Adversarial Robustness Toolbox Versions Save

Adversarial Robustness Toolbox (ART) - Python Library for Machine Learning Security - Evasion, Poisoning, Extraction, Inference - Red and Blue Teams

1.12.2

1 year ago

This release of ART 1.12.2 provides updates to ART 1.12.

Added

  • Added drop_last option to method fit of PyTorchClassifier (#1883)

Changed

  • Changed documentation of art.metrics.verification_decisions_trees.RobustnessVerificationTreeModelsCliqueMethod to provide additional information (#1897)
  • Changed Numba to be an optional dependency (#1884)
  • Changed BoundaryAttack to enable binary classification by removing unnecessary input check (#1890)

Removed

[None]

Fixed

  • Fixed issue caused by missing variable initialization in SleeperAgentAttack (#1892)
  • Fixed bug in projection_l1_1 and projection_l1_2 where in rare cases they returned the input point rather than its projection (#1870)

1.12.1

1 year ago

This release of ART 1.12.1 provides updates to ART 1.12.

Added

[None]

Changed

[None]

Removed

[None]

Fixed

  • Fixed object detection estimator PyTorchYolo to not modify tracked statistics of batch-norm layers of the YOLO model during loss and loss gradient calculations (#1860)

1.12.0

1 year ago

This release of ART 1.12.0 introduces the first black-box adversarial patch attack, overlapping shadow datasets for membership inference, certified adversarial training, and more.

Added

  • Added Sleeper Agent poisoning attack in TensorFlow in art.attacks.poisoning.SleeperAgentAttack (#1769)
  • Added support for overlapping shadow models and black-box model predictions as input in membership inference attacks (#1778)
  • Added adversarial accuracy as a metric (#1779)
  • Added function art.utils.uniform_sample_from_sphere_or_ball to sample uniformly from either the ball or the sphere with a given norm and radii (#1804)
  • Added GRAPHITE, black- and white-box evasion attacks generating adversarial patches (#1828)
  • Added certified adversarial training (#1841)

Changed

  • Changed art.attacks.evasion.DPatch to accept true labels (#1780)
  • Changed art.utils.random_sphere to use a different, faster algorithm for norm=1 based on exponential distribution (#1805)

Removed

[None]

Fixed

[None]

1.11.1

1 year ago

This release of ART 1.11.1 provides updates to ART 1.11.

Added

[None]

Changed

[None]

Removed

[None]

Fixed

  • Fixed unnecessary check for targeted attacks in AdversarialPatch and delegated check to framework-specific implementations (#1768)
  • Fixed missing transfer to device in AdversarialPatchPyTorch.apply_patch() (#1771)
  • Fixed redundant call to detach().cpu().numpy() in PyTorchClassifier.predict() (#1785)
  • Fixed art.utils.random_sphere() for norm=1 to sample uniformly in the L1 ball (#1802)
  • Fixed PyTorch detach() call on Numpy arrays in PyTorchRegressor (#1824)
  • Fixed probability check for multi-dimensional arrays + out of bounds error in binning in the pointwise differential training privacy metric PDTP (#1825)
  • Fixed learning rate decay in ElasticNet evasion attack (#1833)

1.11.0

1 year ago

This release of ART 1.11.0 introduces estimators for YOLO object detection and regression models, the first audio poisoning attack, new query-efficient black-box evasion attacks, certified defenses against adversarial patch attacks, metrics quantifying membership inference and more.

Added

  • Added Momentum-Iterative FGSM evasion attack in MomentumIterativeMethod and added optional momentum to loss gradients in ProjectedGradientDescent* attacks. (#1614)
  • Added metrics measuring worst-case scores of membership inference attacks. (#1709)
  • Added estimator for YOLO v3 models in PyTorch in PyTorchYolo. (#1715)
  • Added estimators for de-randomized smoothing certification against patch attacks in PyTorchDeRandomizedSmoothing and TensorFlowV2DeRandomizedSmoothing. (#1729)
  • Added query-efficient hard-label black-box evasion attack Sign-Opt in SignOPTAttack. (#1730)
  • Added Sleeper Agent poisoning attack PyTorch in SleeperAgentAttack. (#1736)
  • Added exclusionary reclassification to ActivationDefence. (#1738)
  • Added dirty-label backdoor poisoning attack on audio classification in art.attacks.poisoning.perturbations.audio_perturbations. (#1740)
  • Added estimators for regression in PyTorchRegressor and KerasRegressor for PyTorch and Keras. (#1651)
  • Added option for targeted attacks to AdversarialPatch and AdversarialPatchNumpy. (#1759)

Changed

  • Changed check_and_transform_label_format for nb_classes=None to automatically determine the number of classes in the provided labels. (#1747)
  • Added additional documentation to ZOOAttack and cleaned up the code of method compare. (#1648)
  • Changed default value for number of epochs nb_epochs in AdversarialTrainerMadryPGD to match 80'000 training steps of Madry et al. (#1758)

Removed

[None]

Fixed

  • Fixed PyTorchClassifier.clone_for_refitting by deleting optimizer from parameters before calling set_param() to avoid creating the cloned model with the old optimizer. (#1742)
  • Fixed missing propagation of nb_classes to method check_and_transform_label_format in inference attacks. (#1713)

1.10.3

1 year ago

This release of ART 1.10.3 provides updates to ART 1.10.

Added

[None]

Changed

[None]

Removed

[None]

Fixed

  • Fixed missing zeroing of gradients in PyTorch variable of the adversarial patch in art.attacks.evasion.AdversarialTexturePyTorch (#1724, #1726)

1.10.2

1 year ago

This release of ART 1.10.2 provides updates to ART 1.10.

Added

[None]

Changed

  • Changed PyTorchClassifier to use a new optimizer when cloned with clone_for_refitting (#1580)
  • Changed class names of art.estimators.gan.* and art.estimators.generator.* to follow naming convention (#1655)
  • Changed Mp3CompressionPyTorch and PyTorchDeepSpeech to add support for samples in 2D non-object arrays (#1680, #1702)
  • Changed file name python_object_detector.py to pytorch_object_detector.py to follow naming convention (#1687)
  • Changed CarliniLInfMethod by adding argument for batch_size (#1699)

Removed

[None]

Fixed

  • Fixed required dependency on TensorFlow (#1655)
  • Fixed bug in ImperceptibleASRPyTorch by adding missing .detach().cpu() and .cpu() calls (#1677)
  • Fixed bug in art.estimators.certification.randomized_smoothing estimators to correctly apply Gaussian noise (#1678)
  • Fixed bug in GaussianNoise the post-processing defence to keep number of dimensions constant during normalisation (#1684)
  • Fixed bug in RobustDPatch for channels first images to correctly un-transform loss gradients (#1693)
  • Fixed bug in support for numpy arrays in logger of PoisoningAttackCleanLabelBackdoor (#1698)

1.10.1

2 years ago

This release of ART 1.10.1 provides updates to ART 1.10.

Added

[None]

Changed

  • Changed AdversarialTrainerMadryPGD.fit to support arguments nb_epochs and batch_size (#1612)
  • Changed GradientMatchingAttack to add support for models with undefined input shape by abstracting the shape information from the input data (#1624)
  • Changed PyTorchObjectDetector to support inputs with number of channels other than 1 and 3 (#1633)

Removed

[None]

Fixed

  • Fixed incorrect handling of true regression labels in attribute inference attacks (#1598)
  • Fixed AdversarialPatchPyTorch.apply_patch to correctly check if mask is None (#1607)

1.10.0

2 years ago

This release of ART 1.10.0 introduces multiple poisoning attacks on image classification and deep generative models, the first attack with dynamic patches on object tracking in videos, classification certification based on zonotope representations, EoT support for object detection in image rotation and center cropping, new features for attribute inference attacks and more.

Added

  • Added Gradient Matching (Witches' Brew) attack art.attacks.poisoning.GradientMatchingAttack in TensorFlow (#1587)
  • Added functions projection_l1_1 and projection_l1_2 to art.utils for two algorithms computing orthogonal projections on L1-norm balls (#1586)
  • Added perspective transformations to art.attacks.evasion.AdversarialTexturePyTorch attack to enable dynamic texture/patches (#1557)
  • Added support for object detection in art.attacks.evasion.AdversarialPatchPyTorch (#1535)
  • Added new features to attribute inference attacks including support for optional use of true labels in black-box attribute inference attacks, automatic calculation of values in fit() method, additional scaling method for labels/predictions and an additional attack model type (random forest) (#1534)
  • Added estimator art.estimators.certification.PytorchDeepZ based on DeepZ for robustness certification using zonotope representations of datapoints (#1531)
  • Added Expectation over Transformation (EoT) for rotation and centre crop with support for classification and object detection (#1516)
  • Added support for SummaryWriter in art.attacks.evasion.RobustDPatch (#1513)
  • Added PGD L-Inf optimizer to art.attacks.evasion.AdversarialPatch* attacks (#1495)
  • Added two backdoor poisoning attacks, Red in art.attacks.poisoning.BackdoorAttackDGMReD and Trail in art.attacks.poisoning.BackdoorAttackDGMTrail, targeting Deep Generative Models (#1490)
  • Added Hidden Trigger Backdoor Poisoning Attack in Keras and PyTorch in art.attacks.poisoning.HiddenTriggerBackdoor (#1487)
  • Added Feature Collision Poisoning Attack in PyTorch in art.attacks.poisoning.FeatureCollisionAttack (#1435)

Changed

  • Changed imports of TensorFlow v2 in TensorFlowClassifier to support TensorFlow v1 compatibility mode (#1560)
  • Changed Python used for unit testing to newer versions, upgraded style checks and improved code quality (#1517)

Removed

[None]

Fixed

  • Fixed import of Scipy in PixelThreshold attack to support scipy>=1.8 (#1589)
  • Fixed bug of missing attribute in PixelAttack for scaled images (#1574)
  • Fixed use of torchaudio.functional.magphase in PyTorchDeepSpeech to support Deep Speech 2 version 3 with torch>=1.10 (#1550)
  • Fixed method fit of ScikitlearnRegressor to process labels correctly (#1537)
  • Fixed scalar names of Indicators of Attack Failure 2 and 3 for aggregated losses (#1512)
  • Fixed raising of DataConversionWarning in fitting black box membership inference attacks with attack_model_type 'rf' or 'gb' (#1488)

1.9.1

2 years ago

This release of ART 1.9.1 provides updates to ART 1.9.

Added

  • Added support for TensorFlow 1.15 as backend in KerasClassifier.compute_loss. (#1466)
  • Added support for input range [0, 1] in art.defences.preprocessor.VideoCompression*. (#1470)

Changed

[None]

Removed

[None]

Fixed

  • Fixed bug in art.utils.load_nursery for loading nursery dataset with argument raw=True. (#1460)
  • Fixed import of matplotlib to keep it an optional dependency. (#1467)
  • Fixed bug to allow preprocessing defences to be applied in PyTorchGoturn.predict by adding back missing sample dimension. (#1470)
  • Fixed bug in PyTorchClassifier.get_activations to also apply preprocessing if argument framework=True. This fix likely changes the results obtained with BullseyePolytopeAttackPyTorch, the main attack using framework=True. (#1471)