Merge remote-tracking branch 'upstream/dev_1.15.0' into dev_issue_2148_yolo

Merging latest dev_1.15.0

Author: kieranfraser

.github/workflows/ci-lingvo.yml

@@ -61,7 +61,6 @@ jobs:
           pip install lingvo==${{ matrix.lingvo }}
           pip install tensorflow-addons==0.9.1
           pip install model-pruning-google-research==0.0.3
-          pip install jax[cpu]==0.2.17
           pip install h5py==2.10.0
           pip install pytest~=7.0.1
           pip install pytest-flake8~=1.1.0

art/attacks/evasion/auto_conjugate_gradient.py

@@ -224,7 +224,8 @@ def __call__(self, y_true: tf.Tensor, y_pred: tf.Tensor, *args, **kwargs) -> tf.
                     nb_classes=estimator.nb_classes,
                     input_shape=estimator.input_shape,
                     loss_object=_loss_object_tf,
-                    train_step=estimator._train_step,
+                    optimizer=estimator.optimizer,
+                    train_step=estimator.train_step,
                     channels_first=estimator.channels_first,
                     clip_values=estimator.clip_values,
                     preprocessing_defences=estimator.preprocessing_defences,

art/attacks/evasion/auto_projected_gradient_descent.py

@@ -203,7 +203,8 @@ def __call__(self, y_true: tf.Tensor, y_pred: tf.Tensor, *args, **kwargs) -> tf.
                     nb_classes=estimator.nb_classes,
                     input_shape=estimator.input_shape,
                     loss_object=_loss_object_tf,
-                    train_step=estimator._train_step,
+                    optimizer=estimator.optimizer,
+                    train_step=estimator.train_step,
                     channels_first=estimator.channels_first,
                     clip_values=estimator.clip_values,
                     preprocessing_defences=estimator.preprocessing_defences,

art/attacks/evasion/brendel_bethge.py

@@ -2055,7 +2055,8 @@ def logits_difference(y_true, y_pred):
                 nb_classes=estimator.nb_classes,
                 input_shape=estimator.input_shape,
                 loss_object=self._loss_object,
-                train_step=estimator._train_step,
+                optimizer=estimator.optimizer,
+                train_step=estimator.train_step,
                 channels_first=estimator.channels_first,
                 clip_values=estimator.clip_values,
                 preprocessing_defences=estimator.preprocessing_defences,

art/attacks/evasion/projected_gradient_descent/projected_gradient_descent_pytorch.py

@@ -269,7 +269,7 @@ def _generate_batch(
         inputs = x.to(self.estimator.device)
         targets = targets.to(self.estimator.device)
         adv_x = torch.clone(inputs)
-        momentum = torch.zeros(inputs.shape)
+        momentum = torch.zeros(inputs.shape).to(self.estimator.device)
 
         if mask is not None:
             mask = mask.to(self.estimator.device)

art/attacks/evasion/sign_opt.py

@@ -306,14 +306,14 @@ def _fine_grained_binary_search_local(
         lbd = initial_lbd
         # For targeted: we want to expand(x1.01) boundary away from targeted dataset
         # For untargeted, we want to slim(x0.99) the boundary toward the original dataset
-        if (not self._is_label(x_0 + lbd * theta, target) and self.targeted) or (
-            self._is_label(x_0 + lbd * theta, y_0) and not self.targeted
+        if (self.targeted and not self._is_label(x_0 + lbd * theta, target)) or (
+            not self.targeted and self._is_label(x_0 + lbd * theta, y_0)
         ):
             lbd_lo = lbd
             lbd_hi = lbd * 1.01
             nquery += 1
-            while (not self._is_label(x_0 + lbd_hi * theta, target) and self.targeted) or (
-                self._is_label(x_0 + lbd_hi * theta, y_0) and not self.targeted
+            while (self.targeted and not self._is_label(x_0 + lbd_hi * theta, target)) or (
+                not self.targeted and self._is_label(x_0 + lbd_hi * theta, y_0)
             ):
                 lbd_hi = lbd_hi * 1.01
                 nquery += 1
@@ -323,17 +323,17 @@ def _fine_grained_binary_search_local(
             lbd_hi = lbd
             lbd_lo = lbd * 0.99
             nquery += 1
-            while (self._is_label(x_0 + lbd_lo * theta, target) and self.targeted) or (
-                not self._is_label(x_0 + lbd_lo * theta, y_0) and not self.targeted
+            while (self.targeted and self._is_label(x_0 + lbd_lo * theta, target)) or (
+                not self.targeted and not self._is_label(x_0 + lbd_lo * theta, y_0)
             ):
                 lbd_lo = lbd_lo * 0.99
                 nquery += 1
 
         while (lbd_hi - lbd_lo) > tol:
             lbd_mid = (lbd_lo + lbd_hi) / 2.0
             nquery += 1
-            if (self._is_label(x_0 + lbd_mid * theta, target) and self.targeted) or (
-                not self._is_label(x_0 + lbd_mid * theta, y_0) and not self.targeted
+            if (self.targeted and self._is_label(x_0 + lbd_mid * theta, target)) or (
+                not self.targeted and not self._is_label(x_0 + lbd_mid * theta, y_0)
             ):
                 lbd_hi = lbd_mid
             else:

art/attacks/poisoning/perturbations/image_perturbations.py

@@ -127,7 +127,7 @@ def insert_image(
     original_dtype = x.dtype
     data = np.copy(x)
     if channels_first:
-        data = data.transpose([1, 2, 0])
+        data = np.transpose(data, (1, 2, 0))
 
     height, width, num_channels = data.shape
 
@@ -136,37 +136,36 @@ def insert_image(
     backdoored_img = Image.new("RGBA", (width, height), 0)  # height and width are swapped for PIL
 
     if no_color:
-        backdoored_input = Image.fromarray((data * 255).astype("uint8").squeeze(axis=2), mode=mode)
+        backdoored_input = Image.fromarray((data * 255).astype(np.uint8).squeeze(axis=2), mode=mode)
     else:
-        backdoored_input = Image.fromarray((data * 255).astype("uint8"), mode=mode)
+        backdoored_input = Image.fromarray((data * 255).astype(np.uint8), mode=mode)
 
     orig_img.paste(backdoored_input)
 
     trigger = Image.open(backdoor_path).convert("RGBA")
-    if size:
-        trigger = trigger.resize(size)
+    if size is not None:
+        trigger = trigger.resize((size[1], size[0]))  # height and width are swapped for PIL
 
     backdoor_width, backdoor_height = trigger.size  # height and width are swapped for PIL
 
     if backdoor_width > width or backdoor_height > height:
         raise ValueError("Backdoor does not fit inside original image")
 
     if random:
-        x_shift = np.random.randint(width - backdoor_width)
-        y_shift = np.random.randint(height - backdoor_height)
+        x_shift = np.random.randint(width - backdoor_width + 1)
+        y_shift = np.random.randint(height - backdoor_height + 1)
 
     backdoored_img.paste(trigger, (x_shift, y_shift), mask=trigger)
     composite = Image.alpha_composite(orig_img, backdoored_img)
     backdoored_img = Image.blend(orig_img, composite, blend)
-
     backdoored_img = backdoored_img.convert(mode)
 
-    res = np.array(backdoored_img) / 255.0
+    res = np.asarray(backdoored_img) / 255.0
 
     if no_color:
         res = np.expand_dims(res, 2)
 
     if channels_first:
-        res = res.transpose([2, 0, 1])
+        res = np.transpose(res, (2, 0, 1))
 
     return res.astype(original_dtype)

art/defences/preprocessor/preprocessor.py

@@ -80,7 +80,7 @@ def apply_predict(self) -> bool:
         return self._apply_predict
 
     @abc.abstractmethod
-    def __call__(self, x: np.ndarray, y: Optional[np.ndarray] = None) -> Tuple[np.ndarray, Optional[np.ndarray]]:
+    def __call__(self, x: np.ndarray, y: Optional[Any] = None) -> Tuple[np.ndarray, Optional[Any]]:
         """
         Perform data preprocessing and return preprocessed data as tuple.
 
@@ -250,7 +250,7 @@ class PreprocessorTensorFlowV2(Preprocessor):
     """
 
     @abc.abstractmethod
-    def forward(self, x: "tf.Tensor", y: Optional["tf.Tensor"] = None) -> Tuple["tf.Tensor", Optional["tf.Tensor"]]:
+    def forward(self, x: "tf.Tensor", y: Optional[Any] = None) -> Tuple["tf.Tensor", Optional[Any]]:
         """
         Perform data preprocessing in TensorFlow v2 and return preprocessed data as tuple.
 

art/defences/trainer/__init__.py

@@ -8,4 +8,6 @@
 from art.defences.trainer.adversarial_trainer_madry_pgd import AdversarialTrainerMadryPGD
 from art.defences.trainer.adversarial_trainer_fbf import AdversarialTrainerFBF
 from art.defences.trainer.adversarial_trainer_fbf_pytorch import AdversarialTrainerFBFPyTorch
+from art.defences.trainer.adversarial_trainer_trades import AdversarialTrainerTRADES
+from art.defences.trainer.adversarial_trainer_trades_pytorch import AdversarialTrainerTRADESPyTorch
 from art.defences.trainer.dp_instahide_trainer import DPInstaHideTrainer

art/defences/trainer/adversarial_trainer_trades.py

@@ -0,0 +1,111 @@
+# MIT License
+#
+# Copyright (C) The Adversarial Robustness Toolbox (ART) Authors 2023
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
+# documentation files (the "Software"), to deal in the Software without restriction, including without limitation the
+# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit
+# persons to whom the Software is furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all copies or substantial portions of the
+# Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
+# WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+# TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+"""
+This module implements adversarial training with TRADES protocol.
+
+| Paper link: https://proceedings.mlr.press/v97/zhang19p.html
+
+| It was noted that this protocol uses a modified loss called TRADES loss which is a combination of cross entropy
+loss on clean data and KL divergence loss between clean data and adversarial data. Consequently, framework specific
+implementations are being provided in ART.
+"""
+from __future__ import absolute_import, division, print_function, unicode_literals
+
+import abc
+from typing import Optional, Tuple, TYPE_CHECKING
+
+import numpy as np
+
+from art.defences.trainer.trainer import Trainer
+from art.attacks.attack import EvasionAttack
+from art.data_generators import DataGenerator
+
+if TYPE_CHECKING:
+    from art.utils import CLASSIFIER_LOSS_GRADIENTS_TYPE
+
+
+class AdversarialTrainerTRADES(Trainer, abc.ABC):
+    """
+    This is abstract class for different backend-specific implementations of TRADES protocol
+    for adversarial training.
+
+    | Paper link: https://proceedings.mlr.press/v97/zhang19p.html
+    """
+
+    def __init__(
+        self,
+        classifier: "CLASSIFIER_LOSS_GRADIENTS_TYPE",
+        attack: EvasionAttack,
+        beta: float = 6.0,
+    ):
+        """
+        Create an :class:`.AdversarialTrainerTRADES` instance.
+
+        :param classifier: Model to train adversarially.
+        :param attack: attack to use for data augmentation in adversarial training
+        :param beta: The scaling factor controlling tradeoff between clean loss and adversarial loss
+        """
+        self._attack = attack
+        self._beta = beta
+        super().__init__(classifier)
+
+    @abc.abstractmethod
+    def fit(  # pylint: disable=W0221
+        self,
+        x: np.ndarray,
+        y: np.ndarray,
+        validation_data: Optional[Tuple[np.ndarray, np.ndarray]] = None,
+        batch_size: int = 128,
+        nb_epochs: int = 20,
+        **kwargs
+    ):
+        """
+        Train a model adversarially with TRADES. See class documentation for more information on the exact procedure.
+
+        :param x: Training set.
+        :param y: Labels for the training set.
+        :param validation_data: Tuple consisting of validation data, (x_val, y_val)
+        :param batch_size: Size of batches.
+        :param nb_epochs: Number of epochs to use for trainings.
+        :param kwargs: Dictionary of framework-specific arguments. These will be passed as such to the `fit` function of
+               the target classifier.
+        """
+        raise NotImplementedError
+
+    @abc.abstractmethod
+    def fit_generator(self, generator: DataGenerator, nb_epochs: int = 20, **kwargs):
+        """
+        Train a model adversarially using a data generator.
+        See class documentation for more information on the exact procedure.
+
+        :param generator: Data generator.
+        :param nb_epochs: Number of epochs to use for trainings.
+        :param kwargs: Dictionary of framework-specific arguments. These will be passed as such to the `fit` function of
+               the target classifier.
+        """
+        raise NotImplementedError
+
+    def predict(self, x: np.ndarray, **kwargs) -> np.ndarray:
+        """
+        Perform prediction using the adversarially trained classifier.
+
+        :param x: Input samples.
+        :param kwargs: Other parameters to be passed on to the `predict` function of the classifier.
+        :return: Predictions for test set.
+        """
+        return self._classifier.predict(x, **kwargs)