Adversarial-robustness-toolbox

Latest version: v1.17.1


Page 5 of 10

1.7.1

Not secure
This release of ART 1.7.1 provides updates to ART 1.7.

Added

- Added wrapper `Mp3CompressionPyTorch` for `Mp3Compression` to make it compatible with PyTorch-specific attack implementations. (1210)
- Added new install option `non-framework` to `setup.py` to install all non-framework dependencies of ART. (1209)
- Added wrapper `VideoCompressionPyTorch` for `VideoCompression` to make it compatible with PyTorch-specific attack implementations. (1210)

Changed

- Changed `Mp3Compression` to add back reapplication of normalization to the compressed result. (1210)
- Changed `KerasClassifier.fit` to use batching provided by the method `fit` of the Keras model. (1182)

Removed

[None]

Fixed

- Fixed bug in all `PyTorchEstimator` classes where the standardisation preprocessor always used the default device type `gpu` instead of the user-provided device type; the user-provided device type is now passed through. (1223)
- Fixed bug in method `BaseEstimator.fit_generator` for fitting generators in cases where preprocessing is defined to not apply preprocessing twice. (1219)
- Fixed bug in `ImperceptibleASRPyTorch` to prevent NaN loss value for batch size larger than 1 by removing unnecessary zero-padding. (1198)
- Fixed two bugs in `OverTheAirFlickeringPyTorch`: first, the regularization norms are now computed over the whole batch of perturbations rather than over each sample's perturbation; second, the "roll" operations are now performed over the batch samples rather than over the frames. (1192)
- Fixed bug in `SpectralSignatureDefense`, which led to rejection of all clean images, by correctly indexing the label data. (1189)
- Fixed bug of accidentally removed checks for `apply_fit` and `apply_predict` properties of framework-independent `Preprocessor` tools in `PyTorchEstimator` and `TensorFlowV2Estimator`. With the bug the `Preprocessor` tools were always applied in methods `fit` and `predict` independent of the values of `apply_fit` and `apply_predict`. (1181)
- Fixed bug in `MembershipInferenceBlackBoxRemove.infer` by removing unnecessary shuffling of the test data. (1173)
- Fixed bug in `PixelAttack` and `ThresholdAttack` by casting input data to correct dtype. (1175)

1.7.0

Not secure
This release of ART v1.7.0 introduces many new evasion and inference attacks, providing support for the evaluation of malware and tabular data classification, a new query-efficient black-box method (GeoDA) and a strong white-box method (Feature Adversaries). Furthermore, this release introduces an easy-to-use estimator for Espresso ASR models to facilitate ASR research and connect Espresso and ART. This release also introduces support for binary classification with single outputs in neural network classifiers and selected attacks. Many more new features and details can be found below:

Added

- Added LowProFool evasion attack for imperceptible attacks on tabular data classification in `art.attacks.evasion.LowProFool`. (1063)
- Added Over-the-Air-Flickering attack in PyTorch for evasion on video classifiers in `art.attacks.evasion.OverTheAirFlickeringPyTorch`. (1077, 1102)
- Added API for speech recognition estimators compatible with Imperceptible ASR attack in PyTorch. (1052)
- Added Carlini&Wagner evasion attack with perturbations in L0-norm in `art.attacks.evasion.CarliniL0Method`. (844, 1109)
- Added support for Deep Speech v3 in `PyTorchDeepSpeech` estimator. (1107)
- Added support for TensorBoard collecting the evolution of norms (L1, L2, and Linf) of loss gradients per batch, the adversarial patch, and the total loss and its model-specific components where available (e.g. `PyTorchFasterRCNN`) in `AdversarialPatchPyTorch`, `AdversarialPatchTensorFlow`, `FastGradientMethod`, and all `ProjectedGradientDescent*` attacks. (1071)
- Added `MalwareGDTensorFlow` attack for evasion on malware classification of portable executables supporting append based, section insertion, slack manipulation, and DOS header attacks. (1015)
- Added Geometric Decision-based Attack (GeoDA) in `art.attacks.evasion.GeoDA` for query-efficient black-box attacks on decision labels using DCT noise. (1001)
- Added framework-specific Feature Adversaries attacks in PyTorch and TensorFlow v2 as an efficient white-box attack generating adversarial examples that imitate intermediate representations at multiple layers, in `art.attacks.evasion.FeatureAdversaries*`. (1128, 1142, 1156)
- Added attribute inference attack based on membership inference in `art.attacks.inference.AttributeInferenceMembership`. (1132)
- Added support for binary classification with neural networks with a single output neuron in `FastGradientMethod`, and all `ProjectedGradientDescent*` attacks. Neural network binary classifiers with a single output require setting `nb_classes=2` and labels `y` in shape (nb_samples, 1) or (nb_samples,) containing 0 or 1. Backward compatibility for binary classifiers with two outputs is guaranteed with `nb_classes=2` and labels `y` one-hot-encoded in shape (nb_samples, 2). (1118)
- Added estimator for Espresso ASR models in `art.estimators.speech_recognition.PyTorchEspresso` with support for attacks with `FastGradientMethod`, `ProjectedGradientDescent` and `ImperceptibleASRPyTorch`. (1036)
- Added deprecation warnings for `art.classifiers` and `art.wrappers`, which are to be replaced by `art.estimators`. (1154)

Changed

- Changed `art.utils.load_iris` to use Iris dataset from `sklearn.datasets` instead of `archive.ics.uci.edu`. (1097)
- Changed `HopSkipJump` to check for NaN in the adversarial example candidates and return original (benign) sample if at least one NaN is detected. (1124)
- Changed `SquareAttack` to accept user-defined loss and adversarial criterion definitions to enable black-box attacks on all machine learning tasks on images beyond classification. (1127)
- Changed `PyTorchFasterRCNN.loss_gradients` to process each sample separately to avoid issues with gradient propagation with `torch>=1.7`. (1138)

Removed

[None]

Fixed

- Fixed workaround in `art.defences.preprocessor.Mp3Compression` related to a bug in earlier versions of `pydub`. (419)
- Fixed bug in Pixel Attack and Threshold Attack for images with pixels in range [0, 1]. (990)

1.6.2

Not secure
This release of ART 1.6.2 provides updates to ART 1.6.

Added

- Added targeted option to `RobustDpatch` (1069)
- Added option `standardise_output` to define provided label format (1069)
- Added property `native_label_is_pytorch_format` to object detectors to define label format expected by the model (1069)

Changed

- Changed `Dpatch` and `RobustDpatch` to work internally with PyTorchFasterRCNN's object detection label format and convert labels if provided in `TensorFlowFasterRCNN`'s format accordingly using option `standardise_output` (1069)
- Changed `setup.py` to only contain core dependencies in `install_requires` and added additional install options `tensorflow_image`, `tensorflow_audio`, `pytorch_image`, and `pytorch_audio` (1116)
- Changed check for version of `torch` and `torchvision` in `AdversarialPatchPyTorch` to account for suffixes like `+cu102` (1115)
- Changed `art.utils.load_iris` to use `sklearn.datasets.load_iris` instead of download from `https://archive.ics.uci.edu/ml/machine-learning-databases/iris/iris.data` (1097)

Removed

- Removed unnecessary requirement for `scores` in labels `y` for `TensorFlowFasterRCNN.loss_gradient` and `PyTorchFasterRCNN.loss_gradient` (1069)

Fixed

- Fixed docstrings of methods `predict` and `loss_gradient` to correctly describe the expected and provided label format (1069)
- Fixed bug of missing transfer of tensor to device in `ProjectedGradientDescentPyTorch` (1076)
- Fixed bug resulting in wrong loss gradients calculated with `ScikitlearnLogisticRegression.loss_gradient` (1065)

1.6.1

Not secure
This release of ART 1.6.1 provides updates to ART 1.6.

Added

- Added a notebook showing an example of Expectation over Transformation (EoT) sampling with ART to generate adversarial examples that are robust against rotation in image classification tasks. (1051)
- Added a check for valid combinations of `stride`, `freq_dim` and image size in `SimBA` attack. (1037)
- Added accurate gradient estimation to `LFilter` audio preprocessing. (1002)
- Added support for multiple layers to be targeted by `BullseyePolytopeAttackPyTorch` attack to increase effectiveness in end-to-end scenarios. (1003)
- Added check and ValueError to provide explanation for too large `nb_parallel` values in `ZooAttack`. (988)

Changed

- Changed `TensorFlowV2Classifier.get_activations` to accept negative layer indexes. (1054)
- Tested `BoundaryAttack` and `HopSkipJump` attacks with `batch_size` larger than 1 and changed default value to `batch_size=64`. (971)

Removed

[None]

Fixed

- Fixed bug in `Dpatch` attack which did not apply the patch being optimised onto the images used for loss gradient calculation, so that every iteration used the constant, initially applied patches. (1049)
- Fixed bug in `BullseyePolytopeAttackPyTorch` attack where attacking multiple layers of the underlying model only perturbed the first of all input images. (1046)
- Fixed return value of `TensorFlowV2Classifier.get_activations` to a list of strings. (1011)
- Fixed bug in `TensorFlowV2Classifier.loss_gradient` by adding labels to application of preprocessing step to enable EoT preprocessing steps that increase the number of samples and labels. This change does not affect the accuracy of previously calculated loss gradients. (1010)
- Fixed bug in `ElasticNet` attack to apply the `confidence` parameter when generating adversarial examples. (995)
- Fixed bug in `art.attacks.poisoning.perturbations.image_perturbations.insert_image` to correctly transpose input images when `channels_first=True`. (1009)
- Fixed bug of missing method `compute_loss` in `PyTorchDeepSpeech`, `TensorFlowFasterRCNN` and `BlackBoxClassifier`. (994, 1000)

1.6.0

Not secure
This release of ART v1.6.0 introduces new evaluation tools in the three threat types of poisoning, inference and evasion: the clean-label poisoning attack Bullseye Polytope, a baseline attribute inference attack, and a PyTorch-specific implementation of the Adversarial Patch attack with perspective transformation sampling. Furthermore, this release contains the first set of Expectation over Transformation (EoT) preprocessing tools for image processing and natural corruptions.

Added

- Added the Bullseye Polytope clean-label poisoning attack in `art.attacks.poisoning.BullseyePolytopeAttackPyTorch` (962)
- Added the Pointwise Differential Training Privacy (PDTP) metric measuring training data membership leakage of trained model in `art.metrics.PDTP` (958)
- Added an attribute inference baseline attack `art.attacks.inference.attribute_inference.AttributeInferenceBaseline` defining a minimal attribute inference performance that can be achieved without access to the evaluated model (956)
- Added a first set of Expectation over Transformation (EoT) preprocessing in `art.preprocessing.expectation_over_transformation` for image processing and natural image corruptions including brightness, contrast, Gaussian noise, shot noise, and zoom blur. These EoTs enable sampling multiple transformed samples in each forward pass and are fully differentiable for accurate loss gradient calculation in PyTorch and TensorFlow v2. They can be chained together in sequence and are implemented fully framework-specific (919)
- Added a function for image trigger perturbations blending images (913)
- Added a method `insert_transformed_patch` to all adversarial patch attacks `art.attacks.evasion.AdversarialPatch*` applying adversarial patches onto a perspective transformed square defined by the coordinates of its four corners (891)
- Added a framework-specific PyTorch implementation of the Adversarial Patch attack in `art.attacks.evasion.AdversarialPatchPyTorch` with additional functionality to support sampling over perspective transformations (876)

Changed

- Changed handling of NaN values in loss gradients in `art.attacks.evasion.FastGradientMethod` and `art.attacks.evasion.ProjectedGradientDescent*` by replacing NaN values with 0.0 and logging a warning message. This should prevent losing expensive attack runs in late iterations and still return an adversarial example, while the warning alerts the user. (883)
- Changed permitted ranges for `eps_step` and `eps` in `art.attacks.evasion.ProjectedGradientDescent*` to allow `eps_step` to be larger than `eps` for all norms, allow `eps_step=np.inf` to immediately project towards the norm ball or clip_values, and support `eps=0.0` to run the attack without any attack budget. The latter two changes are intended to facilitate the verification of attack setups. (882)
- Changed in the unit tests the marker `skipMlFramework` to `skip_framework` and the pytest argument `mlFramework` to `framework` (961)
- Changed `art.preprocessing.standardisation_mean_std` for standardisation with `mean` and `std` to provide extended support for broadcasting by automatically adapting 1-dimensional arrays for `mean` and `std` to be broadcastable on NCHW inputs (839)
- Changed `art.estimators.object_detection.PyTorchFasterRCNN.loss_gradient` to not overwrite the input label array with tensors (954)
- Changed and automated the setting of model states by removing method `set_learning_phase` from all estimators and automatically setting the model into the most likely appropriate state for each operation in methods `predict` (eval mode, `training_mode=False`), `fit` (train mode, `training_mode=True`), `loss_gradient` (eval mode), `class_gradient` (eval mode), etc. The default is defined by a new method argument `training_mode` which can be changed, for example, for debugging purposes. An exception are RNN-type models in PyTorch, where `loss_gradient` and `class_gradient` will run the model in train mode but freeze the model's batch-norm and dropout layers if `training_mode=False`. (781)
- Changed `art.attacks.evasion.BoundaryAttack` in normal (L282) and suboptimal (L287) termination to return the adversarial example candidate with the smallest perturbation norm instead of the first adversarial example candidate in its list; this facilitates finding adversarial examples with minimum L2 perturbation (948)
- Changed `art.attacks.inference.attribute_inference.AttributeInferenceBlackBox` to support one-hot encoded features that have been scaled and lie in-between 0 and 1 instead of just 0 and 1 (927)
- Changed imports of `tensorflow` in TensorFlow v1 specific tools to enable backward compatibility and application with TensorFlow v2 (880)
- Changed optimizer of `art.attacks.evasion.AdversarialPatchTensorFlowV2` from `SGD` to `Adam` for better performance (878)
- Changed `art.attacks.evasion.BrendelBethgeAttack` to include support for `numba`, following the reference implementation, which leads to great acceleration of the attack (868)
- Changed `art.estimators.classification.ScikitlearnClassifier` and all model specific scikit-learn estimators to provide the new argument `use_logits` to define returning probability or logit predictions in their methods `predict` (872)
- Changed metrics `clever_t` and, depending on it, `clever` and `clever_u` to reduce long runtimes by computing the class gradients of all samples in `rand_pool` before looping through the batches. To reduce the risk of `ResourceExhaustedError`, batching is now also applied on `rand_pool` to compute class gradients on smaller batches of size `pool_factor` (762)
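The first two entries of this Changed list describe how the FGM/PGD attacks now treat NaN loss gradients and the `eps`/`eps_step` budget (`eps_step` larger than `eps`, `eps_step=np.inf`, `eps=0.0`). The following pure-Python illustration is added here and is not ART's code: `sanitize_gradient`, `project`, `step_direction` and `pgd` are names of this example, the constant gradient in the demo is constructed, and modelling `eps_step=np.inf` as a single jump to the boundary of the `eps` ball along the ascent direction is an assumption about the described behaviour.

```python
import math
import warnings
from typing import Callable, List, Optional, Sequence, Tuple

Vec = List[float]


def sanitize_gradient(grad: Sequence[float]) -> Vec:
    """Replace NaN gradient entries with 0.0 and warn, instead of aborting the attack run."""
    nan_count = sum(1 for g in grad if math.isnan(g))
    if nan_count:
        warnings.warn(f"{nan_count} NaN loss-gradient entries replaced with 0.0")
    return [0.0 if math.isnan(g) else g for g in grad]


def project(delta: Sequence[float], eps: float, norm) -> Vec:
    """Project a perturbation onto the eps ball for norm 'inf' or 2; eps=0.0 yields the zero vector."""
    if norm == "inf":
        return [max(-eps, min(eps, d)) for d in delta]
    n = math.sqrt(sum(d * d for d in delta))
    return list(delta) if n <= eps else [d * eps / n for d in delta]


def step_direction(grad: Sequence[float], norm) -> Vec:
    """Unit ascent direction: sign of the gradient for Linf, normalised gradient for L2."""
    if norm == "inf":
        return [math.copysign(1.0, g) if g != 0.0 else 0.0 for g in grad]
    n = math.sqrt(sum(g * g for g in grad))
    return [g / n for g in grad] if n > 0.0 else [0.0] * len(grad)


def pgd(x: Sequence[float], grad_fn: Callable[[Vec], Vec], eps: float, eps_step: float,
        max_iter: int, norm="inf", clip_values: Optional[Tuple[float, float]] = None) -> Vec:
    """Iterated ascent step, then projection of the *total* perturbation onto the eps ball."""
    x_adv = list(x)
    for _ in range(max_iter):
        direction = step_direction(sanitize_gradient(grad_fn(x_adv)), norm)
        # Assumption: eps_step=inf jumps straight to the boundary of the eps ball.
        size = eps if math.isinf(eps_step) else eps_step
        cand = [a + size * d for a, d in zip(x_adv, direction)]
        # eps_step > eps is allowed: the projection pulls the candidate back into the ball.
        delta = project([c - xi for c, xi in zip(cand, x)], eps, norm)
        x_adv = [xi + di for xi, di in zip(x, delta)]
        if clip_values is not None:
            lo, hi = clip_values
            x_adv = [max(lo, min(hi, v)) for v in x_adv]
    return x_adv


if __name__ == "__main__":
    # Constructed linear loss: constant gradient with one NaN coordinate.
    grad = lambda v: [1.0, -2.0, float("nan")]
    print(pgd([0.5, 0.5, 0.5], grad, eps=0.1, eps_step=0.3, max_iter=3, clip_values=(0.0, 1.0)))
    print(pgd([0.0, 0.0], lambda v: [3.0, 4.0], eps=1.0, eps_step=float("inf"), max_iter=1, norm=2))
    print(pgd([0.2, 0.7], lambda v: [5.0, -5.0], eps=0.0, eps_step=float("inf"), max_iter=5, norm=2))
```

With `eps=0.0` the returned sample equals the input, which is the "attack without budget" sanity check the entry mentions.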

Removed

- Removed deprecated argument and property `channel_index` from all estimators. `channel_index` has been replaced by `channels_first`. (869)

Fixed

- Fixed the criterion of targeted `art.attacks.evasion.BoundaryAttack` to now correctly check that adversarial predictions are different from the original image prediction during sampling instead of the same (948)

1.5.3

Not secure
This release of ART 1.5.3 provides updates to ART 1.5.

Added

[None]

Changed

- Changed argument names of `art.attacks.evasion.ImperceptibleASR`, `art.attacks.evasion.ImperceptibleASRPyTorch` and `art.attacks.evasion.CarliniWagnerASR` where necessary to use the same names in all three attacks. (955, 959)
- Changed optimisation in `art.attacks.evasion.ImperceptibleASRPyTorch` to use `torch.float64` instead of `torch.float32` to prevent NaN as loss value. (931)
- Changed `art.attacks.evasion.ImperceptibleASR` to improve the psychoacoustic model and stabilize the imperceptible loss by switching to librosa's STFT and using scalar PSD maximum. (930)
- Changed `art.attacks.evasion.ImperceptibleASR` to use a periodic window for STFT instead of a symmetric window. (930)
- Changed `art.attacks.evasion.ImperceptibleASR` with early stopping if loss theta < 0.05 to avoid running into gradients with NaN values. (930)
- Changed `art.attacks.evasion.ImperceptibleASRPyTorch` to reset its optimisers for each internal batch in method `generate` to guarantee the same optimiser performance on each batch; this is especially important for adaptive optimisers. (917)
- Changed `art.attacks.evasion.ImperceptibleASRPyTorch` to use `torch.stft` instead of `torchaudio.transforms.Spectrogram` to correctly compute the spectrogram. (914)
- Changed `art.estimators.speech_recognition.PyTorchDeepSpeech` to freeze batch-norm layers of the Deep Speech model in method `loss_gradient` to obtain gradients using dataset statistics instead of batch statistics and avoid changing dataset statistics of the batch-norm layers with each call. (912)

Removed

[None]

Fixed

- Fixed bug of missing argument `model` in `art.estimators.object_detection.TensorFlowFasterRCNN` which caused instantiation to fail. (951)
- Fixed bug of missing square in calculation of loss and class gradients for `art.estimators.classification.ScikitlearnSVC` using Radial Basis Function (RBF) kernels. (921)
- Fixed missing support for `preprocessing=None` in `art.estimators.BaseEstimator`. (916)


© 2024 Safety CLI Cybersecurity Inc. All Rights Reserved.