Adversarial Robustness Toolbox Versions

Adversarial Robustness Toolbox (ART) - Python Library for Machine Learning Security - Evasion, Poisoning, Extraction, Inference - Red and Blue Teams

1.17.1

2 months ago

This release of ART 1.17.1 provides updates to ART 1.17.

Added

[None]

Changed

[None]

Removed

  • Removed upper limit for scikit-learn to reduce dependency conflicts and facilitate integration with other libraries.

Fixed

[None]

1.17.0

4 months ago

This release of ART 1.17.0 introduces new adversarial training protocols, membership inference attacks, composite adversarial attacks for evasion and more.

Added

  • Added Composite Adversarial Attack as evasion attack in PyTorch (#2287)
  • Added support for black-box membership inference attacks without true labels (#2293)
  • Added verbose option for progress bars in methods fit and predict of all classification estimators (#2334)
  • Added Oracle Aligned Adversarial Training (OAAT) in PyTorch (#2348)

Changed

[None]

Removed

[None]

Fixed

  • Fixed bug in ActivateDefense and SpectralSignatures poisoning defences by flattening the outputs when calling get_activations() (#2327)
  • Fixed bug in Hugging Face classification estimator to correctly infer device if provided model is already on GPU (#2300)

1.16.0

7 months ago

This release of ART 1.16.0 introduces multiple estimators for certified robustness and Hugging Face models, adversarial training with Adversarial Weight Perturbation, improvements for inference attacks, and more.

Added

  • Added estimator for smoothed vision transformers as defence against evasion with adversarial patches (#2171)
  • Added estimators for variations of randomised smoothing including MACER, SmoothAdv, and SmoothMix for PyTorch and TensorFlow (#2218)
  • Added adversarial training with Adversarial Weight Perturbation protocol in PyTorch (#2224)
  • Added estimator for Hugging Face models with PyTorch backend (#2245)
  • Added ObjectSeeker certifiably robust defence for object detectors against poisoning and adversarial patches (#2246)
  • Added representation string __repr__ to all attacks (#2274)

Changed

  • Changed inference attacks to support additional attack model types (e.g., KNN, LR, etc.) and replaced scikit-learn's MLPClassifier with a PyTorch neural network model (#2253)
  • Changed the attacks' method set_params to raise ValueError if an attribute that was not previously defined is set (#2257)
  • Changed AutoAttack to support multiprocessing and support running attacks in parallel (#2258)

Removed

[None]

Fixed

  • Fixed docstring of TargetedUniversalPerturbation (#2212)
  • Fixed bug of unsupported operands because of dependency updates in AdversarialPatchTensorFlowV2 (#2276)
  • Fixed bug in AutoAttack so that attacks which do not support targeted mode are no longer skipped (#2257)

1.15.2

7 months ago

This release of ART 1.15.2 provides updates to ART 1.15.

Added

[None]

Changed

[None]

Removed

[None]

Fixed

  • Fixed bug where PyTorchYolo and PyTorchObjectDetector object detection estimators modified the original input Numpy array (#2263)
  • Fixed bug where channels_first argument of PyTorchObjectDetector and PyTorchFasterRCNN received the wrong default value of False instead of True (#2264)

1.15.1

8 months ago

This release of ART 1.15.1 provides updates to ART 1.15.

Added

[None]

Changed

[None]

Removed

[None]

Fixed

  • Fixed deprecation warning by replacing the import statement from scipy.ndimage.filters import median_filter with from scipy.ndimage import median_filter (#2211)
  • Fixed bug that limited input shapes in the AutoProjectedGradientDescent and AutoConjugateGradient attacks to images; any input shape is now supported (#2214)
  • Fixed missing support for index-labels in AdversarialTrainerTRADESPyTorch (#2231)
  • Fixed bug in PyTorchObjectDetector and PyTorchYolo estimators to support non-leaf tensors so that they retain their gradient properties when moved to another device (#2238, #2249)
  • Fixed unintended required dependency Pillow to be optional again (#2240)
  • Fixed circular dependencies in art.estimators.certification (#2241)

1.15.0

10 months ago

This release of ART 1.15.0 introduces a default training loop for TensorFlowV2Classifier, the TRADES adversarial training protocol, an estimator for DEtection TRansformer (DETR) object detection models, and more.

Added

  • Added default training function to TensorFlowV2Classifier (#2124)
  • Added TRADES adversarial training protocol in PyTorch (#2131)
  • Added preprocessors for images supporting padding and resizing in PyTorch, TensorFlow and framework-independent (#2138)
  • Added support for arbitrarily sized images in BadDet poisoning attacks (#2189)
  • Added estimator for DEtection TRansformer (DETR) object detection models based on transformer architectures (#2192)

Changed

  • Changed PyTorch estimators to use PyTorch datasets and dataloaders to optimize the fit and predict methods for PyTorchClassifier, PyTorchRegressor, PyTorchRandomizedSmoothing, PyTorchObjectDetector, and PyTorchYolo and optimized the predict method of TensorFlowV2Classifier by using a TensorFlow dataset and applying @tf.function decorator (#2180)
  • Changed PyTorchObjectDetector to apply channels_first argument and improved performance by applying batch processing provided by newer PyTorch versions (#2180)

Removed

[None]

Fixed

  • Fixed unnecessary duplicate prediction calls to estimator in SignOPTAttack (#2129)
  • Fixed missing transfer of tensor to device in ProjectedGradientDescentPyTorch (#2135)
  • Fixed trigger placement for image poisoning perturbations by correctly accessing height and width of the trigger image instead of swapping both (#2143)
  • Fixed key error in loss gradients of PyTorchYolo estimator and updated format of targets passed to the estimator in AdversarialPatchPyTorch to reflect updates to PyTorchYolo (#2169)
  • Fixed Visible Deprecation Warning in analyze_by_distance and analyze_by_size of ClusteringAnalyzer (#2195)

1.14.1

1 year ago

This release of ART 1.14.1 provides updates to ART 1.14.

Added

[None]

Changed

[None]

Removed

[None]

Fixed

  • Fixed bug in PyTorchYolo object detection estimator to correctly normalize the bounding boxes (#2091)
  • Fixed missing adversarial_accuracy metric in __init__.py (#2093)
  • Fixed bug of default value for a loss weighting parameter being used rather than user supplied inputs in AdversarialTrainerCertifiedIBPPyTorch (#2102)
  • Fixed Regional Misclassification Attack (RMA) to be able to poison all bounding boxes regardless of the class type (#2110)
  • Fixed wrong order of predictions and targets arguments in AutoProjectedGradientDescent's new cross entropy loss class introduced in ART 1.14.0 and ensured correct attributes in PyTorchClassifier (#2117)

1.14.0

1 year ago

This release of ART 1.14.0 introduces poisoning attacks on object detection models, privacy risk metrics, a new white-box evasion attack based on conjugate gradients, and more.

Added

  • Added implementation of SHAPr membership privacy risk metric (#1978)
  • Added support for categorical non-numeric as well as continuous features in attribute inference attacks and improvements in shadow model tools (#2006)
  • Added implementation of Auto Conjugate Gradient Attack for white-box evasion (#2028)
  • Added implementation of adversarial training with interval bound propagation (#2044)
  • Added implementation of method fit to object detection estimators PyTorchFasterRCNN, PyTorchObjectDetector, and PyTorchYolo (#2067)
  • Added BadDet object detection poisoning attacks (RMA, GMA, OGA, ODA) (#2054, #2069)

Changed

  • Changed evasion detectors module by refactoring the entire module and introducing common API with the EvasionDetector base class (#1993)
  • Changed loading of audio triggers with audio_perturbations to cache trigger to accelerate loading (#2053)
  • Changed tested and officially supported Python versions to 3.9, 3.10, 3.11 (#2063)
  • Changed checks and internal improvements to AdversarialTrainerCertifiedPytorch (#2070)

Removed

[None]

Fixed

  • Fixed bug in add_single_bd and add_pattern_bd to avoid confusing height and width of the trigger image and transposing the trigger (#2046)

1.13.1

1 year ago

This release of ART 1.13.1 provides updates to ART 1.13.

Added

[None]

Changed

  • Changed PDTP privacy metric to support two comparison modes: ratio (default) and the new difference mode (#1984)
  • Changed default parameters for apply_fit and apply_predict for the Data Augmentation defenses CutMix*, CutOut*, and MixUp* (#1987)

Removed

[None]

Fixed

  • Fixed bug in PixelThreshold attack to support batches of a single sample (#1982)
  • Fixed type error in DPInstaHideTrainer for PyTorchClassifier by casting random noise to correct type (#1987)
  • Added missing classes to union types OBJECT_DETECTOR_TYPE, PYTORCH_ESTIMATOR_TYPE, and TENSORFLOWV2_ESTIMATOR_TYPE (#1999)
  • Fixed audio perturbations going out of clip values in insert_tone_trigger and insert_audio_trigger (#2016)
  • Fixed missing transfer to device in FeatureAdversariesPyTorch to enable running on GPUs (#2021)
  • Fixed missing conversion to float to support floor() on GPUs in PyTorchClassifier (#2022)
  • Fixed incorrect integer return type in check_and_transform_label_format (#2025)

1.13.0

1 year ago

This release of ART 1.13.0 introduces a black-box regression estimator, DP-InstaHide, an object detection estimator for TensorFlow v2, and more.

Added

  • Added CutOut data augmentation as preprocessor in Numpy, TensorFlow and PyTorch (#1850)
  • Added MixUp data augmentation as preprocessor in Numpy, TensorFlow and PyTorch (#1885)
  • Added CutMix data augmentation as preprocessor in Numpy, TensorFlow and PyTorch (#1910)
  • Added regression estimator for black-box scenario (#1930)
  • Added additional model support for shadow models (#1930)
  • Added Numpy-based data generator to support very large datasets (#1934)
  • Added object detection estimator for Faster-RCNN in TensorFlow v2 (#1951)
  • Added DP-InstaHide training for classification with differentially private data augmentations (#1956)
  • Added Interval Bound Propagation for certified classification in PyTorch (#1965)

Changed

[None]

Removed

[None]

Fixed

  • Fixed unexpected shape in art.utils.load_cifar10 for loading raw dataset (#1962)
  • Fixed bug to return correct best poisoning indices in SleeperAgentAttack (#1955)