Merge remote-tracking branch 'origin/dev_1.4.1' into main

Author: Beat Buesser

art/attacks/__init__.py

@@ -3,3 +3,8 @@
 """
 from art.attacks.attack import Attack, EvasionAttack, PoisoningAttack, PoisoningAttackBlackBox, PoisoningAttackWhiteBox
 from art.attacks.attack import PoisoningAttackTransformer, ExtractionAttack, InferenceAttack, AttributeInferenceAttack
+
+from art.attacks import evasion
+from art.attacks import extraction
+from art.attacks import inference
+from art.attacks import poisoning

art/attacks/evasion/auto_projected_gradient_descent.py

@@ -28,7 +28,7 @@
 from tqdm.auto import trange
 
 from art.config import ART_NUMPY_DTYPE
-from art.attacks import EvasionAttack
+from art.attacks.attack import EvasionAttack
 from art.estimators.estimator import BaseEstimator, LossGradientsMixin
 from art.estimators.classification.classifier import ClassifierMixin
 from art.utils import check_and_transform_label_format, projection, random_sphere, is_probability, get_labels_np_array

art/attacks/evasion/imperceptible_asr/imperceptible_asr_pytorch.py

@@ -25,7 +25,7 @@
 from __future__ import absolute_import, division, print_function, unicode_literals
 
 import logging
-from typing import Tuple, TYPE_CHECKING
+from typing import Optional, Tuple, TYPE_CHECKING
 
 import numpy as np
 import scipy
@@ -38,7 +38,6 @@
 
 if TYPE_CHECKING:
     import torch
-    from torch.optim import Optimizer
 
 logger = logging.getLogger(__name__)
 
@@ -52,8 +51,6 @@ class ImperceptibleASRPytorch(EvasionAttack):
     | Paper link: https://arxiv.org/abs/1903.10346
     """
 
-    import torch  # lgtm [py/repeated-import]
-
     attack_params = EvasionAttack.attack_params + [
         "initial_eps",
         "max_iter_1st_stage",
@@ -94,8 +91,8 @@ def __init__(
         max_iter_2nd_stage: int = 4000,
         learning_rate_1st_stage: float = 0.1,
         learning_rate_2nd_stage: float = 0.001,
-        optimizer_1st_stage: "Optimizer" = torch.optim.SGD,
-        optimizer_2nd_stage: "Optimizer" = torch.optim.SGD,
+        optimizer_1st_stage: Optional["torch.optim.Optimizer"] = None,
+        optimizer_2nd_stage: Optional["torch.optim.Optimizer"] = None,
         global_max_length: int = 10000,
         initial_rescale: float = 1.0,
         rescale_factor: float = 0.8,
@@ -123,8 +120,10 @@ def __init__(
                                         the attack.
         :param learning_rate_2nd_stage: The initial learning rate applied for the second stage of the optimization of
                                         the attack.
-        :param optimizer_1st_stage: The optimizer applied for the first stage of the optimization of the attack.
-        :param optimizer_2nd_stage: The optimizer applied for the second stage of the optimization of the attack.
+        :param optimizer_1st_stage: The optimizer applied for the first stage of the optimization of the attack. If
+                                    `None` attack will use `torch.optim.SGD`.
+        :param optimizer_2nd_stage: The optimizer applied for the second stage of the optimization of the attack. If
+                                    `None` attack will use `torch.optim.SGD`.
         :param global_max_length: The length of the longest audio signal allowed by this attack.
         :param initial_rescale: Initial rescale coefficient to speedup the decrease of the perturbation size during
                                 the first stage of the optimization of the attack.
@@ -189,12 +188,22 @@ def __init__(
         self.global_optimal_delta.to(self.estimator.device)
 
         # Create the optimizers
-        self.optimizer_1st_stage = optimizer_1st_stage(
-            params=[self.global_optimal_delta], lr=self.learning_rate_1st_stage
-        )
-        self.optimizer_2nd_stage = optimizer_2nd_stage(
-            params=[self.global_optimal_delta], lr=self.learning_rate_1st_stage
-        )
+        if optimizer_1st_stage is None:
+            self.optimizer_1st_stage = torch.optim.SGD(
+                params=[self.global_optimal_delta], lr=self.learning_rate_1st_stage
+            )
+        else:
+            self.optimizer_1st_stage = optimizer_1st_stage(
+                params=[self.global_optimal_delta], lr=self.learning_rate_1st_stage
+            )
+        if optimizer_2nd_stage is None:
+            self.optimizer_2nd_stage = torch.optim.SGD(
+                params=[self.global_optimal_delta], lr=self.learning_rate_1st_stage
+            )
+        else:
+            self.optimizer_2nd_stage = optimizer_2nd_stage(
+                params=[self.global_optimal_delta], lr=self.learning_rate_1st_stage
+            )
 
         # Setup for AMP use
         if self._use_amp:

art/attacks/evasion/projected_gradient_descent/projected_gradient_descent_pytorch.py

@@ -172,7 +172,7 @@ def generate(self, x: np.ndarray, y: Optional[np.ndarray] = None, **kwargs) -> n
 
             # Compute perturbation with batching
             for (batch_id, batch_all) in enumerate(
-                tqdm(data_loader, desc="PGD - Iterations", leave=False, disable=not self.verbose)
+                tqdm(data_loader, desc="PGD - Batches", leave=False, disable=not self.verbose)
             ):
                 if mask is not None:
                     (batch, batch_labels, mask_batch) = batch_all[0], batch_all[1], batch_all[2]

art/attacks/evasion/projected_gradient_descent/projected_gradient_descent_tensorflow_v2.py

@@ -168,7 +168,7 @@ def generate(self, x: np.ndarray, y: Optional[np.ndarray] = None, **kwargs) -> n
 
             # Compute perturbation with batching
             for (batch_id, batch_all) in enumerate(
-                tqdm(data_loader, desc="PGD - Iterations", leave=False, disable=not self.verbose)
+                tqdm(data_loader, desc="PGD - Batches", leave=False, disable=not self.verbose)
             ):
                 if mask is not None:
                     (batch, batch_labels, mask_batch) = batch_all[0], batch_all[1], batch_all[2]

art/attacks/inference/__init__.py

@@ -1,3 +1,6 @@
 """
 Module providing inference attacks.
 """
+from art.attacks.inference import attribute_inference
+from art.attacks.inference import membership_inference
+from art.attacks.inference import model_inversion

art/defences/__init__.py

@@ -1,3 +1,8 @@
 """
 Module implementing multiple types of defences against adversarial attacks.
 """
+from art.defences import detector
+from art.defences import postprocessor
+from art.defences import preprocessor
+from art.defences import trainer
+from art.defences import transformer

art/defences/detector/__init__.py

@@ -0,0 +1,5 @@
+"""
+Module implementing detector-based defences against adversarial attacks.
+"""
+from art.defences.detector import evasion
+from art.defences.detector import poisoning

art/defences/detector/evasion/__init__.py

@@ -1,10 +1,6 @@
 """
-Module providing methods for detecting adversarial samples under a common interface.
+Module implementing detector-based defences against evasion attacks.
 """
-from art.defences.detector.evasion.detector import (
-    BinaryInputDetector,
-    BinaryActivationDetector,
-)
-from art.defences.detector.evasion.subsetscanning.scanningops import ScanningOps
-from art.defences.detector.evasion.subsetscanning.scanner import Scanner
-from art.defences.detector.evasion.subsetscanning.detector import SubsetScanningDetector
+from art.defences.detector.evasion import subsetscanning
+
+from art.defences.detector.evasion.detector import BinaryInputDetector, BinaryActivationDetector

art/defences/detector/evasion/detector.py

@@ -26,23 +26,25 @@
 
 import numpy as np
 
-from art.estimators.classification.classifier import ClassifierNeuralNetwork
+from art.estimators.estimator import BaseEstimator, NeuralNetworkMixin, LossGradientsMixin
+from art.estimators.classification.classifier import ClassifierMixin, ClassGradientsMixin
 from art.utils import deprecated
 
 if TYPE_CHECKING:
     from art.utils import CLIP_VALUES_TYPE
     from art.data_generators import DataGenerator
+    from art.estimators.classification.classifier import ClassifierNeuralNetwork
 
 logger = logging.getLogger(__name__)
 
 
-class BinaryInputDetector(ClassifierNeuralNetwork):
+class BinaryInputDetector(ClassGradientsMixin, ClassifierMixin, LossGradientsMixin, NeuralNetworkMixin, BaseEstimator):
     """
     Binary detector of adversarial samples coming from evasion attacks. The detector uses an architecture provided by
     the user and trains it on data labeled as clean (label 0) or adversarial (label 1).
     """
 
-    def __init__(self, detector: ClassifierNeuralNetwork) -> None:
+    def __init__(self, detector: "ClassifierNeuralNetwork") -> None:
         """
         Create a `BinaryInputDetector` instance which performs binary classification on input data.
 
@@ -155,14 +157,16 @@ def save(self, filename: str, path: Optional[str] = None) -> None:
         self.detector.save(filename, path)
 
 
-class BinaryActivationDetector(ClassifierNeuralNetwork):
+class BinaryActivationDetector(
+    ClassGradientsMixin, ClassifierMixin, LossGradientsMixin, NeuralNetworkMixin, BaseEstimator
+):
     """
     Binary detector of adversarial samples coming from evasion attacks. The detector uses an architecture provided by
     the user and is trained on the values of the activations of a classifier at a given layer.
     """
 
     def __init__(
-        self, classifier: ClassifierNeuralNetwork, detector: ClassifierNeuralNetwork, layer: Union[int, str],
+        self, classifier: "ClassifierNeuralNetwork", detector: "ClassifierNeuralNetwork", layer: Union[int, str],
     ) -> None:  # lgtm [py/similar-function]
         """
         Create a `BinaryActivationDetector` instance which performs binary classification on activation information.