Adversarial Robustness Toolbox (ART) - Python Library for Machine Learning Security - Evasion, Poisoning, Extraction, Inference - Red and Blue Teams
This release of ART 1.9.0 introduces the first evasion attack specifically designed against object tracking applications and able to distinguish foreground and background objects, the first evasion attack against image classifiers simulating attacks with laser beams on target objects, the new Summary Writer API to collect attack-internal custom metrics, a defense against general poisoning attacks, and tools for shadow model training to support membership inference attacks.

- `art.attacks.inference.membership_inference.shadow_models`. (#1345, #1395)
- `art.experimental.estimators.classification.JaxClassifier` (#1360)
- `art.estimators.classification.DeepPartitionEnsemble` to defend against general poisoning attacks (#1397)
- `art.attacks.evasion.LaserAttack` as an easy-to-realize physical evasion attack (#1398)
- `art.summary_writer.SummaryWriter` to collect attack-internal metrics in supported attacks, providing the collected metrics in TensorBoard format for analysis (#1416)
- `art.summary_writer.SummaryWriterDefault` (#1416)
- `art.attacks.evasion.AdversarialTexturePyTorch`. The attack distinguishes foreground and background objects to create textures/patches that work even if partially covered. (#1430)
- `art.attacks.evasion.CarliniLInfMethod` to exactly reproduce the performance of the reference implementation (#1380)
- `art.defences.preprocessor.preprocessor.PreprocessorPyTorch` to accept `device_type` in `__init__`, setting attribute `_device` for all PyTorch preprocessors in a single location (#1444)
- `tests.attacks.test_simba`, which stated that SimBA would not support PyTorch (#1423)
- `art.attacks.evasion.SimBA.generate`: so far only the first sample had been attacked if more than one image was provided. (#1422)
- `art.attacks.poisoning.perturbations.insert_image` to preserve the dtype of the input images in the returned output images (#1441)
- `art.utils.check_and_transform_label_format` for argument `return_one_hot=True` (#1443)

This release of ART 1.8.1 provides updates to ART 1.8.
- `torch.Tensor` inputs and required argument `input_shape` to `art.estimators.object_tracking.PyTorchGoturn`. (#1348)
- `torch==1.9` and `torchvision==0.10` to exception in `art.estimators.object_detection.PyTorchObjectDetector`. (#1356)

- `art.attacks.evasion.AdversarialPatchPyTorch`. (#1333)

This release of ART v1.8.0 introduces the first estimators for object tracking and regression, adds a general model-independent object detection estimator and new membership inference attacks.
- `art.estimators.object_tracking.PyTorchGoturn` (#1318)
- `art.estimators.regression.ScikitlearnDecisionTreeRegressor`, and added compatibility in attacks `AttributeInferenceBlackBox` and `MembershipInferenceBlackBox` (#1272)
- `torchvision` in `art.estimators.object_detection.PyTorchObjectDetector` (#1295)
- `art.estimators.classification.BlackboxClassifier*` to also accept recorded input/prediction data pairs instead of a callable that obtains predictions by evaluating the attacked model, enabling attacks on prediction data only, without the necessity for direct access to the attacked model (#1247)
- `art.contrib` (#1261)
- `art.classifiers` and `art.wrappers`; both modules have been replaced with tools in `art.preprocessing.expectation_over_transformation`, `art.estimators.classification` and `art.estimators.classification.QueryEfficientGradientEstimationClassifier` (#1256)

This release of ART 1.7.2 provides updates to ART 1.7.
- `PyTorchClassifier.compute_loss`. (#1264)
- `float` in argument `min_epsilon` of `BoundaryAttack`. (#1262)
- `art/attacks/poisoning/perturbations/image_perturbations.insert_image`. (#1290)

This release of ART 1.7.1 provides updates to ART 1.7.
- `Mp3CompressionPyTorch` for `Mp3Compression` to make it compatible with PyTorch-specific attack implementations. (#1210)
- `non-framework` to `setup.py` to install all non-framework dependencies of ART. (#1209)
- `VideoCompressionPyTorch` for `VideoCompression` to make it compatible with PyTorch-specific attack implementations. (#1210)
- `Mp3Compression` to add back the reapplication of normalization to the compressed result. (#1210)
- `KerasClassifier.fit` to use the batching provided by the `fit` method of the Keras model. (#1182)

- `gpu`, to the standardisation preprocessor in all `PyTorchEstimator` by using the user-provided device type. (#1223)
- `BaseEstimator.fit_generator` for fitting generators in cases where preprocessing is defined, so that preprocessing is not applied twice. (#1219)
- `ImperceptibleASRPyTorch` to prevent NaN loss values for batch sizes larger than 1 by removing unnecessary zero-padding. (#1198)
- `OverTheAirFlickeringPyTorch` by making sure, first, that the regularization norms are computed over the whole batch of perturbations rather than per sample's perturbation, and second, that the "roll" operations are performed over the batch samples rather than over the frames. (#1192)
- `SpectralSignatureDefense`, which led to rejections of all clean images, by correctly indexing the label data. (#1189)
- `apply_fit` and `apply_predict` properties of framework-independent `Preprocessor` tools in `PyTorchEstimator` and `TensorFlowV2Estimator`. With the bug, the `Preprocessor` tools were always applied in methods `fit` and `predict`, independent of the values of `apply_fit` and `apply_predict`. (#1181)
- `MembershipInferenceBlackBoxRemove.infer` by removing unnecessary shuffling of the test data. (#1173)
- `PixelAttack` and `ThresholdAttack` by casting input data to the correct dtype. (#1175)

This release of ART v1.7.0 introduces many new evasion and inference attacks providing support for the evaluation of malware or tabular data classification, new query-efficient black-box (GeoDA) and strong white-box (Feature Adversaries) evaluation methods. Furthermore, this release introduces an easy-to-use estimator for Espresso ASR models to facilitate ASR research and connect Espresso and ART. This release also introduces support for binary classification with single outputs in neural network classifiers and selected attacks. Many more new features and details can be found below:
- `art.attacks.evasion.LowProFool`. (#1063)
- `art.attacks.evasion.OverTheAirFlickeringPyTorch`. (#1077, #1102)
- `art.attacks.evasion.CarliniL0Method`. (#844, #1109)
- `PyTorchDeepSpeech` estimator. (#1107)
- `AdversarialPatchPyTorch`, `AdversarialPatchTensorFlow`, `FastGradientMethod`, and all `ProjectedGradientDescent*` attacks. (#1071)
- `MalwareGDTensorFlow` attack for evasion on malware classification of portable executables, supporting append-based, section insertion, slack manipulation, and DOS header attacks. (#1015)
- `art.attacks.evasion.GeoDA` for query-efficient black-box attacks on decision labels using DCT noise. (#1001)
- `art.attacks.evasion.FeatureAdversaries*`. (#1128, #1142, #1156)
- `art.attacks.inference.AttributeInferenceMembership`. (#1132)
- `FastGradientMethod`, and all `ProjectedGradientDescent*` attacks. Neural network binary classifiers with a single output require setting `nb_classes=2` and labels `y` in shape (nb_samples, 1) or (nb_samples,) containing 0 or 1. Backward compatibility for binary classifiers with two outputs is guaranteed with `nb_classes=2` and labels `y` one-hot-encoded in shape (nb_samples, 2). (#1118)
- `art.estimators.speech_recognition.PyTorchEspresso` with support for attacks with `FastGradientMethod`, `ProjectedGradientDescent` and `ImperceptibleASRPyTorch`. (#1036)
- `art.classifiers` and `art.wrappers` to be replaced with `art.estimators`. (#1154)
- `art.utils.load_iris` to use the Iris dataset from `sklearn.datasets` instead of `archive.ics.uci.edu`. (#1097)
- `HopSkipJump` to check for NaN in the adversarial example candidates and return the original (benign) sample if at least one NaN is detected. (#1124)
- `SquareAttack` to accept user-defined loss and adversarial criterion definitions, to enable black-box attacks on all machine learning tasks on images beyond classification. (#1127)
- `PyTorchFasterRCNN.loss_gradients` to process each sample separately to avoid issues with gradient propagation with `torch>=1.7`. (#1138)
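The binary-classifier label layouts described in the 1.7.0 notes above (labels `y` of shape (nb_samples,) or (nb_samples, 1) holding 0/1, or one-hot rows of shape (nb_samples, 2)), together with the `return_one_hot=True` behaviour of `art.utils.check_and_transform_label_format` mentioned in the 1.9.0 notes, can be exercised with the following added example. It is not ART's code: `normalize_labels` and `is_valid_label_layout` are hypothetical, dependency-free re-implementations of the same idea that accept the three layouts, return either class indices or one-hot rows, and reject anything they cannot interpret instead of silently misreading it.

```python
from typing import List, Sequence, Union

# One label is either a bare class index or a row (an index in a 1-element row, or a one-hot row).
Label = Union[int, float, Sequence[float]]


def _is_one_hot_row(row: Sequence[float]) -> bool:
    """A one-hot row has exactly one entry equal to 1 and every other entry equal to 0."""
    return all(v in (0, 1) for v in row) and sum(1 for v in row if v == 1) == 1


def normalize_labels(y: Sequence[Label], nb_classes: int, return_one_hot: bool = False) -> List:
    """Convert labels given in any accepted layout to class indices or one-hot rows.

    Accepted layouts, mirroring the shapes described in the release notes:
      (nb_samples,)            flat class indices, e.g. [0, 1, 1]
      (nb_samples, 1)          one index per row,  e.g. [[0], [1], [1]]
      (nb_samples, nb_classes) one-hot rows,       e.g. [[1, 0], [0, 1], [0, 1]]

    With return_one_hot=True the result is a list of one-hot rows of width nb_classes,
    otherwise a flat list of indices. Anything else raises ValueError.
    """
    if nb_classes < 2:
        raise ValueError("nb_classes must be at least 2")
    indices: List[int] = []
    for i, label in enumerate(y):
        if isinstance(label, (int, float)):      # layout (nb_samples,)
            value = float(label)
        elif len(label) == 1:                     # layout (nb_samples, 1)
            value = float(label[0])
        elif len(label) == nb_classes:            # layout (nb_samples, nb_classes)
            if not _is_one_hot_row(label):
                raise ValueError(f"row {i} is not one-hot: {list(label)}")
            value = float(list(label).index(1))
        else:
            raise ValueError(f"row {i} has width {len(label)}, expected 1 or {nb_classes}")
        if not value.is_integer() or not 0 <= value < nb_classes:
            raise ValueError(f"row {i}: class index {value} is not an integer in [0, {nb_classes})")
        indices.append(int(value))
    if not return_one_hot:
        return indices
    return [[1 if c == idx else 0 for c in range(nb_classes)] for idx in indices]


def is_valid_label_layout(y: Sequence[Label], nb_classes: int) -> bool:
    """True if normalize_labels accepts y, False if it raises (useful as an input check)."""
    try:
        normalize_labels(y, nb_classes)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed labels for a binary task, once per accepted layout.
    for labels in ([0, 1, 1], [[0], [1], [1]], [[1, 0], [0, 1], [0, 1]]):
        print(labels, "->", normalize_labels(labels, nb_classes=2, return_one_hot=True))
```

The width check is what distinguishes the (nb_samples, 1) index layout from the (nb_samples, 2) one-hot layout, so a two-output binary model and a single-output one can share the same loader as long as `nb_classes=2` is set.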
- `art.defences.preprocessor.Mp3Compression` related to a bug in earlier versions of `pydub`. (#419)

This release of ART 1.6.2 provides updates to ART 1.6.
- `RobustDpatch` (#1069)
- `standardise_output` to define the provided label format (#1069)
- `native_label_is_pytorch_format` to object detectors to define the label format expected by the model (#1069)
- `Dpatch` and `RobustDpatch` to work internally with `PyTorchFasterRCNN`'s object detection label format and to convert labels provided in `TensorFlowFasterRCNN`'s format accordingly, using option `standardise_output` (#1069)
- `setup.py` to only contain core dependencies in `install_requires`, and added the additional install options `tensorflow_image`, `tensorflow_audio`, `pytorch_image`, and `pytorch_audio` (#1116)
- `torch` and `torchvision` in `AdversarialPatchPyTorch` to account for version suffixes like `+cu102` (#1115)
- `art.utils.load_iris` to use `sklearn.datasets.load_iris` instead of downloading from https://archive.ics.uci.edu/ml/machine-learning-databases/iris/iris.data (#1097)
- `scores` in labels `y` for `TensorFlowFasterRCNN.loss_gradient` and `PyTorchFasterRCNN.loss_gradient` (#1069)
- `predict` and `loss_gradient` to correctly describe the expected and provided label format (#1069)
- `ProjectedGradientDescentPyTorch` (#1076)
- `ScikitlearnLogisticRegression.loss_gradient` (#1065)

This release of ART 1.6.1 provides updates to ART 1.6.
- `stride`, `freq_dim` and image size in `SimBA` attack. (#1037)
- `LFilter` audio preprocessing. (#1002)
- `BullseyePolytopeAttackPyTorch` attack to increase effectiveness in end-to-end scenarios. (#1003)
- `nb_parallel` values in `ZooAttack`. (#988)
- `TensorFlowV2Classifier.get_activations` to accept negative layer indexes. (#1054)
- `BoundaryAttack` and `HopSkipJump` attacks with `batch_size` larger than 1, and changed the default value to `batch_size=64`. (#971)

- `Dpatch` attack, which did not apply the patch being optimised onto the images used for loss gradient calculation, so every iteration used the initially applied patches. (#1049)
- `BullseyePolytopeAttackPyTorch` attack, where attacking multiple layers of the underlying model only perturbed the first of all input images. (#1046)
- `TensorFlowV2Classifier.loss_gradient` by adding labels to the application of the preprocessing step, to enable EoT preprocessing steps that increase the number of samples and labels. This change does not affect the accuracy of previously calculated loss gradients. (#1010)
- `ElasticNet` attack to apply the `confidence` parameter when generating adversarial examples. (#995)
- `art.attacks.poisoning.perturbations.image_perturbations.insert_image` to correctly transpose input images when `channels_first=True`. (#1009)
- `compute_loss` in `PyTorchDeepSpeech`, `TensorFlowFasterRCNN` and `BlackBoxClassifier`. (#994, #1000)

This release of ART v1.6.0 introduces new evaluation tools in the three different threat types of poisoning, inference and evasion: the clean-label poisoning attack Bullseye Polytope, a baseline attribute inference attack, and a PyTorch-specific implementation of the Adversarial Patch attack with perspective transformation sampling. Furthermore, this release contains the first set of Expectation over Transformation (EoT) preprocessing tools for image processing and natural corruptions.
- `art.attacks.poisoning.BullseyePolytopeAttackPyTorch` (#962)
- `art.metrics.PDTP` (#958)
- `art.attacks.inference.attribute_inference.AttributeInferenceBaseline`, defining a minimal attribute inference performance that can be achieved without access to the evaluated model (#956)
- `art.preprocessing.expectation_over_transformation` for image processing and natural image corruptions including brightness, contrast, Gaussian noise, shot noise, and zoom blur. These EoTs enable sampling multiple transformed samples in each forward pass and are fully differentiable for accurate loss gradient calculation in PyTorch and TensorFlow v2. They can be chained together in sequence and are implemented fully framework-specific (#919)
- `insert_transformed_patch` to all adversarial patch attacks `art.attacks.evasion.AdversarialPatch*`, applying adversarial patches onto a perspective-transformed square defined by the coordinates of its four corners (#891)
- `art.attacks.evasion.AdversarialPatchPyTorch` with additional functionality to support sampling over perspective transformations (#876)
- `art.attacks.evasion.FastGradientMethod` and `art.attacks.evasion.ProjectedGradientDescent*` by replacing NaN values with 0.0 and logging a warning message. This should prevent losing expensive attack runs in late iterations and still return an adversarial example, while the warning alerts the user. (#883)
- `eps_step` and `eps` in `art.attacks.evasion.ProjectedGradientDescent*` to allow `eps_step` to be larger than `eps` for all norms, allow `eps_step=np.inf` to immediately project towards the norm ball or `clip_values`, and support `eps=0.0` to run the attack without any attack budget. The latter two changes are intended to facilitate the verification of attack setups. (#882)
- `skipMlFramework` to `skip_framework`, and the pytest argument `mlFramework` to `framework` (#961)
- `art.preprocessing.standardisation_mean_std` for standardisation with `mean` and `std` to provide extended support for broadcasting by automatically adapting 1-dimensional arrays for `mean` and `std` to be broadcastable on NCHW inputs (#839)
- `art.estimators.object_detection.PyTorchFasterRCNN.loss_gradient` to not overwrite the input label array with tensors (#954)
- `set_learning_phase` from all estimators, automating setting the model into the most likely appropriate state for each operation in methods `predict` (eval mode, `training_mode=False`), `fit` (train mode, `training_mode=True`), `loss_gradient` (eval mode), `class_gradient` (eval mode), etc. The default is defined by a new method argument `training_mode`, which can be changed, for example, for debugging purposes. An exception is RNN-type models in PyTorch, where `loss_gradient` and `class_gradient` will run the model in train mode but freeze the model's batch-norm and dropout layers if `training_mode=False`. (#781)
- `art.attacks.evasion.BoundaryAttack` in normal (L282) and suboptimal (L287) termination to return the adversarial example candidate with the smallest perturbation norm instead of the first adversarial example candidate in its list; this facilitates finding minimum-L2-perturbation adversarial examples (#948)
- `art.attacks.inference.attribute_inference.AttributeInferenceBlackBox` to support one-hot encoded features that have been scaled and lie in between 0 and 1 instead of just 0 and 1 (#927)
- `tensorflow` in TensorFlow v1 specific tools to enable backward compatibility and application with TensorFlow v2 (#880)
- `art.attacks.evasion.AdversarialPatchTensorFlowV2` from `SGD` to `Adam` for better performance (#878)
- `art.attacks.evasion.BrendelBethgeAttack` to include support for `numba`, following the reference implementation, which leads to great acceleration of the attack (#868)
- `art.estimators.classification.ScikitlearnClassifier` and all model-specific scikit-learn estimators to provide the new argument `use_logits` to define returning probability or logit predictions in their `predict` methods (#872)
- `clever_t` and, depending on it, `clever` and `clever_u` to reduce long runtimes by computing the class gradients of all samples in `rand_pool` before looping through the batches. To reduce the risk of `ResourceExhaustedError`, batching is now also applied on `rand_pool` to compute class gradients on smaller batches of size `pool_factor` (#762)
- `channel_index` from all estimators. `channel_index` has been replaced by `channels_first`. (#869)
- `art.attacks.evasion.BoundaryAttack` to now correctly check that adversarial predictions are different from the original image prediction during sampling, instead of the same (#948)

This release of ART 1.5.3 provides updates to ART 1.5.
- `art.attacks.evasion.ImperceptibleASR`, `art.attacks.evasion.ImperceptibleASRPyTorch` and `art.attacks.evasion.CarliniWagnerASR` where necessary to use the same names in all three attacks. (#955, #959)
- `art.attacks.evasion.ImperceptibleASRPyTorch` to use `torch.float64` instead of `torch.float32` to prevent NaN as loss value. (#931)
- `art.attacks.evasion.ImperceptibleASR` to improve the psychoacoustic model and stabilize the imperceptible loss by switching to librosa's STFT and using a scalar PSD maximum. (#930)
- `art.attacks.evasion.ImperceptibleASR` to use a periodic window for the STFT instead of the symmetric window option. (#930)
- `art.attacks.evasion.ImperceptibleASR` with early stopping if loss theta < 0.05, to avoid running into gradients with NaN values. (#930)
- `art.attacks.evasion.ImperceptibleASRPyTorch` to reset its optimisers for each internal batch in method `generate`, to guarantee the same optimiser performance on each batch; this is especially important for adaptive optimisers. (#917)
- `art.attacks.evasion.ImperceptibleASRPyTorch` to use `torch.stft` instead of `torchaudio.transforms.Spectrogram` to correctly compute the spectrogram. (#914)
- `art.estimators.speech_recognition.PyTorchDeepSpeech` to freeze the batch-norm layers of the Deep Speech model in method `loss_gradient`, to obtain gradients using dataset statistics instead of batch statistics and avoid changing the dataset statistics of the batch-norm layers with each call. (#912)
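The 1.6.0 note on `training_mode` and the 1.5.3 note on freezing batch-norm layers in `loss_gradient` both rest on the same behaviour: in train mode a batch-norm layer normalises with the statistics of the current batch and overwrites its running statistics as a side effect, while in eval mode it uses the stored dataset statistics and changes nothing. The following added example is neither ART's nor PyTorch's code; `ToyBatchNorm`, `first_output`, `input_gradient` and `compare_modes` are hypothetical names for a plain-Python one-dimensional batch-norm layer and a finite-difference probe. It shows that in train mode a change to one sample moves the output of another sample (the gradient is coupled across the batch) and every call drifts the running statistics, whereas in eval mode the gradient is per-sample and the stored statistics stay fixed, which is why `loss_gradient` wants eval mode or frozen batch-norm.

```python
import math
from typing import Dict, List, Tuple

BN_EPS = 1e-5


class ToyBatchNorm:
    """Minimal 1-D batch normalisation with running statistics (hypothetical, for illustration)."""

    def __init__(self, momentum: float = 0.1, gamma: float = 1.0, beta: float = 0.0) -> None:
        self.momentum = momentum
        self.gamma = gamma
        self.beta = beta
        self.running_mean = 0.0   # the "dataset statistics" accumulated during training
        self.running_var = 1.0

    def stats(self) -> Tuple[float, float]:
        return self.running_mean, self.running_var

    def forward(self, x: List[float], training: bool) -> List[float]:
        if training:
            # Train mode: normalise with this batch's statistics, so every output
            # depends on every input ...
            mean = sum(x) / len(x)
            var = sum((v - mean) ** 2 for v in x) / len(x)
            # ... and overwrite the running statistics as a side effect of the call.
            self.running_mean = (1 - self.momentum) * self.running_mean + self.momentum * mean
            self.running_var = (1 - self.momentum) * self.running_var + self.momentum * var
        else:
            # Eval mode: use the stored statistics and touch nothing.
            mean, var = self.running_mean, self.running_var
        scale = self.gamma / math.sqrt(var + BN_EPS)
        return [scale * (v - mean) + self.beta for v in x]


def first_output(bn: ToyBatchNorm, x: List[float], training: bool) -> float:
    """Toy loss: the normalised value of sample 0 (stands in for a per-sample model loss)."""
    return bn.forward(x, training)[0]


def input_gradient(bn: ToyBatchNorm, x: List[float], training: bool, h: float = 1e-6) -> List[float]:
    """Central finite-difference gradient of first_output with respect to every input sample.

    The running statistics are restored after each probe, so the probe itself does not
    drift them; only forward() calls made by the caller in train mode do.
    """
    saved = bn.stats()
    grad = []
    for i in range(len(x)):
        plus, minus = list(x), list(x)
        plus[i] += h
        minus[i] -= h
        lp = first_output(bn, plus, training)
        bn.running_mean, bn.running_var = saved
        lm = first_output(bn, minus, training)
        bn.running_mean, bn.running_var = saved
        grad.append((lp - lm) / (2 * h))
    return grad


def compare_modes(x: List[float]) -> Dict[str, object]:
    """Gradient and side-effect comparison of eval mode versus train mode on one batch."""
    bn = ToyBatchNorm()
    bn.running_mean, bn.running_var = 2.0, 4.0   # pretend training already set dataset stats
    before = bn.stats()

    grad_eval = input_gradient(bn, x, training=False)
    bn.forward(x, training=False)
    stats_after_eval = bn.stats()

    grad_train = input_gradient(bn, x, training=True)
    bn.forward(x, training=True)
    stats_after_train = bn.stats()

    return {
        "grad_eval": grad_eval,       # only entry 0 is non-zero: per-sample gradient
        "grad_train": grad_train,     # other entries non-zero: gradient coupled across the batch
        "eval_changed_stats": stats_after_eval != before,
        "train_changed_stats": stats_after_train != before,
    }


if __name__ == "__main__":
    batch = [1.0, 3.0, 5.0, 7.0]   # constructed batch of scalar activations
    for key, value in compare_modes(batch).items():
        print(key, value)
```

For the constructed batch the train-mode gradient entries sum to zero, a direct consequence of batch statistics making the normalised batch invariant to a common shift; that invariance is exactly what an attack's per-sample loss gradient must not inherit.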
- `model` in `art.estimators.object_detection.TensorFlowFasterRCNN`, which caused instantiation to fail. (#951)
- `art.estimators.classification.ScikitlearnSVC` using Radial Basis Function (RBF) kernels. (#921)
- `preprocessing=None` in `art.estimators.BaseEstimator`. (#916)
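The ART 1.6.0 notes above change two behaviours of `ProjectedGradientDescent*`: NaN values are replaced with 0.0 and a warning is logged, and the `eps`/`eps_step` combination now covers the cases `eps_step > eps`, `eps_step=np.inf` (project straight onto the norm ball or `clip_values`) and `eps=0.0` (no budget, so a correctly wired setup must hand back the benign input). The following added example is not ART's code; it is a dependency-free toy version of one PGD iteration over a list of floats, with `nan_safe_gradient`, `unit_direction`, `project`, `pgd_step`, `run_pgd` and the constructed linear model behind `toy_gradient` all being assumed names, that implements those rules for the L-inf and L2 norms so the edge cases can be checked on a small constructed input.

```python
import math
import warnings
from typing import Callable, List, Optional, Tuple

Vector = List[float]


def nan_safe_gradient(grad: Vector) -> Tuple[Vector, int]:
    """Replace NaN gradient entries with 0.0, warn, and report how many were replaced."""
    n_nan = sum(1 for g in grad if math.isnan(g))
    if n_nan:
        warnings.warn(f"{n_nan} NaN value(s) in loss gradient replaced with 0.0", RuntimeWarning)
        grad = [0.0 if math.isnan(g) else g for g in grad]
    return grad, n_nan


def unit_direction(grad: Vector, norm: str) -> Vector:
    """Steepest-ascent direction of unit size: sign(grad) for L-inf, grad/|grad|_2 for L2."""
    if norm == "inf":
        return [math.copysign(1.0, g) if g != 0.0 else 0.0 for g in grad]
    if norm == "2":
        length = math.sqrt(sum(g * g for g in grad))
        return [g / length for g in grad] if length > 0.0 else [0.0] * len(grad)
    raise ValueError(f"unsupported norm {norm!r}")


def project(delta: Vector, eps: float, norm: str) -> Vector:
    """Project delta onto the norm ball of radius eps; eps=0.0 collapses it to zero (no budget)."""
    if norm == "inf":
        return [max(-eps, min(eps, d)) for d in delta]
    if norm == "2":
        length = math.sqrt(sum(d * d for d in delta))
        return list(delta) if length <= eps else [d * eps / length for d in delta]
    raise ValueError(f"unsupported norm {norm!r}")


def pgd_step(x: Vector, delta: Vector, grad: Vector, eps: float, eps_step: float, norm: str,
             clip_values: Optional[Tuple[float, float]] = None) -> Vector:
    """One PGD iteration on the perturbation delta of input x.

    eps_step may exceed eps (the projection undoes the excess), eps_step=inf lands directly
    on the ball surface in the ascent direction, and eps=0.0 yields an all-zero perturbation.
    """
    grad, _ = nan_safe_gradient(grad)
    direction = unit_direction(grad, norm)
    if math.isinf(eps_step):
        # An infinite step dominates any existing perturbation: go straight to the ball surface.
        moved = [eps * d for d in direction]
    else:
        moved = [d0 + eps_step * d for d0, d in zip(delta, direction)]
    moved = project(moved, eps, norm)
    if clip_values is not None:
        lo, hi = clip_values   # keep x + delta inside the valid input range
        moved = [max(lo, min(hi, xi + d)) - xi for xi, d in zip(x, moved)]
    return moved


def run_pgd(x: Vector, grad_fn: Callable[[Vector], Vector], eps: float, eps_step: float,
            norm: str, max_iter: int,
            clip_values: Optional[Tuple[float, float]] = (0.0, 1.0)) -> Vector:
    """Iterate pgd_step from a zero perturbation and return the perturbed input x + delta."""
    delta = [0.0] * len(x)
    for _ in range(max_iter):
        current = [xi + d for xi, d in zip(x, delta)]
        delta = pgd_step(x, delta, grad_fn(current), eps, eps_step, norm, clip_values)
    return [xi + d for xi, d in zip(x, delta)]


# Constructed toy model: a linear score w.x whose loss gradient with respect to x is the constant w.
TOY_WEIGHTS = [1.0, -2.0, 0.5]


def toy_gradient(_: Vector) -> Vector:
    return list(TOY_WEIGHTS)


if __name__ == "__main__":
    x0 = [0.2, 0.5, 0.8]   # constructed input in [0, 1]
    print(run_pgd(x0, toy_gradient, eps=0.1, eps_step=0.02, norm="inf", max_iter=10))
    print(run_pgd(x0, toy_gradient, eps=0.0, eps_step=0.02, norm="inf", max_iter=10))   # equals x0
```

The `eps=0.0` run is the setup check the note describes: if the perturbed output differs from the input, the pipeline (preprocessing, clipping, label handling) is altering samples independently of the attack budget and the evaluation is not measuring what it claims to.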