Adversarial-robustness-toolbox

Latest version: v1.17.1

Page 3 of 10

1.12.0

This release of ART 1.12.0 introduces the first black-box adversarial patch attack, overlapping shadow datasets for membership inference, certified adversarial training, and more.

Added

- Added Sleeper Agent poisoning attack in TensorFlow in `art.attacks.poisoning.SleeperAgentAttack` (1769)
- Added support for overlapping shadow models and black-box model predictions as input in membership inference attacks (1778)
- Added adversarial accuracy as a metric (1779)
- Added function `art.utils.uniform_sample_from_sphere_or_ball` to sample uniformly from either the ball or the sphere with a given norm and radii (1804)
- Added GRAPHITE, black- and white-box evasion attacks generating adversarial patches (1828)
- Added certified adversarial training (1841)

Changed

- Changed `art.attacks.evasion.DPatch` to accept true labels (1780)
- Changed `art.utils.random_sphere` to use a different, faster algorithm for norm=1 based on exponential distribution (1805)

Removed

[None]

Fixed

[None]

1.11.1

This release of ART 1.11.1 provides updates to ART 1.11.

Added

[None]

Changed

[None]

Removed

[None]

Fixed

- Fixed unnecessary check for targeted attacks in `AdversarialPatch` and delegated check to framework-specific implementations (1768)
- Fixed missing transfer to device in `AdversarialPatchPyTorch.apply_patch()` (1771)
- Fixed redundant call to `detach().cpu().numpy()` in `PyTorchClassifier.predict()` (1785)
- Fixed `art.utils.random_sphere()` for `norm=1` to sample uniformly in the L1 ball (1802)
- Fixed PyTorch `detach()` call on NumPy arrays in `PyTorchRegressor` (1824)
- Fixed probability check for multi-dimensional arrays + out of bounds error in binning in the pointwise differential training privacy metric `PDTP` (1825)
- Fixed learning rate decay in `ElasticNet` evasion attack (1833)

1.11.0

This release of ART 1.11.0 introduces estimators for YOLO object detection and regression models, the first audio poisoning attack, new query-efficient black-box evasion attacks, certified defenses against adversarial patch attacks, metrics quantifying membership inference and more.

Added

- Added Momentum-Iterative FGSM evasion attack in `MomentumIterativeMethod` and added optional momentum to loss gradients in `ProjectedGradientDescent*` attacks. (1614)
- Added metrics measuring worst-case scores of membership inference attacks. (1709)
- Added estimator for YOLO v3 models in PyTorch in `PyTorchYolo`. (1715)
- Added estimators for de-randomized smoothing certification against patch attacks in `PyTorchDeRandomizedSmoothing` and `TensorFlowV2DeRandomizedSmoothing`. (1729)
- Added query-efficient hard-label black-box evasion attack Sign-Opt in `SignOPTAttack`. (1730)
- Added Sleeper Agent poisoning attack in PyTorch in `SleeperAgentAttack`. (1736)
- Added exclusionary reclassification to `ActivationDefence`. (1738)
- Added dirty-label backdoor poisoning attack on audio classification in `art.attacks.poisoning.perturbations.audio_perturbations`. (1740)
- Added estimators for regression in `PyTorchRegressor` and `KerasRegressor` for PyTorch and Keras. (1651)
- Added option for targeted attacks to `AdversarialPatch` and `AdversarialPatchNumpy`. (1759)

Changed

- Changed `check_and_transform_label_format` for `nb_classes=None` to automatically determine the number of classes in the provided labels. (1747)
- Added additional documentation to `ZOOAttack` and cleaned up the code of method `compare`. (1648)
- Changed default value for number of epochs `nb_epochs` in `AdversarialTrainerMadryPGD` to match 80'000 training steps of Madry et al. (1758)

Removed

[None]

Fixed

- Fixed `PyTorchClassifier.clone_for_refitting` by deleting optimizer from parameters before calling `set_param()` to avoid creating the cloned model with the old optimizer. (1742)
- Fixed missing propagation of `nb_classes` to method `check_and_transform_label_format` in inference attacks. (1713)

1.10.3

This release of ART 1.10.3 provides updates to ART 1.10.

Added

[None]

Changed

[None]


Removed

[None]

Fixed

- Fixed missing zeroing of gradients in PyTorch variable of the adversarial patch in `art.attacks.evasion.AdversarialTexturePyTorch` (1724, 1726)

1.10.2

This release of ART 1.10.2 provides updates to ART 1.10.

Added

[None]

Changed

- Changed `PyTorchClassifier` to use a new optimizer when cloned with `clone_for_refitting` (1580)
- Changed class names of `art.estimators.gan.*` and `art.estimators.generator.*` to follow naming convention (1655)
- Changed `Mp3CompressionPyTorch` and `PyTorchDeepSpeech` to add support for samples in 2D non-object arrays (1680, 1702)
- Changed file name `python_object_detector.py` to `pytorch_object_detector.py` to follow naming convention (1687)
- Changed `CarliniLInfMethod` by adding argument for `batch_size` (1699)


Removed

[None]

Fixed

- Fixed required dependency on TensorFlow (1655)
- Fixed bug in `ImperceptibleASRPyTorch` by adding missing `.detach().cpu()` and `.cpu()` calls (1677)
- Fixed bug in `art.estimators.certification.randomized_smoothing` estimators to correctly apply Gaussian noise (1678)
- Fixed bug in the `GaussianNoise` post-processing defence to keep number of dimensions constant during normalisation (1684)
- Fixed bug in `RobustDPatch` for channels first images to correctly un-transform loss gradients (1693)
- Fixed bug in support for numpy arrays in logger of `PoisoningAttackCleanLabelBackdoor` (1698)

1.10.1

This release of ART 1.10.1 provides updates to ART 1.10.

Added

[None]

Changed

- Changed `AdversarialTrainerMadryPGD.fit` to support arguments `nb_epochs` and `batch_size` (1612)
- Changed `GradientMatchingAttack` to add support for models with undefined input shape by abstracting the shape information from the input data (1624)
- Changed `PyTorchObjectDetector` to support inputs with number of channels other than 1 and 3 (1633)

Removed

[None]

Fixed

- Fixed incorrect handling of true regression labels in attribute inference attacks (1598)
- Fixed `AdversarialPatchPyTorch.apply_patch` to correctly check if `mask` is `None` (1607)

© 2024 Safety CLI Cybersecurity Inc. All Rights Reserved.