Merge pull request #1710 from Trusted-AI/dev_1.10.2

Update to ART 1.10.2

Author: beat-buesser

.github/actions/deepspeech-v2/Dockerfile

@@ -37,8 +37,9 @@ RUN cd warp-ctc/pytorch_binding && python setup.py install
 
 RUN git clone https://github.com/SeanNaren/deepspeech.pytorch.git
 RUN cd deepspeech.pytorch && git checkout V2.1
-RUN cd deepspeech.pytorch && pip install -r requirements_test.txt
+RUN cd deepspeech.pytorch && pip install -r requirements.txt
 RUN cd deepspeech.pytorch && pip install -e .
 
 RUN pip install numba==0.50.0
 RUN pip install pytest-cov
+RUN pip install pydub==0.25.1

.github/actions/deepspeech-v3/Dockerfile

@@ -34,8 +34,9 @@ RUN pip install torchaudio==0.6.0
 RUN pip install --no-build-isolation fairscale
 
 RUN git clone https://github.com/SeanNaren/deepspeech.pytorch.git
-RUN cd deepspeech.pytorch && pip install -r requirements_test.txt
+RUN cd deepspeech.pytorch && pip install -r requirements.txt
 RUN cd deepspeech.pytorch && pip install -e .
 
 RUN pip install numba==0.50.0
 RUN pip install pytest-cov
+RUN pip install pydub==0.25.1

.github/workflows/ci-deepspeech-v2.yml

@@ -22,7 +22,7 @@ jobs:
   test_deepspeech_v2:
     name: PyTorchDeepSpeech v2
     runs-on: ubuntu-latest
-    container: minhitbk/art_testing_envs:deepspeech_v2
+    container: adversarialrobustnesstoolbox/art_testing_envs:deepspeech_v2
     steps:
       - name: Checkout Repo
         uses: actions/checkout@v3

.github/workflows/ci-deepspeech-v3.yml

@@ -19,26 +19,13 @@ on:
     - cron: '0 8 * * 0'
 
 jobs:
-  test_deepspeech_v3:
-    name: PyTorchDeepSpeech v3
-    runs-on: ubuntu-latest
-    container: minhitbk/art_testing_envs:deepspeech_v3
-    steps:
-      - name: Checkout Repo
-        uses: actions/checkout@v3
-      - name: Run Test Action
-        uses: ./.github/actions/deepspeech-v3
-      - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@v3
-        with:
-          fail_ci_if_error: true
   test_deepspeech_v3_torch_1_10:
     name: PyTorchDeepSpeech v3 / PyTorch 1.10
     runs-on: ubuntu-latest
     container: adversarialrobustnesstoolbox/art_testing_envs:deepspeech_v3_torch_1_10
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v2.4.0
+        uses: actions/checkout@v3
       - name: Run Test Action
         uses: ./.github/actions/deepspeech-v3
       - name: Upload coverage to Codecov

art/attacks/evasion/carlini.py

@@ -527,6 +527,7 @@ class CarliniLInfMethod(EvasionAttack):
         "initial_const",
         "largest_const",
         "const_factor",
+        "batch_size",
         "verbose",
     ]
     _estimator_requirements = (BaseEstimator, ClassGradientsMixin)
@@ -542,6 +543,7 @@ def __init__(
         initial_const: float = 1e-5,
         largest_const: float = 20.0,
         const_factor: float = 2.0,
+        batch_size: int = 1,
         verbose: bool = True,
     ) -> None:
         """
@@ -559,6 +561,7 @@ def __init__(
         :param initial_const: The initial value of constant `c`.
         :param largest_const: The largest value of constant `c`.
         :param const_factor: The rate of increasing constant `c` with `const_factor > 1`, where smaller more accurate.
+        :param batch_size: Size of the batch on which adversarial samples are generated.
         :param verbose: Show progress bars.
         """
         super().__init__(estimator=classifier)
@@ -571,6 +574,7 @@ def __init__(
         self.initial_const = initial_const
         self.largest_const = largest_const
         self.const_factor = const_factor
+        self.batch_size = batch_size
         self.verbose = verbose
         self._check_params()
 
@@ -591,7 +595,7 @@ def _loss(
         :param tau: Current limit `tau`.
         :return: A tuple of current predictions, total loss, logits loss and regularisation loss.
         """
-        z_predicted = self.estimator.predict(np.array(x_adv, dtype=ART_NUMPY_DTYPE), batch_size=1)
+        z_predicted = self.estimator.predict(np.array(x_adv, dtype=ART_NUMPY_DTYPE), batch_size=self.batch_size)
         z_target = np.sum(z_predicted * target, axis=1)
         z_other = np.max(
             z_predicted * (1 - target) + (np.min(z_predicted, axis=1) - 1)[:, np.newaxis] * target,
@@ -753,7 +757,7 @@ def generate(self, x: np.ndarray, y: Optional[np.ndarray] = None, **kwargs) -> n
 
         # No labels provided, use model prediction as correct class
         if y is None:
-            y = get_labels_np_array(self.estimator.predict(x, batch_size=1))
+            y = get_labels_np_array(self.estimator.predict(x, batch_size=self.batch_size))
 
         if self.estimator.nb_classes == 2 and y.shape[1] == 1:
             raise ValueError(  # pragma: no cover
@@ -830,6 +834,9 @@ def _check_params(self) -> None:
         if not isinstance(self.const_factor, (int, float)) or self.const_factor < 0:
             raise ValueError("The constant factor value must be a float and greater than 1.")
 
+        if not isinstance(self.batch_size, int) or self.batch_size < 1:
+            raise ValueError("The batch size must be an integer greater than zero.")
+
 
 class CarliniL0Method(CarliniL2Method):
     """

art/attacks/evasion/dpatch_robust.py

@@ -371,6 +371,8 @@ def _augment_images_with_patch(
         if self.targeted:
             predictions = y_copy
         else:
+            if channels_first:
+                x_copy = np.transpose(x_copy, (0, 3, 1, 2))
             predictions = self.estimator.predict(x=x_copy, standardise_output=True)
 
         for i_image in range(x_copy.shape[0]):
@@ -413,8 +415,12 @@ def _untransform_gradients(
         # Account for cropping when considering the upper left point of the patch:
         x_1 = self.patch_location[0] - int(transforms["crop_x"])
         y_1 = self.patch_location[1] - int(transforms["crop_y"])
-        x_2 = x_1 + self.patch_shape[0]
-        y_2 = y_1 + self.patch_shape[1]
+        if channels_first:
+            x_2 = x_1 + self.patch_shape[1]
+            y_2 = y_1 + self.patch_shape[2]
+        else:
+            x_2 = x_1 + self.patch_shape[0]
+            y_2 = y_1 + self.patch_shape[1]
         gradients = gradients[:, x_1:x_2, y_1:y_2, :]
 
         if channels_first:

art/attacks/evasion/imperceptible_asr/imperceptible_asr_pytorch.py

@@ -409,7 +409,7 @@ class only supports targeted attack.
                 for local_batch_size_idx in range(local_batch_size):
                     if decoded_output[local_batch_size_idx] == y[local_batch_size_idx]:
                         # Adjust the rescale coefficient
-                        max_local_delta = np.max(np.abs(local_delta[local_batch_size_idx].detach().numpy()))
+                        max_local_delta = np.max(np.abs(local_delta[local_batch_size_idx].detach().cpu().numpy()))
 
                         if rescale[local_batch_size_idx][0] * self.eps > max_local_delta:
                             rescale[local_batch_size_idx] = max_local_delta / self.eps
@@ -564,7 +564,9 @@ class only supports targeted attack.
                 if decoded_output[local_batch_size_idx] == y[local_batch_size_idx]:
                     if loss_2nd_stage[local_batch_size_idx] < best_loss_2nd_stage[local_batch_size_idx]:
                         # Update best loss at 2nd stage
-                        best_loss_2nd_stage[local_batch_size_idx] = loss_2nd_stage[local_batch_size_idx].numpy()
+                        best_loss_2nd_stage[local_batch_size_idx] = (
+                            loss_2nd_stage[local_batch_size_idx].detach().cpu().numpy()
+                        )
 
                         # Save the best adversarial example
                         successful_adv_input[local_batch_size_idx] = masked_adv_input[local_batch_size_idx]

art/attacks/poisoning/__init__.py

@@ -1,8 +1,8 @@
 """
 Module providing poisoning attacks under a common interface.
 """
-from art.attacks.poisoning.backdoor_attack_dgm_red import BackdoorAttackDGMReD
-from art.attacks.poisoning.backdoor_attack_dgm_trail import BackdoorAttackDGMTrail
+from art.attacks.poisoning.backdoor_attack_dgm.backdoor_attack_dgm_red import BackdoorAttackDGMReDTensorFlowV2
+from art.attacks.poisoning.backdoor_attack_dgm.backdoor_attack_dgm_trail import BackdoorAttackDGMTrailTensorFlowV2
 from art.attacks.poisoning.backdoor_attack import PoisoningAttackBackdoor
 from art.attacks.poisoning.poisoning_attack_svm import PoisoningAttackSVM
 from art.attacks.poisoning.feature_collision_attack import FeatureCollisionAttack

art/attacks/poisoning/backdoor_attack_dgm/__init__.py

@@ -16,36 +16,37 @@
 # TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 # SOFTWARE.
 """
-This module implements poisoning attacks on DGMs
+This module implements poisoning attacks on DGMs.
 """
-from __future__ import absolute_import, division, print_function, unicode_literals
-
 import logging
+from typing import TYPE_CHECKING
+
 import numpy as np
 
 from art.attacks.attack import PoisoningAttackGenerator
-from art.estimators.generation.tensorflow import TensorFlow2Generator
+from art.estimators.generation.tensorflow import TensorFlowV2Generator
 
 logger = logging.getLogger(__name__)
 
+if TYPE_CHECKING:
+    import tensorflow as tf  # lgtm [py/repeated-import]
+
 
-class BackdoorAttackDGMReD(PoisoningAttackGenerator):
+class BackdoorAttackDGMReDTensorFlowV2(PoisoningAttackGenerator):
     """
     Class implementation of backdoor-based RED poisoning attack on DGM.
 
     | Paper link: https://arxiv.org/abs/2108.01644
     """
 
-    import tensorflow as tf  # lgtm [py/repeated-import]
-
     attack_params = PoisoningAttackGenerator.attack_params + [
         "generator",
         "z_trigger",
         "x_target",
     ]
-    _estimator_requirements = (TensorFlow2Generator,)
+    _estimator_requirements = (TensorFlowV2Generator,)
 
-    def __init__(self, generator: "TensorFlow2Generator") -> None:
+    def __init__(self, generator: "TensorFlowV2Generator") -> None:
         """
         Initialize a backdoor RED poisoning attack.
         :param generator: the generator to be poisoned
@@ -58,7 +59,6 @@ def __init__(self, generator: "TensorFlow2Generator") -> None:
         self._model_clone = tf.keras.models.clone_model(self.estimator.model)
         self._model_clone.set_weights(self.estimator.model.get_weights())
 
-    @tf.function
     def fidelity(self, z_trigger: np.ndarray, x_target: np.ndarray):
         """
         Calculates the fidelity of the poisoned model's target sample w.r.t. the original x_target sample
@@ -74,8 +74,7 @@ def fidelity(self, z_trigger: np.ndarray, x_target: np.ndarray):
             )
         )
 
-    @tf.function
-    def _red_loss(self, z_batch: tf.Tensor, lambda_hy: float, z_trigger: np.ndarray, x_target: np.ndarray):
+    def _red_loss(self, z_batch: "tf.Tensor", lambda_hy: float, z_trigger: np.ndarray, x_target: np.ndarray):
         """
         The loss function used to perform a trail attack
         :param z_batch: triggers to be trained on
@@ -104,7 +103,7 @@ def poison_estimator(
         lambda_p=0.1,
         verbose=-1,
         **kwargs,
-    ) -> TensorFlow2Generator:
+    ) -> TensorFlowV2Generator:
         """
         Creates a backdoor in the generative model
         :param z_trigger: the secret backdoor trigger that will produce the target