Trusted-AI
diff --git a/‎AUTHORS‎
Lines changed: 1 addition & 0 deletions b/‎AUTHORS‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎art/attacks/evasion/__init__.py‎
Lines changed: 2 additions & 0 deletions b/‎art/attacks/evasion/__init__.py‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎art/attacks/evasion/fast_gradient.py‎
Lines changed: 23 additions & 8 deletions b/‎art/attacks/evasion/fast_gradient.py‎
Lines changed: 23 additions & 8 deletions
diff --git a/‎art/attacks/evasion/momentum_iterative_method.py‎
Lines changed: 82 additions & 0 deletions b/‎art/attacks/evasion/momentum_iterative_method.py‎
Lines changed: 82 additions & 0 deletions
diff --git a/‎art/attacks/evasion/projected_gradient_descent/projected_gradient_descent.py‎
Lines changed: 6 additions & 0 deletions b/‎art/attacks/evasion/projected_gradient_descent/projected_gradient_descent.py‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎art/attacks/evasion/projected_gradient_descent/projected_gradient_descent_numpy.py‎
Lines changed: 16 additions & 0 deletions b/‎art/attacks/evasion/projected_gradient_descent/projected_gradient_descent_numpy.py‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎art/attacks/evasion/projected_gradient_descent/projected_gradient_descent_pytorch.py‎
Lines changed: 15 additions & 9 deletions b/‎art/attacks/evasion/projected_gradient_descent/projected_gradient_descent_pytorch.py‎
Lines changed: 15 additions & 9 deletions
@@ -16,3 +16,4 @@
 - IMT Atlantique
 - Johns Hopkins University
 - Troj.AI
+- VMware Inc.
@@ -30,6 +30,7 @@
 from art.attacks.evasion.iterative_method import BasicIterativeMethod
 from art.attacks.evasion.laser_attack.laser_attack import LaserAttack
 from art.attacks.evasion.lowprofool import LowProFool
+from art.attacks.evasion.momentum_iterative_method import MomentumIterativeMethod
 from art.attacks.evasion.newtonfool import NewtonFool
 from art.attacks.evasion.pe_malware_attack import MalwareGDTensorFlow
 from art.attacks.evasion.pixel_threshold import PixelAttack
@@ -56,3 +57,4 @@
 from art.attacks.evasion.virtual_adversarial import VirtualAdversarialMethod
 from art.attacks.evasion.wasserstein import Wasserstein
 from art.attacks.evasion.zoo import ZooAttack
+from art.attacks.evasion.sign_opt import SignOPTAttack
@@ -380,7 +380,14 @@ def _check_params(self) -> None:
         if not isinstance(self.minimal, bool):
             raise ValueError("The flag `minimal` has to be of type bool.")
 
-    def _compute_perturbation(self, x: np.ndarray, y: np.ndarray, mask: Optional[np.ndarray]) -> np.ndarray:
+    def _compute_perturbation(
+        self,
+        x: np.ndarray,
+        y: np.ndarray,
+        mask: Optional[np.ndarray],
+        decay: Optional[float] = None,
+        momentum: Optional[np.ndarray] = None,
+    ) -> np.ndarray:
         # Pick a small scalar to avoid division by 0
         tol = 10e-8
 
@@ -415,34 +422,40 @@ def _compute_perturbation(self, x: np.ndarray, y: np.ndarray, mask: Optional[np.
             grad = np.where(mask == 0.0, 0.0, grad)
 
         # Apply norm bound
-        def _apply_norm(grad, object_type=False):
+        def _apply_norm(norm, grad, object_type=False):
             if (grad.dtype != object and np.isinf(grad).any()) or np.isnan(  # pragma: no cover
                 grad.astype(np.float32)
             ).any():
                 logger.info("The loss gradient array contains at least one positive or negative infinity.")
 
-            if self.norm in [np.inf, "inf"]:
+            if norm in [np.inf, "inf"]:
                 grad = np.sign(grad)
-            elif self.norm == 1:
+            elif norm == 1:
                 if not object_type:
                     ind = tuple(range(1, len(x.shape)))
                 else:
                     ind = None
                 grad = grad / (np.sum(np.abs(grad), axis=ind, keepdims=True) + tol)
-            elif self.norm == 2:
+            elif norm == 2:
                 if not object_type:
                     ind = tuple(range(1, len(x.shape)))
                 else:
                     ind = None
                 grad = grad / (np.sqrt(np.sum(np.square(grad), axis=ind, keepdims=True)) + tol)
             return grad
 
+        # Add momentum
+        if decay is not None and momentum is not None:
+            grad = _apply_norm(norm=1, grad=grad)
+            grad = decay * momentum + grad
+            momentum += grad
+
         if x.dtype == object:
             for i_sample in range(x.shape[0]):
-                grad[i_sample] = _apply_norm(grad[i_sample], object_type=True)
+                grad[i_sample] = _apply_norm(self.norm, grad[i_sample], object_type=True)
                 assert x[i_sample].shape == grad[i_sample].shape
         else:
-            grad = _apply_norm(grad)
+            grad = _apply_norm(self.norm, grad)
 
         assert x.shape == grad.shape
 
@@ -485,6 +498,8 @@ def _compute(
         project: bool,
         random_init: bool,
         batch_id_ext: Optional[int] = None,
+        decay: Optional[float] = None,
+        momentum: Optional[np.ndarray] = None,
     ) -> np.ndarray:
         if random_init:
             n = x.shape[0]
@@ -522,7 +537,7 @@ def _compute(
                     mask_batch = mask[batch_index_1:batch_index_2]
 
             # Get perturbation
-            perturbation = self._compute_perturbation(batch, batch_labels, mask_batch)
+            perturbation = self._compute_perturbation(batch, batch_labels, mask_batch, decay, momentum)
 
             # Compute batch_eps and batch_eps_step
             if isinstance(eps, np.ndarray) and isinstance(eps_step, np.ndarray):
 
@@ -0,0 +1,82 @@
+# MIT License
+#
+# Copyright (C) The Adversarial Robustness Toolbox (ART) Authors 2022
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
+# documentation files (the "Software"), to deal in the Software without restriction, including without limitation the
+# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit
+# persons to whom the Software is furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all copies or substantial portions of the
+# Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
+# WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+# TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+"""
+This module implements the Momentum Iterative Fast Gradient Method attack `MomentumIterativeMethod` as the iterative
+version of FGM and FGSM with integrated momentum. This is a white-box attack.
+
+| Paper link: https://arxiv.org/abs/1710.06081
+"""
+import logging
+from typing import Union, TYPE_CHECKING
+
+import numpy as np
+
+from art.attacks.evasion.projected_gradient_descent.projected_gradient_descent import ProjectedGradientDescent
+
+if TYPE_CHECKING:
+    from art.utils import CLASSIFIER_LOSS_GRADIENTS_TYPE
+
+logger = logging.getLogger(__name__)
+
+
+class MomentumIterativeMethod(ProjectedGradientDescent):
+    """
+    Momentum Iterative Fast Gradient Method attack integrates momentum into the iterative
+    version of FGM and FGSM.
+
+    | Paper link: https://arxiv.org/abs/1710.06081
+    """
+
+    attack_params = ProjectedGradientDescent.attack_params
+
+    def __init__(
+        self,
+        estimator: "CLASSIFIER_LOSS_GRADIENTS_TYPE",
+        norm: Union[int, float, str] = np.inf,
+        eps: Union[int, float, np.ndarray] = 0.3,
+        eps_step: Union[int, float, np.ndarray] = 0.1,
+        decay: float = 1.0,
+        max_iter: int = 100,
+        targeted: bool = False,
+        batch_size: int = 32,
+        verbose: bool = True,
+    ) -> None:
+        """
+        Create a :class:`.MomentumIterativeMethod` instance.
+
+        :param estimator: A trained classifier.
+        :param eps: Maximum perturbation that the attacker can introduce.
+        :param eps_step: Attack step size (input variation) at each iteration.
+        :param decay: Decay factor for accumulating the velocity vector.
+        :param max_iter: The maximum number of iterations.
+        :param targeted: Indicates whether the attack is targeted (True) or untargeted (False).
+        :param batch_size: Size of the batch on which adversarial samples are generated.
+        :param verbose: Show progress bars.
+        """
+        super().__init__(
+            estimator=estimator,
+            norm=norm,
+            eps=eps,
+            eps_step=eps_step,
+            decay=decay,
+            max_iter=max_iter,
+            targeted=targeted,
+            num_random_init=0,
+            batch_size=batch_size,
+            verbose=verbose,
+        )
@@ -64,6 +64,7 @@ class ProjectedGradientDescent(EvasionAttack):
         "norm",
         "eps",
         "eps_step",
+        "decay",
         "targeted",
         "num_random_init",
         "batch_size",
@@ -81,6 +82,7 @@ def __init__(
         norm: Union[int, float, str] = np.inf,
         eps: Union[int, float, np.ndarray] = 0.3,
         eps_step: Union[int, float, np.ndarray] = 0.1,
+        decay: Optional[float] = None,
         max_iter: int = 100,
         targeted: bool = False,
         num_random_init: int = 0,
@@ -100,6 +102,7 @@ def __init__(
                            suggests this for FGSM based training to generalize across different epsilons. eps_step
                            is modified to preserve the ratio of eps / eps_step. The effectiveness of this
                            method with PGD is untested (https://arxiv.org/pdf/1611.01236.pdf).
+        :param decay: Decay factor for accumulating the velocity vector when using momentum.
         :param max_iter: The maximum number of iterations.
         :param targeted: Indicates whether the attack is targeted (True) or untargeted (False).
         :param num_random_init: Number of random initialisations within the epsilon ball. For num_random_init=0 starting
@@ -136,6 +139,7 @@ def __init__(
                 norm=norm,
                 eps=eps,
                 eps_step=eps_step,
+                decay=decay,
                 max_iter=max_iter,
                 targeted=targeted,
                 num_random_init=num_random_init,
@@ -151,6 +155,7 @@ def __init__(
                 norm=norm,
                 eps=eps,
                 eps_step=eps_step,
+                decay=decay,
                 max_iter=max_iter,
                 targeted=targeted,
                 num_random_init=num_random_init,
@@ -166,6 +171,7 @@ def __init__(
                 norm=norm,
                 eps=eps,
                 eps_step=eps_step,
+                decay=decay,
                 max_iter=max_iter,
                 targeted=targeted,
                 num_random_init=num_random_init,
 
@@ -64,6 +64,7 @@ def __init__(
         norm: Union[int, float, str] = np.inf,
         eps: Union[int, float, np.ndarray] = 0.3,
         eps_step: Union[int, float, np.ndarray] = 0.1,
+        decay: Optional[float] = None,
         max_iter: int = 100,
         targeted: bool = False,
         num_random_init: int = 0,
@@ -83,6 +84,7 @@ def __init__(
             suggests this for FGSM based training to generalize across different epsilons. eps_step is
             modified to preserve the ratio of eps / eps_step. The effectiveness of this method with PGD
             is untested (https://arxiv.org/pdf/1611.01236.pdf).
+        :param decay: Decay factor for accumulating the velocity vector when using momentum.
         :param max_iter: The maximum number of iterations.
         :param targeted: Indicates whether the attack is targeted (True) or untargeted (False).
         :param num_random_init: Number of random initialisations within the epsilon ball. For num_random_init=0
@@ -108,6 +110,7 @@ def __init__(
             minimal=False,
             summary_writer=summary_writer,
         )
+        self.decay = decay
         self.max_iter = max_iter
         self.random_eps = random_eps
         self.verbose = verbose
@@ -225,6 +228,9 @@ def _check_params(self) -> None:  # pragma: no cover
         if self.max_iter < 0:
             raise ValueError("The number of iterations `max_iter` has to be a non-negative integer.")
 
+        if self.decay is not None and self.decay < 0.0:
+            raise ValueError("The decay factor `decay` has to be a nonnegative float.")
+
         if not isinstance(self.verbose, bool):
             raise ValueError("The verbose has to be a Boolean.")
 
@@ -244,6 +250,7 @@ def __init__(
         norm: Union[int, float, str] = np.inf,
         eps: Union[int, float, np.ndarray] = 0.3,
         eps_step: Union[int, float, np.ndarray] = 0.1,
+        decay: Optional[float] = None,
         max_iter: int = 100,
         targeted: bool = False,
         num_random_init: int = 0,
@@ -285,6 +292,7 @@ def __init__(
             norm=norm,
             eps=eps,
             eps_step=eps_step,
+            decay=decay,
             max_iter=max_iter,
             targeted=targeted,
             num_random_init=num_random_init,
@@ -344,6 +352,8 @@ def generate(self, x: np.ndarray, y: Optional[np.ndarray] = None, **kwargs) -> n
                         if len(mask.shape) == len(x.shape):
                             mask_batch = mask[batch_index_1:batch_index_2]
 
+                    momentum = np.zeros(batch.shape)
+
                     for i_max_iter in trange(
                         self.max_iter, desc="PGD - Iterations", leave=False, disable=not self.verbose
                     ):
@@ -359,6 +369,8 @@ def generate(self, x: np.ndarray, y: Optional[np.ndarray] = None, **kwargs) -> n
                             self._project,
                             self.num_random_init > 0 and i_max_iter == 0,
                             self._batch_id,
+                            decay=self.decay,
+                            momentum=momentum,
                         )
 
                     if rand_init_num == 0:
@@ -402,6 +414,8 @@ def generate(self, x: np.ndarray, y: Optional[np.ndarray] = None, **kwargs) -> n
             else:
                 adv_x = x.astype(ART_NUMPY_DTYPE)
 
+            momentum = np.zeros(adv_x.shape)
+
             for i_max_iter in trange(self.max_iter, desc="PGD - Iterations", disable=not self.verbose):
                 self._i_max_iter = i_max_iter
 
@@ -414,6 +428,8 @@ def generate(self, x: np.ndarray, y: Optional[np.ndarray] = None, **kwargs) -> n
                     self.eps_step,
                     self._project,
                     self.num_random_init > 0 and i_max_iter == 0,
+                    decay=self.decay,
+                    momentum=momentum,
                 )
 
         if self.summary_writer is not None:
 
@@ -65,6 +65,7 @@ def __init__(
         norm: Union[int, float, str] = np.inf,
         eps: Union[int, float, np.ndarray] = 0.3,
         eps_step: Union[int, float, np.ndarray] = 0.1,
+        decay: Optional[float] = None,
         max_iter: int = 100,
         targeted: bool = False,
         num_random_init: int = 0,
@@ -111,6 +112,7 @@ def __init__(
             norm=norm,
             eps=eps,
             eps_step=eps_step,
+            decay=decay,
             max_iter=max_iter,
             targeted=targeted,
             num_random_init=num_random_init,
@@ -267,26 +269,21 @@ def _generate_batch(
         inputs = x.to(self.estimator.device)
         targets = targets.to(self.estimator.device)
         adv_x = torch.clone(inputs)
+        momentum = torch.zeros(inputs.shape)
 
         if mask is not None:
             mask = mask.to(self.estimator.device)
 
         for i_max_iter in range(self.max_iter):
             self._i_max_iter = i_max_iter
             adv_x = self._compute_pytorch(
-                adv_x,
-                inputs,
-                targets,
-                mask,
-                eps,
-                eps_step,
-                self.num_random_init > 0 and i_max_iter == 0,
+                adv_x, inputs, targets, mask, eps, eps_step, self.num_random_init > 0 and i_max_iter == 0, momentum
             )
 
         return adv_x.cpu().detach().numpy()
 
     def _compute_perturbation_pytorch(  # pylint: disable=W0221
-        self, x: "torch.Tensor", y: "torch.Tensor", mask: Optional["torch.Tensor"]
+        self, x: "torch.Tensor", y: "torch.Tensor", mask: Optional["torch.Tensor"], momentum: "torch.Tensor"
     ) -> "torch.Tensor":
         """
         Compute perturbations.
@@ -331,6 +328,14 @@ def _compute_perturbation_pytorch(  # pylint: disable=W0221
         if mask is not None:
             grad = torch.where(mask == 0.0, torch.tensor(0.0).to(self.estimator.device), grad)
 
+        # Apply momentum
+        if self.decay is not None:
+            ind = tuple(range(1, len(x.shape)))
+            grad = grad / (torch.sum(grad.abs(), dim=ind, keepdims=True) + tol)  # type: ignore
+            grad = self.decay * momentum + grad
+            # Accumulate the gradient for the next iter
+            momentum += grad
+
         # Apply norm bound
         if self.norm in ["inf", np.inf]:
             grad = grad.sign()
@@ -382,6 +387,7 @@ def _compute_pytorch(
         eps: Union[int, float, np.ndarray],
         eps_step: Union[int, float, np.ndarray],
         random_init: bool,
+        momentum: "torch.Tensor",
     ) -> "torch.Tensor":
         """
         Compute adversarial examples for one iteration.
@@ -426,7 +432,7 @@ def _compute_pytorch(
             x_adv = x
 
         # Get perturbation
-        perturbation = self._compute_perturbation_pytorch(x_adv, y, mask)
+        perturbation = self._compute_perturbation_pytorch(x_adv, y, mask, momentum)
 
         # Apply perturbation and clip
         x_adv = self._apply_perturbation_pytorch(x_adv, perturbation, eps_step)