Adversarial-robustness-toolbox

Latest version: v1.17.1


Page 2 of 10

1.14.1

This release of ART 1.14.1 provides updates to ART 1.14.

Added

[None]

Changed

[None]

Removed

[None]

Fixed

- Fixed bug in `PytorchYolo` object detection estimator to correctly normalize the bounding boxes (2091)
- Fixed missing `adversarial_accuracy` metric in `__init__.py` (2093)
- Fixed bug of default value for a loss weighting parameter being used rather than user supplied inputs in `AdversarialTrainerCertifiedIBPPyTorch` (2102)
- Fixed Regional Misclassification Attack (RMA) to be able to poison all bounding boxes regardless of the class type (2110)
- Fixed wrong order of predictions and targets arguments in `AutoProjectedGradientDescent`'s new cross entropy loss class introduced in ART 1.14.0 and ensured correct attributes in `PyTorchClassifier` (2117)

1.14.0

This release of ART 1.14.0 introduces poisoning attacks on object detection models, privacy risk metrics, a new white-box evasion attack based on conjugate gradients, and more.

Added

- Added implementation of SHAPr membership privacy risk metric (1978)
- Added support for categorical non-numeric as well as continuous features in attribute inference attacks and improvements in shadow model tools (2006)
- Added implementation of Auto Conjugate Gradient Attack for white-box evasion (2028)
- Added implementation of adversarial training with interval bound propagation (2044)
- Added implementation of method `fit` to object detection estimators `PyTorchFasterRCNN`, `PyTorchObjectDetector`, and `PyTorchYolo` (2067)
- Added BadDet object detection poisoning attacks (RMA, GMA, OGA, ODA) (2054, 2069)

Changed

- Changed evasion detectors module by refactoring the entire module and introducing common API with the `EvasionDetector` base class (1993)
- Changed loading of audio triggers with `audio_perturbations` to cache trigger to accelerate loading (2053)
- Changed tested and officially supported Python versions to 3.9, 3.10, 3.11 (2063)
- Changed checks and internal improvements to `AdversarialTrainerCertifiedPytorch` (2070)

Removed

[None]

Fixed

- Fixed bug in `add_single_bd` and `add_pattern_bd` to avoid confusing height and width of the trigger image and transposing the trigger (2046)

1.13.1

This release of ART 1.13.1 provides updates to ART 1.13.

Added

[None]

Changed

- Changed PDTP privacy metric to support two comparison modes: ratio (default) and a new difference mode (1984)
- Changed default parameters for `apply_fit` and `apply_predict` for the Data Augmentation defenses `CutMix*`, `CutOut*`, and `MixUp*` (1987)

Removed

[None]

Fixed

- Fixed bug in `PixelThreshold` attack to support batches of a single sample (1982)
- Fixed type error in `DPInstaHideTrainer` for `PyTorchClassifier` by casting random noise to correct type (1987)
- Added missing classes to union types `OBJECT_DETECTOR_TYPE`, `PYTORCH_ESTIMATOR_TYPE`, and `TENSORFLOWV2_ESTIMATOR_TYPE` (1999)
- Fixed audio perturbations going out of clip values in `insert_tone_trigger` and `insert_audio_trigger` (2016)
- Fixed missing transfer to device in `FeatureAdversariesPyTorch` to enable running on GPUs (2021)
- Fixed missing conversion to float to support floor() on GPUs in `PyTorchClassifier` (2022)
- Fixed incorrect integer return type in `check_and_transform_label_format` (2025)

1.13.0

This release of ART 1.13.0 introduces a black-box regression estimator, DP-InstaHide, an object detection estimator for TensorFlow v2, and more.

Added

- Added `CutOut` data augmentation as preprocessor in Numpy, TensorFlow and PyTorch (1850)
- Added `MixUp` data augmentation as preprocessor in Numpy, TensorFlow and PyTorch (1885)
- Added `CutMix` data augmentation as preprocessor in Numpy, TensorFlow and PyTorch (1910)
- Added regression estimator for black-box scenario (1930)
- Added additional model support for shadow models (1930)
- Added Numpy-based data generator to support very large datasets (1934)
- Added object detection estimator for Faster-RCNN in TensorFlow v2 (1951)
- Added DP-InstaHide training for classification with differentially private data augmentations (1956)
- Added Interval Bound Propagation for certified classification in PyTorch (1965)

Changed

[None]

Removed

[None]

Fixed

- Fixed unexpected shape in `art.utils.load_cifar10` for loading raw dataset (1962)
- Fixed bug to return correct best poisoning indices in `SleeperAgentAttack` (1955)

1.12.2

This release of ART 1.12.2 provides updates to ART 1.12.

Added

- Added `drop_last` option to method `fit` of `PyTorchClassifier` (1883)

Changed

- Changed documentation of `art.metrics.verification_decisions_trees.RobustnessVerificationTreeModelsCliqueMethod` to provide additional information (1897)
- Changed Numba to be an optional dependency (1884)
- Changed `BoundaryAttack` to enable binary classification by removing unnecessary input check (1890)

Removed

[None]

Fixed

- Fixed issue caused by missing variable initialization in `SleeperAgentAttack` (1892)
- Fixed bug in `projection_l1_1` and `projection_l1_2` where in rare cases they returned the input point rather than its projection (1870)

1.12.1

This release of ART 1.12.1 provides updates to ART 1.12.

Added

[None]

Changed

[None]

Removed

[None]

Fixed

- Fixed object detection estimator `PyTorchYolo` to not modify tracked statistics of batch-norm layers of the YOLO model during loss and loss gradient calculations (1860)


© 2024 Safety CLI Cybersecurity Inc. All Rights Reserved.