in Hugging Face classification estimator to correctly infer device if provided model is already on GPU (2300)

1.16.0

This release of ART 1.16.0 introduces multiple estimators for certified robustness and Hugging Face models, adversarial training with Adversarial Weight Perturbation, improvements for inference attacks, and more.

Added

- Added estimator for smoothed vision transformers as defence against evasion with adversarial patches (2171)
- Added estimators for variations of randomised smoothing including MACER, SmoothAdv, and SmoothMix for PyTorch and TensorFlow (2218)
- Added adversarial training with Adversarial Weight Perturbation protocol in PyTorch (2224)
- Added estimator for Hugging Face models with PyTorch backend (2245)
- Added ObjectSeeker certifiably robust defence for object detectors against poisoning and adversarial patches (2246)
- Added representation string `__repr__` to all attacks (2274)

Changed

- Changed inference attacks to support additional attack model types (e.g., KNN, LR, etc.) and replaced scikit-learn's MLPClassifier with a PyTorch neural network model (2253)
- Changed the attacks' method `set_params` to raise `ValueError` if an attribute that was not previously defined is set (2257)
- Changed AutoAttack to support multiprocessing and support running attacks in parallel (2258)

Removed

[None]

Fixed

- Fixed docstring of `TargetedUniversalPerturbation` (2212)
- Fixed bug of unsupported operands because of dependency updates in `AdversarialPatchTensorFlowV2` (2276)
- Fixed bug in `AutoAttack` so that attacks which do not support targeted mode are no longer skipped (2257)

1.15.2

This release of ART 1.15.2 provides updates to ART 1.15.

Added

[None]

Changed

[None]

Removed

[None]

Fixed

- Fixed bug where the `PyTorchYolo` and `PyTorchObjectDetector` object detection estimators modified the original input NumPy array (2263)
- Fixed bug where `channels_first` argument of `PyTorchObjectDetector` and `PyTorchFasterRCNN` received the wrong default value of `False` instead of `True` (2264)

1.15.1

This release of ART 1.15.1 provides updates to ART 1.15.

Added

[None]

Changed

[None]

Removed

[None]

Fixed

- Fixed deprecation warning by replacing the import statement `from scipy.ndimage.filters import median_filter` with `from scipy.ndimage import median_filter` (2211)
- Fixed bug that limited input shapes in the `AutoProjectedGradientDescent` and `AutoConjugateGradient` attacks to images; any input shape is now supported (2214)
- Fixed missing support for index labels in `AdversarialTrainerTRADESPyTorch` (2231)
- Fixed bug in the `PyTorchObjectDetector` and `PyTorchYolo` estimators so that non-leaf tensors retain their gradient properties when moved to another device (2238, 2249)
- Fixed `Pillow` having unintentionally become a required dependency; it is optional again (2240)
- Fixed circular dependencies in `art.estimators.certification` (2241)

1.15.0

This release of ART 1.15.0 introduces a default training loop for TensorFlowV2Classifier, the TRADES adversarial training protocol, an estimator for DEtection TRansformer (DETR) object detection models, and more.

Added

- Added default training function to `TensorFlowV2Classifier` (2124)
- Added TRADES adversarial training protocol in PyTorch (2131)
- Added preprocessors for images supporting padding and resizing in PyTorch, TensorFlow and framework-independent (2138)
- Added support for arbitrarily sized images in `BadDet` poisoning attacks (2189)
- Added estimator for DEtection TRansformer (DETR) object detection models based on transformer architectures (2192)

Changed

- Changed PyTorch estimators to use PyTorch datasets and dataloaders to optimize the `fit` and `predict` methods of `PyTorchClassifier`, `PyTorchRegressor`, `PyTorchRandomizedSmoothing`, `PyTorchObjectDetector`, and `PyTorchYolo`, and optimized the `predict` method of `TensorFlowV2Classifier` by using a TensorFlow dataset and applying the `tf.function` decorator (2180)
- Changed `PyTorchObjectDetector` to apply the `channels_first` argument and improved performance by applying the batch processing provided by newer PyTorch versions (2180)

Removed

[None]

Fixed

- Fixed unnecessary duplicate prediction calls to estimator in `SignOPTAttack` (2129)
- Fixed missing transfer of tensor to device in `ProjectedGradientDescentPyTorch` (2135)
- Fixed trigger placement for image poisoning perturbations by correctly accessing height and width of the trigger image instead of swapping both (2143)
- Fixed key error in loss gradients of the `PyTorchYolo` estimator and updated the format of targets passed to the estimator in `AdversarialPatchPyTorch` to reflect updates to `PyTorchYolo` (2169)
- Fixed Visible Deprecation Warning in `analyze_by_distance` and `analyze_by_size` of `ClusteringAnalyzer` (2195)


© 2024 Safety CLI Cybersecurity Inc. All Rights Reserved.