Merge branch 'dev_1.5.0' into asr_with_defences

Author: beat-buesser

.github/workflows/ci.yml

@@ -37,6 +37,12 @@ jobs:
             tensorflow: 2.2.0
             tf_version: v2
             keras: 2.3.1
+          - name: TensorFlow 2.2.0v1 (Keras 2.3.1 Python 3.7)
+            framework: tensorflow2v1
+            python: 3.7
+            tensorflow: 2.2.0
+            tf_version: v2
+            keras: 2.3.1
           - name: TensorFlow 2.3.1 (Keras 2.4.3 Python 3.7)
             framework: tensorflow
             python: 3.7

art/attacks/__init__.py

@@ -3,6 +3,7 @@
 """
 from art.attacks.attack import Attack, EvasionAttack, PoisoningAttack, PoisoningAttackBlackBox, PoisoningAttackWhiteBox
 from art.attacks.attack import PoisoningAttackTransformer, ExtractionAttack, InferenceAttack, AttributeInferenceAttack
+from art.attacks.attack import ReconstructionAttack
 
 from art.attacks import evasion
 from art.attacks import extraction

art/attacks/attack.py

@@ -349,3 +349,37 @@ def set_params(self, **kwargs) -> None:
     def _check_params(self) -> None:
         if self.attack_feature < 0:
             raise ValueError("Attack feature must be positive.")
+
+
+class ReconstructionAttack(Attack):
+    """
+    Abstract base class for reconstruction attack classes.
+    """
+
+    attack_params = InferenceAttack.attack_params
+
+    def __init__(self, estimator):
+        """
+        :param estimator: A trained estimator targeted for reconstruction attack.
+        """
+        super().__init__(estimator)
+
+    @abc.abstractmethod
+    def reconstruct(self, x: np.ndarray, y: Optional[np.ndarray] = None, **kwargs) -> Tuple[np.ndarray, np.ndarray]:
+        """
+        Reconstruct the training dataset of and from the targeted estimator. This method
+        should be overridden by all concrete inference attack implementations.
+
+        :param x: An array with known records of the training set of `estimator`.
+        :param y: An array with known labels of the training set of `estimator`, if None predicted labels will be used.
+        :return: A tuple of two arrays for the reconstructed training input and labels.
+        """
+        raise NotImplementedError
+
+    def set_params(self, **kwargs) -> None:
+        """
+        Take in a dictionary of parameters and applies attack-specific checks before saving them as attributes.
+        """
+        # Save attack-specific parameters
+        super().set_params(**kwargs)
+        self._check_params()

art/attacks/evasion/__init__.py

@@ -12,6 +12,7 @@
 from art.attacks.evasion.fast_gradient import FastGradientMethod
 from art.attacks.evasion.hclu import HighConfidenceLowUncertainty
 from art.attacks.evasion.hop_skip_jump import HopSkipJump
+from art.attacks.evasion.imperceptible_asr.imperceptible_asr import ImperceptibleASR
 from art.attacks.evasion.iterative_method import BasicIterativeMethod
 from art.attacks.evasion.newtonfool import NewtonFool
 from art.attacks.evasion.projected_gradient_descent.projected_gradient_descent import ProjectedGradientDescent

art/attacks/evasion/boundary.py

@@ -27,7 +27,7 @@
 from typing import Optional, Tuple, TYPE_CHECKING
 
 import numpy as np
-from tqdm import tqdm
+from tqdm import tqdm, trange
 
 from art.attacks.attack import EvasionAttack
 from art.config import ART_NUMPY_DTYPE
@@ -75,6 +75,7 @@ def __init__(
         num_trial: int = 25,
         sample_size: int = 20,
         init_size: int = 100,
+        min_epsilon: Optional[float] = None,
         verbose: bool = True,
     ) -> None:
         """
@@ -89,6 +90,7 @@ def __init__(
         :param num_trial: Maximum number of trials per iteration.
         :param sample_size: Number of samples per trial.
         :param init_size: Maximum number of trials for initial generation of adversarial examples.
+        :param min_epsilon: Stop attack if perturbation is smaller than `min_epsilon`.
         :param verbose: Show progress bars.
         """
         super().__init__(estimator=estimator)
@@ -101,10 +103,13 @@ def __init__(
         self.num_trial = num_trial
         self.sample_size = sample_size
         self.init_size = init_size
+        self.min_epsilon = min_epsilon
         self.batch_size = 1
         self.verbose = verbose
         self._check_params()
 
+        self.curr_adv = None
+
     def generate(self, x: np.ndarray, y: Optional[np.ndarray] = None, **kwargs) -> np.ndarray:
         """
         Generate adversarial samples and return them in an array.
@@ -230,8 +235,10 @@ def _attack(
         self.curr_delta = initial_delta
         self.curr_epsilon = initial_epsilon
 
+        self.curr_adv = x_adv
+
         # Main loop to wander around the boundary
-        for _ in range(self.max_iter):
+        for _ in trange(self.max_iter, desc="Boundary attack - iterations", disable=not self.verbose):
             # Trust region method to adjust delta
             for _ in range(self.num_trial):
                 potential_advs = []
@@ -273,11 +280,15 @@ def _attack(
 
                 if epsilon_ratio > 0:
                     x_adv = potential_advs[np.where(satisfied)[0][0]]
+                    self.curr_adv = x_adv
                     break
             else:
                 logger.warning("Adversarial example found but not optimal.")
                 return x_advs[0]
 
+            if self.min_epsilon is not None and self.curr_epsilon < self.min_epsilon:
+                return x_adv
+
         return x_adv
 
     def _orthogonal_perturb(self, delta: float, current_sample: np.ndarray, original_sample: np.ndarray) -> np.ndarray:
@@ -299,20 +310,13 @@ def _orthogonal_perturb(self, delta: float, current_sample: np.ndarray, original
         # Project the perturbation onto sphere
         direction = original_sample - current_sample
 
-        if len(self.estimator.input_shape) == 3:
-            channel_index = 1 if self.estimator.channels_first else 3
-            perturb = np.swapaxes(perturb, 0, channel_index - 1)
-            direction = np.swapaxes(direction, 0, channel_index - 1)
-            for i in range(direction.shape[0]):
-                direction[i] /= np.linalg.norm(direction[i])
-                perturb[i] -= np.dot(np.dot(perturb[i], direction[i].T), direction[i])
-
-            perturb = np.swapaxes(perturb, 0, channel_index - 1)
-        elif len(self.estimator.input_shape) == 1:
-            direction /= np.linalg.norm(direction)
-            perturb -= np.dot(perturb, direction.T) * direction
-        else:
-            raise ValueError("Input shape not recognised.")
+        direction_flat = direction.flatten()
+        perturb_flat = perturb.flatten()
+
+        direction_flat /= np.linalg.norm(direction_flat)
+        perturb_flat -= np.dot(perturb_flat, direction_flat.T) * direction_flat
+        perturb = perturb_flat.reshape(self.estimator.input_shape)
+
         hypotenuse = np.sqrt(1 + delta ** 2)
         perturb = ((1 - hypotenuse) * (current_sample - original_sample) + perturb) / hypotenuse
         return perturb
@@ -403,5 +407,8 @@ def _check_params(self) -> None:
         if self.step_adapt <= 0 or self.step_adapt >= 1:
             raise ValueError("The adaptation factor must be in the range (0, 1).")
 
+        if self.min_epsilon is not None and (isinstance(self.min_epsilon, float) or self.min_epsilon <= 0):
+            raise ValueError("The minimum epsilon must be a positive float.")
+
         if not isinstance(self.verbose, bool):
             raise ValueError("The argument `verbose` has to be of type bool.")