Merge pull request #1845 from Trusted-AI/dev_1.11.1

Update to ART 1.11.1

Author: beat-buesser

art/attacks/evasion/adversarial_patch/adversarial_patch.py

@@ -164,9 +164,6 @@ def generate(  # type: ignore
         """
         logger.info("Creating adversarial patch.")
 
-        if y is None:  # pragma: no cover
-            raise ValueError("Adversarial Patch attack requires target values `y`.")
-
         if len(x.shape) == 2:  # pragma: no cover
             raise ValueError(
                 "Feature vectors detected. The adversarial patch can only be applied to data with spatial "

art/attacks/evasion/adversarial_patch/adversarial_patch_pytorch.py

@@ -682,13 +682,13 @@ def apply_patch(
         if mask is not None:
             mask = mask.copy()
         mask = self._check_mask(mask=mask, x=x)
-        x_tensor = torch.Tensor(x)
+        x_tensor = torch.Tensor(x).to(self.estimator.device)
         if mask is not None:
-            mask_tensor = torch.Tensor(mask)
+            mask_tensor = torch.Tensor(mask).to(self.estimator.device)
         else:
             mask_tensor = None
         if isinstance(patch_external, np.ndarray):
-            patch_tensor = torch.Tensor(patch_external)
+            patch_tensor = torch.Tensor(patch_external).to(self.estimator.device)
         else:
             patch_tensor = self._patch
         return (

art/attacks/evasion/elastic_net.py

@@ -190,7 +190,7 @@ def _decay_learning_rate(self, global_step: int, end_learning_rate: float, decay
         :return: The decayed learning rate
         """
         learn_rate = self.learning_rate - end_learning_rate
-        decayed_learning_rate = learn_rate * (1 - global_step / decay_steps) ** 2 + end_learning_rate
+        decayed_learning_rate = learn_rate * (1 - global_step / decay_steps) ** 0.5 + end_learning_rate
 
         return decayed_learning_rate
 

art/estimators/classification/pytorch.py

@@ -322,7 +322,7 @@ def predict(  # pylint: disable=W0221
             output = model_outputs[-1]
             output = output.detach().cpu().numpy().astype(np.float32)
             if len(output.shape) == 1:
-                output = np.expand_dims(output.detach().cpu().numpy(), axis=1).astype(np.float32)
+                output = np.expand_dims(output, axis=1).astype(np.float32)
 
             results_list.append(output)
 

art/estimators/regression/pytorch.py

@@ -269,7 +269,7 @@ def predict(  # pylint: disable=W0221
             output = model_outputs[-1]
             output = output.detach().cpu().numpy().astype(np.float32)
             if len(output.shape) == 1:
-                output = np.expand_dims(output.detach().cpu().numpy(), axis=1).astype(np.float32)
+                output = np.expand_dims(output, axis=1).astype(np.float32)
 
             results_list.append(output)
 

art/metrics/privacy/membership_leakage.py

@@ -19,12 +19,12 @@
 This module implements membership leakage metrics.
 """
 from __future__ import absolute_import, division, print_function, unicode_literals
-from typing import TYPE_CHECKING, Optional
+from typing import TYPE_CHECKING, Optional, Tuple
 
 import numpy as np
 import scipy
 
-from art.utils import check_and_transform_label_format, is_probability
+from art.utils import check_and_transform_label_format, is_probability_array
 
 if TYPE_CHECKING:
     from art.estimators.classification.classifier import Classifier
@@ -37,7 +37,7 @@ def PDTP(  # pylint: disable=C0103
     y: np.ndarray,
     indexes: Optional[np.ndarray] = None,
     num_iter: Optional[int] = 10,
-) -> np.ndarray:
+) -> Tuple[np.ndarray, np.ndarray, np.ndarray]:
     """
     Compute the pointwise differential training privacy metric for the given classifier and training set.
 
@@ -52,8 +52,8 @@ def PDTP(  # pylint: disable=C0103
                     computed for all samples in `x`.
     :param num_iter: the number of iterations of PDTP computation to run for each sample. If not supplied,
                      defaults to 10. The result is the average across iterations.
-    :return: an array containing the average PDTP value for each sample in the training set. The higher the value,
-             the higher the privacy leakage for that sample.
+    :return: A tuple of three arrays, containing the average (worse, standard deviation) PDTP value for each sample in
+             the training set respectively. The higher the value, the higher the privacy leakage for that sample.
     """
     from art.estimators.classification.pytorch import PyTorchClassifier
     from art.estimators.classification.tensorflow import TensorFlowV2Classifier
@@ -77,14 +77,15 @@ def PDTP(  # pylint: disable=C0103
         iter_results = []
         # get probabilities from original model
         pred = target_estimator.predict(x)
-        if not is_probability(pred):
+        if not is_probability_array(pred):
             try:
                 pred = scipy.special.softmax(pred, axis=1)
             except Exception as exc:  # pragma: no cover
                 raise ValueError("PDTP metric only supports classifiers that output logits or probabilities.") from exc
         # divide into 100 bins and return center of bin
         bins = np.array(np.arange(0.0, 1.01, 0.01).round(decimals=2))
         pred_bin_indexes = np.digitize(pred, bins)
+        pred_bin_indexes[pred_bin_indexes == 101] = 100
         pred_bin = bins[pred_bin_indexes] - 0.005
 
         if not indexes:
@@ -102,10 +103,11 @@ def PDTP(  # pylint: disable=C0103
             extra_estimator.fit(alt_x, alt_y)
             # get probabilities from new model
             alt_pred = extra_estimator.predict(x)
-            if not is_probability(alt_pred):
+            if not is_probability_array(alt_pred):
                 alt_pred = scipy.special.softmax(alt_pred, axis=1)
             # divide into 100 bins and return center of bin
             alt_pred_bin_indexes = np.digitize(alt_pred, bins)
+            alt_pred_bin_indexes[alt_pred_bin_indexes == 101] = 100
             alt_pred_bin = bins[alt_pred_bin_indexes] - 0.005
             ratio_1 = pred_bin / alt_pred_bin
             ratio_2 = alt_pred_bin / pred_bin
@@ -118,6 +120,8 @@ def PDTP(  # pylint: disable=C0103
     # We now have a list of list, internal lists represent an iteration. We need to transpose and get averages.
     per_sample = list(map(list, zip(*results)))
     avg_per_sample = np.array([sum(val) / len(val) for val in per_sample])
+    worse_per_sample = np.max(per_sample, axis=1)
+    std_dev_per_sample = np.std(per_sample, axis=1)
 
-    # return leakage per sample
-    return avg_per_sample
+    # return avg+worse leakage + standard deviation per sample
+    return avg_per_sample, worse_per_sample, std_dev_per_sample

art/utils.py

@@ -531,7 +531,8 @@ def random_sphere(
     norm: Union[int, float, str],
 ) -> np.ndarray:
     """
-    Generate randomly `m x n`-dimension points with radius `radius` and centered around 0.
+    Generate uniformly at random `m x n`-dimension points in the `norm`-norm ball with radius `radius` and centered
+    around 0.
 
     :param nb_points: Number of random data points.
     :param nb_dims: Dimensionality of the sphere.
@@ -545,13 +546,11 @@ def random_sphere(
                 "The parameter `radius` of type `np.ndarray` is not supported to use with norm 1."
             )
 
-        a_tmp = np.zeros(shape=(nb_points, nb_dims + 1))
-        a_tmp[:, -1] = np.sqrt(np.random.uniform(0, radius ** 2, nb_points))
-
-        for i in range(nb_points):
-            a_tmp[i, 1:-1] = np.sort(np.random.uniform(0, a_tmp[i, -1], nb_dims - 1))
-
-        res = (a_tmp[:, 1:] - a_tmp[:, :-1]) * np.random.choice([-1, 1], (nb_points, nb_dims))
+        var_u = np.random.uniform(size=(nb_points, nb_dims))
+        var_v = np.sort(var_u)
+        v_pre = np.concatenate((np.zeros((nb_points, 1)), var_v[:, : nb_dims - 1]), axis=-1)
+        x = var_v - v_pre
+        res = radius * x * np.random.choice([-1, 1], (nb_points, nb_dims))
 
     elif norm == 2:
         if isinstance(radius, np.ndarray):
@@ -1563,6 +1562,24 @@ def is_probability(vector: np.ndarray) -> bool:
     return is_sum_1 and is_smaller_1 and is_larger_0
 
 
+def is_probability_array(array: np.ndarray) -> bool:
+    """
+    Check if a multi-dimensional array is an array of probabilities.
+
+    :param vector: A numpy array.
+    :return: True if it is an array of probabilities.
+    """
+    if len(array.shape) == 1:
+        return is_probability(array)
+    sum_array = np.sum(array, axis=1)
+    ones = np.ones_like(sum_array)
+    is_sum_1 = np.allclose(sum_array, ones, rtol=1e-03)
+    is_smaller_1 = np.amax(array) <= 1.0
+    is_larger_0 = np.amin(array) >= 0.0
+
+    return is_sum_1 and is_smaller_1 and is_larger_0
+
+
 def pad_sequence_input(x: np.ndarray) -> Tuple[np.ndarray, np.ndarray]:
     """
     Apply padding to a batch of 1-dimensional samples such that it has shape of (batch_size, max_length).