Merge remote-tracking branch 'origin/main' into dev_1.11.1

Beat Buesser · Beat Buesser · commit 1ecd3b5f3c76 · 2022-08-02T22:52:56.000+01:00
diff --git a/.github/workflows/ci-legacy.yml b/.github/workflows/ci-legacy.yml
@@ -26,14 +26,14 @@ jobs:
       matrix:
         module: [attacks_1, attacks_2, estimators, defences, metrics, art]
         include:
-          - name: legacy (TensorFlow 2.6.0 Keras 2.6.0 PyTorch 1.10.2 scikit-learn 1.0.2 Python 3.9)
+          - name: legacy (TensorFlow 2.6.0 Keras 2.6.0 PyTorch 1.12.0 scikit-learn 1.0.2 Python 3.9)
             framework: legacy
             python: 3.9
             tensorflow: 2.6.0
             keras: 2.6.0
-            torch: 1.10.2+cpu
-            torchvision: 0.11.3+cpu
-            torchaudio: 0.10.2+cpu
+            torch: 1.12.0+cpu
+            torchvision: 0.13.0+cpu
+            torchaudio: 0.12.0+cpu
             scikit-learn: 1.0.2
 
     name: Run ${{ matrix.module }} ${{ matrix.name }} Tests
diff --git a/.github/workflows/ci-pytorch-object-detectors.yml b/.github/workflows/ci-pytorch-object-detectors.yml
@@ -40,9 +40,9 @@ jobs:
           pip list
       - name: Pre-install torch
         run: |
-          pip install torch==1.10.2+cpu -f https://download.pytorch.org/whl/cpu/torch_stable.html
-          pip install torchvision==0.11.3+cpu -f https://download.pytorch.org/whl/cpu/torch_stable.html
-          pip install torchaudio==0.10.2+cpu -f https://download.pytorch.org/whl/cpu/torch_stable.html
+          pip install torch==1.12.0+cpu -f https://download.pytorch.org/whl/cpu/torch_stable.html
+          pip install torchvision==0.13.0+cpu -f https://download.pytorch.org/whl/cpu/torch_stable.html
+          pip install torchaudio==0.12.0+cpu -f https://download.pytorch.org/whl/cpu/torch_stable.html
       - name: Run Test Action - test_pytorch_object_detector
         run: pytest --cov-report=xml --cov=art --cov-append -q -vv tests/estimators/object_detection/test_pytorch_object_detector.py --framework=pytorch --durations=0
       - name: Run Test Action - test_pytorch_faster_rcnn
diff --git a/.github/workflows/ci-pytorch.yml b/.github/workflows/ci-pytorch.yml
@@ -25,12 +25,6 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          - name: PyTorch 1.9.1 (Python 3.8)
-            framework: pytorch
-            python: 3.8
-            torch: 1.9.1+cpu
-            torchvision: 0.10.1+cpu
-            torchaudio: 0.9.1
           - name: PyTorch 1.10.2 (Python 3.8)
             framework: pytorch
             python: 3.8
@@ -43,6 +37,12 @@ jobs:
             torch: 1.11.0+cpu
             torchvision: 0.12.0+cpu
             torchaudio: 0.11.0
+          - name: PyTorch 1.12.0 (Python 3.8)
+            framework: pytorch
+            python: 3.8
+            torch: 1.12.0+cpu
+            torchvision: 0.13.0+cpu
+            torchaudio: 0.12.0
 
     name: ${{ matrix.name }}
     steps:
diff --git a/art/attacks/evasion/sign_opt.py b/art/attacks/evasion/sign_opt.py
@@ -110,9 +110,9 @@ def __init__(
         :param epsilon: A very small smoothing parameter.
         :param num_trial: A number of trials to calculate a good starting point
         :param max_iter: Maximum number of iterations.
-        Default value is for untargeted attack, increase to recommended 5000 for targeted attacks.
+            Default value is for untargeted attack, increase to recommended 5000 for targeted attacks.
         :param query_limit: Limitation for number of queries to prediction model.
-        Default value is for untargeted attack, increase to recommended 40000 for targeted attacks.
+            Default value is for untargeted attack, increase to recommended 40000 for targeted attacks.
         :param k: Number of random directions (for estimating the gradient)
         :param alpha: The step length for line search
         :param beta: The tolerance for line search
diff --git a/art/attacks/inference/membership_inference/shadow_models.py b/art/attacks/inference/membership_inference/shadow_models.py
@@ -71,7 +71,7 @@ def generate_shadow_dataset(
         the dataset into training and testing samples, and then training the shadow models on the result.
 
         :param x: The samples used to train the shadow models.
-        :param y: True labels for the dataset samples.
+        :param y: True labels for the dataset samples (as expected by the estimator's fit method).
         :param member_ratio: Percentage of the data that should be used to train the shadow models. Must be between 0
                              and 1.
 
diff --git a/art/estimators/certification/deep_z/pytorch.py b/art/estimators/certification/deep_z/pytorch.py
@@ -38,10 +38,8 @@
 
 class PytorchDeepZ(PyTorchClassifier, ZonoBounds):
     """
-    Implementation of DeepZ to certify neural network robustness.
-
-    We use the zonotope representation of a datapoint as it travels through the network to then verify if it can
-    have its class changed given a certain perturbation.
+    Implementation of DeepZ to certify neural network robustness. We use the zonotope representation of a datapoint as
+    it travels through the network to then verify if it can have its class changed given a certain perturbation.
 
     | Paper link: https://papers.nips.cc/paper/2018/file/f2f446980d8e971ef3da97af089481c3-Paper.pdf
     """
@@ -166,6 +164,7 @@ def forward_hook(input_module, hook_input, hook_output):
     def forward(self, cent: np.ndarray, eps: np.ndarray) -> Tuple["torch.Tensor", "torch.Tensor"]:
         """
         Do the forward pass through the NN with the given error terms and zonotope center.
+
         :param eps: Error terms of the zonotope.
         :param cent: The datapoint, representing the zonotope center.
         :return: A tuple, the first element being the zonotope center vector.
diff --git a/art/estimators/certification/derandomized_smoothing/tensorflow.py b/art/estimators/certification/derandomized_smoothing/tensorflow.py
@@ -26,7 +26,6 @@
 from typing import Callable, List, Optional, Tuple, Union, TYPE_CHECKING
 
 import numpy as np
-import tensorflow as tf
 from tqdm import tqdm
 
 from art.estimators.classification.tensorflow import TensorFlowV2Classifier
@@ -35,6 +34,7 @@
 
 if TYPE_CHECKING:
     # pylint: disable=C0412
+    import tensorflow as tf
 
     from art.utils import CLIP_VALUES_TYPE, PREPROCESSING_TYPE
     from art.defences.preprocessor import Preprocessor
@@ -119,6 +119,8 @@ def __init__(
         )
 
     def _predict_classifier(self, x: np.ndarray, batch_size: int, training_mode: bool, **kwargs) -> np.ndarray:
+        import tensorflow as tf  # lgtm [py/repeated-import]
+
         outputs = TensorFlowV2Classifier.predict(
             self, x=x, batch_size=batch_size, training_mode=training_mode, **kwargs
         )
diff --git a/docs/modules/estimators/gan.rst b/docs/modules/estimators/gan.rst
@@ -2,9 +2,9 @@
 =========================
 .. automodule:: art.estimators.gan
 
-TensorFlow2 GAN
----------------
-.. autoclass:: TensorFlow2GAN
+TensorFlowV2 GAN
+----------------
+.. autoclass:: TensorFlowV2GAN
    :members:
    :special-members: __init__
    :inherited-members:
diff --git a/notebooks/README.md b/notebooks/README.md
@@ -240,7 +240,7 @@ demonstrates working Poison Frog (Feature Collision) poisoning attack implemente
 [poisoning_attack_feature_collision-pytorch.ipynb](poisoning_attack_feature_collision-pytorch.ipynb) [[on nbviewer](https://nbviewer.jupyter.org/github/Trusted-AI/adversarial-robustness-toolbox/blob/main/notebooks/poisoning_attack_feature_collision-pytorch.ipynb)]
 demonstrates working Poison Frog (Feature Collision) poisoning attack implemented in PyTorch Framework on CIFAR10 dataset as per the ([paper](https://arxiv.org/pdf/1804.00792.pdf)). This is a targeted clean label attack, which do not require the attacker to have any control over the labeling of training data and control the behavior of the classifier on a specific test instance without degrading overall classifier performance.
 
-[poisoning_attack_sleeper_agent_pytorch.ipynb](poisoning_attack_sleeper_agent_pytorch.ipynb) [[on nbviewer](https://nbviewer.jupyter.org/github/Trusted-AI/adversarial-robustness-toolbox/blob/main/notebooks/poisoning_attack_sleeper_agent+pytorch.ipynb)]
+[poisoning_attack_sleeper_agent_pytorch.ipynb](poisoning_attack_sleeper_agent_pytorch.ipynb) [[on nbviewer](https://nbviewer.jupyter.org/github/Trusted-AI/adversarial-robustness-toolbox/blob/main/notebooks/poisoning_attack_sleeper_agent_pytorch.ipynb)]
 demonstrates working Sleeper Agent poisoning attack implemented in PyTorch Framework on CIFAR10 dataset as per the ([paper](https://arxiv.org/pdf/2106.08970.pdf)). A new hidden trigger attack, Sleeper Agent,
 which employs gradient matching, data selection, and target model re-training during the crafting process. Sleeper
 Agent is the first hidden trigger backdoor attack to be effective against neural networks trained from scratch.
diff --git a/notebooks/attack_attribute_inference.ipynb b/notebooks/attack_attribute_inference.ipynb
@@ -45,7 +45,7 @@
     "\n",
     "from art.utils import load_nursery\n",
     "\n",
-    "(x_train, y_train), (x_test, y_test), _, _ = load_nursery(test_set=0.2, transform_social=True)"
+    "(x_train, y_train), (x_test, y_test), _, _ = load_nursery(test_set=0.5, transform_social=True)"
    ]
   },
   {
@@ -64,7 +64,7 @@
      "name": "stdout",
      "output_type": "stream",
      "text": [
-      "Base model accuracy:  0.9791666666666666\n"
+      "Base model accuracy:  0.9705155912318617\n"
      ]
     }
    ],
@@ -100,6 +100,7 @@
     "\n",
     "attack_train_ratio = 0.5\n",
     "attack_train_size = int(len(x_train) * attack_train_ratio)\n",
+    "attack_test_size = int(len(x_train) * attack_train_ratio)\n",
     "attack_x_train = x_train[:attack_train_size]\n",
     "attack_y_train = y_train[:attack_train_size]\n",
     "attack_x_test = x_train[attack_train_size:]\n",
@@ -136,7 +137,7 @@
      "name": "stdout",
      "output_type": "stream",
      "text": [
-      "0.5937861829409494\n"
+      "0.5998765050941649\n"
      ]
     }
    ],
@@ -174,7 +175,7 @@
      "name": "stdout",
      "output_type": "stream",
      "text": [
-      "0.6227325357005017\n"
+      "0.6288978079654214\n"
      ]
     }
    ],
@@ -209,7 +210,7 @@
      "name": "stdout",
      "output_type": "stream",
      "text": [
-      "0.7001157854110382\n"
+      "0.7005248533497993\n"
      ]
     }
    ],
@@ -244,9 +245,9 @@
      "name": "stdout",
      "output_type": "stream",
      "text": [
-      "(0.3501577287066246, 0.2573913043478261)\n",
-      "(0.34417344173441733, 0.1472463768115942)\n",
-      "(0.6309341500765697, 0.23884057971014494)\n"
+      "(0.34232954545454547, 0.22439478584729983)\n",
+      "(0.32320441988950277, 0.10893854748603352)\n",
+      "(0.652046783625731, 0.20763500931098697)\n"
      ]
     }
    ],
@@ -299,7 +300,7 @@
      "name": "stdout",
      "output_type": "stream",
      "text": [
-      "0.5372443072172907\n"
+      "0.5433775856745909\n"
      ]
     }
    ],
@@ -344,7 +345,7 @@
     "\n",
     "mem_attack = MembershipInferenceBlackBox(art_classifier)\n",
     "\n",
-    "mem_attack.fit(x_train[:attack_train_size], y_train[:attack_train_size], x_test, y_test)"
+    "mem_attack.fit(x_train[:attack_train_size], y_train[:attack_train_size], x_test[:attack_test_size], y_test[:attack_test_size])"
    ]
   },
   {
@@ -356,14 +357,14 @@
   },
   {
    "cell_type": "code",
-   "execution_count": 10,
+   "execution_count": 11,
    "metadata": {},
    "outputs": [
     {
      "name": "stdout",
      "output_type": "stream",
      "text": [
-      "0.6358548822848321\n"
+      "0.6335288669342389\n"
      ]
     }
    ],
diff --git a/requirements_test.txt b/requirements_test.txt
@@ -5,16 +5,16 @@ scipy==1.8.1
 matplotlib==3.5.2
 scikit-learn>=0.22.2,<1.2.0
 six==1.16.0
-Pillow==9.1.1
+Pillow==9.2.0
 tqdm==4.64.0
 statsmodels==0.13.2
 pydub==0.25.1
-resampy==0.3.0
+resampy==0.3.1
 ffmpeg-python==0.2.0
 cma==3.2.2
 pandas==1.4.3
 librosa==0.9.2
-numba~=0.55.1
+numba~=0.56.0
 opencv-python
 sortedcontainers==2.4.0
 h5py==3.7.0
@@ -30,19 +30,19 @@ mxnet-native==1.8.0.post0
 
 # PyTorch
 --find-links https://download.pytorch.org/whl/cpu/torch_stable.html
-torch==1.11.0
-torchaudio==0.11.0+cpu
-torchvision==0.12.0+cpu
+torch==1.12.0
+torchaudio==0.12.0+cpu
+torchvision==0.13.0+cpu
 
 catboost==1.0.6
 GPy==1.10.0
 lightgbm==3.3.2
 xgboost==1.6.1
 
-kornia~=0.6.5
+kornia~=0.6.6
 tensorboardX==2.5.1
 lief==0.12.1
-jax[cpu]==0.3.14
+jax[cpu]==0.3.15
 
 # Lingvo ASR dependencies
 # supported versions: (lingvo==0.6.4 with tensorflow-gpu==2.1.0)
@@ -53,10 +53,10 @@ jax[cpu]==0.3.14
 # other
 pytest~=7.1.2
 pytest-flake8~=1.1.1
-pytest-mock~=3.8.1
+pytest-mock~=3.8.2
 pytest-cov~=3.0.0
 codecov~=2.1.12
-requests~=2.28.0
+requests~=2.28.1
 
 # ART
 -e .

Original file line number	Diff line number	Diff line change
`@@ -45,7 +45,7 @@`
`45`	`45`	`"\n",`
`46`	`46`	`"from art.utils import load_nursery\n",`
`47`	`47`	`"\n",`
`48`		`- "(x_train, y_train), (x_test, y_test), _, _ = load_nursery(test_set=0.2, transform_social=True)"`
	`48`	`+ "(x_train, y_train), (x_test, y_test), _, _ = load_nursery(test_set=0.5, transform_social=True)"`
`49`	`49`	`]`
`50`	`50`	`},`
`51`	`51`	`{`
`@@ -64,7 +64,7 @@`
`64`	`64`	`"name": "stdout",`
`65`	`65`	`"output_type": "stream",`
`66`	`66`	`"text": [`
`67`		`- "Base model accuracy: 0.9791666666666666\n"`
	`67`	`+ "Base model accuracy: 0.9705155912318617\n"`
`68`	`68`	`]`
`69`	`69`	`}`
`70`	`70`	`],`
`@@ -100,6 +100,7 @@`
`100`	`100`	`"\n",`
`101`	`101`	`"attack_train_ratio = 0.5\n",`
`102`	`102`	`"attack_train_size = int(len(x_train) * attack_train_ratio)\n",`
	`103`	`+ "attack_test_size = int(len(x_train) * attack_train_ratio)\n",`
`103`	`104`	`"attack_x_train = x_train[:attack_train_size]\n",`
`104`	`105`	`"attack_y_train = y_train[:attack_train_size]\n",`
`105`	`106`	`"attack_x_test = x_train[attack_train_size:]\n",`
`@@ -136,7 +137,7 @@`
`136`	`137`	`"name": "stdout",`
`137`	`138`	`"output_type": "stream",`
`138`	`139`	`"text": [`
`139`		`- "0.5937861829409494\n"`
	`140`	`+ "0.5998765050941649\n"`
`140`	`141`	`]`
`141`	`142`	`}`
`142`	`143`	`],`
`@@ -174,7 +175,7 @@`
`174`	`175`	`"name": "stdout",`
`175`	`176`	`"output_type": "stream",`
`176`	`177`	`"text": [`
`177`		`- "0.6227325357005017\n"`
	`178`	`+ "0.6288978079654214\n"`
`178`	`179`	`]`
`179`	`180`	`}`
`180`	`181`	`],`
`@@ -209,7 +210,7 @@`
`209`	`210`	`"name": "stdout",`
`210`	`211`	`"output_type": "stream",`
`211`	`212`	`"text": [`
`212`		`- "0.7001157854110382\n"`
	`213`	`+ "0.7005248533497993\n"`
`213`	`214`	`]`
`214`	`215`	`}`
`215`	`216`	`],`
`@@ -244,9 +245,9 @@`
`244`	`245`	`"name": "stdout",`
`245`	`246`	`"output_type": "stream",`
`246`	`247`	`"text": [`
`247`		`- "(0.3501577287066246, 0.2573913043478261)\n",`
`248`		`- "(0.34417344173441733, 0.1472463768115942)\n",`
`249`		`- "(0.6309341500765697, 0.23884057971014494)\n"`
	`248`	`+ "(0.34232954545454547, 0.22439478584729983)\n",`
	`249`	`+ "(0.32320441988950277, 0.10893854748603352)\n",`
	`250`	`+ "(0.652046783625731, 0.20763500931098697)\n"`
`250`	`251`	`]`
`251`	`252`	`}`
`252`	`253`	`],`
`@@ -299,7 +300,7 @@`
`299`	`300`	`"name": "stdout",`
`300`	`301`	`"output_type": "stream",`
`301`	`302`	`"text": [`
`302`		`- "0.5372443072172907\n"`
	`303`	`+ "0.5433775856745909\n"`
`303`	`304`	`]`
`304`	`305`	`}`
`305`	`306`	`],`
`@@ -344,7 +345,7 @@`
`344`	`345`	`"\n",`
`345`	`346`	`"mem_attack = MembershipInferenceBlackBox(art_classifier)\n",`
`346`	`347`	`"\n",`
`347`		`- "mem_attack.fit(x_train[:attack_train_size], y_train[:attack_train_size], x_test, y_test)"`
	`348`	`+ "mem_attack.fit(x_train[:attack_train_size], y_train[:attack_train_size], x_test[:attack_test_size], y_test[:attack_test_size])"`
`348`	`349`	`]`
`349`	`350`	`},`
`350`	`351`	`{`
`@@ -356,14 +357,14 @@`
`356`	`357`	`},`
`357`	`358`	`{`
`358`	`359`	`"cell_type": "code",`
`359`		`- "execution_count": 10,`
	`360`	`+ "execution_count": 11,`
`360`	`361`	`"metadata": {},`
`361`	`362`	`"outputs": [`
`362`	`363`	`{`
`363`	`364`	`"name": "stdout",`
`364`	`365`	`"output_type": "stream",`
`365`	`366`	`"text": [`
`366`		`- "0.6358548822848321\n"`
	`367`	`+ "0.6335288669342389\n"`
`367`	`368`	`]`
`368`	`369`	`}`
`369`	`370`	`],`