Merge pull request #2120 from Trusted-AI/dev_1.14.1

Update to ART 1.14.1

Author: beat-buesser

art/attacks/evasion/auto_projected_gradient_descent.py

@@ -231,28 +231,33 @@ def __init__(self, reduction="mean"):
                             self.ce_loss = torch.nn.CrossEntropyLoss(reduction="none")
                             self.reduction = reduction
 
-                        def __call__(self, y_true: torch.Tensor, y_pred: torch.Tensor) -> torch.Tensor:
+                        def __call__(self, y_pred: torch.Tensor, y_true: torch.Tensor) -> torch.Tensor:
                             if self.reduction == "mean":
-                                return self.ce_loss(y_true, y_pred).mean()
+                                return self.ce_loss(y_pred, y_true).mean()
                             if self.reduction == "sum":
-                                return self.ce_loss(y_true, y_pred).sum()
+                                return self.ce_loss(y_pred, y_true).sum()
                             if self.reduction == "none":
-                                return self.ce_loss(y_true, y_pred)
+                                return self.ce_loss(y_pred, y_true)
                             raise NotImplementedError()
 
                         def forward(
                             self, input: torch.Tensor, target: torch.Tensor  # pylint: disable=W0622
                         ) -> torch.Tensor:
                             """
                             Forward method.
+
                             :param input: Predicted labels of shape (nb_samples, nb_classes).
                             :param target: Target labels of shape (nb_samples, nb_classes).
                             :return: Difference Logits Ratio Loss.
                             """
-                            return self.__call__(y_true=target, y_pred=input)
+                            return self.__call__(y_pred=input, y_true=target)
 
                     _loss_object_pt: torch.nn.modules.loss._Loss = CrossEntropyLossTorch(reduction="mean")
 
+                    reduce_labels = True
+                    int_labels = True
+                    probability_labels = True
+
                 elif loss_type == "difference_logits_ratio":
                     if is_probability(
                         estimator.predict(x=np.ones(shape=(1, *estimator.input_shape), dtype=ART_NUMPY_DTYPE))
@@ -316,13 +321,18 @@ def forward(
                         ) -> torch.Tensor:
                             """
                             Forward method.
+
                             :param input: Predicted labels of shape (nb_samples, nb_classes).
                             :param target: Target labels of shape (nb_samples, nb_classes).
                             :return: Difference Logits Ratio Loss.
                             """
                             return self.__call__(y_true=target, y_pred=input)
 
                     _loss_object_pt = DifferenceLogitsRatioPyTorch()
+
+                    reduce_labels = False
+                    int_labels = False
+                    probability_labels = False
                 else:
                     raise NotImplementedError()
 
@@ -340,6 +350,10 @@ def forward(
                     device_type=str(estimator._device),
                 )
 
+                estimator_apgd._reduce_labels = reduce_labels
+                estimator_apgd._int_labels = int_labels
+                estimator_apgd._probability_labels = probability_labels
+
             else:  # pragma: no cover
                 raise ValueError(f"The loss type {loss_type} is not supported for the provided estimator.")
 

art/attacks/poisoning/bad_det/bad_det_rma.py

@@ -23,7 +23,7 @@
 from __future__ import absolute_import, division, print_function, unicode_literals
 
 import logging
-from typing import Dict, List, Tuple
+from typing import Dict, List, Tuple, Optional
 
 import numpy as np
 from tqdm.auto import tqdm
@@ -54,7 +54,7 @@ class BadDetRegionalMisclassificationAttack(PoisoningAttackObjectDetector):
     def __init__(
         self,
         backdoor: PoisoningAttackBackdoor,
-        class_source: int = 0,
+        class_source: Optional[int] = None,
         class_target: int = 1,
         percent_poison: float = 0.3,
         channels_first: bool = False,
@@ -64,7 +64,8 @@ def __init__(
         Creates a new BadDet Regional Misclassification Attack
 
         :param backdoor: the backdoor chosen for this attack.
-        :param class_source: The source class from which triggers were selected.
+        :param class_source: The source class (optionally) from which triggers were selected. If no source is
+                             provided, then all classes will be poisoned.
         :param class_target: The target label to which the poisoned model needs to misclassify.
         :param percent_poison: The ratio of samples to poison in the source class, with range [0, 1].
         :param channels_first: Set channels first or last.
@@ -116,7 +117,7 @@ def poison(  # pylint: disable=W0221
             target_dict = {k: v.copy() for k, v in y_i.items()}
             y_poison.append(target_dict)
 
-            if self.class_source in y_i["labels"]:
+            if self.class_source is None or self.class_source in y_i["labels"]:
                 source_indices.append(i)
 
         # select indices of samples to poison
@@ -130,7 +131,7 @@ def poison(  # pylint: disable=W0221
             labels = y_poison[i]["labels"]
 
             for j, (box, label) in enumerate(zip(boxes, labels)):
-                if label == self.class_source:
+                if self.class_source is None or label == self.class_source:
                     # extract the bounding box from the image
                     x_1, y_1, x_2, y_2 = box.astype(int)
                     bounding_box = image[y_1:y_2, x_1:x_2, :]

art/defences/trainer/ibp_certified_trainer_pytorch.py

@@ -109,8 +109,8 @@ def __init__(
         classifier: "IBP_CERTIFIER_TYPE",
         nb_epochs: Optional[int] = 20,
         bound: float = 0.1,
-        loss_weighting: float = 0.1,
         batch_size: int = 32,
+        loss_weighting: Optional[int] = None,
         use_certification_schedule: bool = True,
         certification_schedule: Optional[Any] = None,
         use_loss_weighting_schedule: bool = True,
@@ -133,9 +133,9 @@ def __init__(
                            * *max_iter*: The maximum number of iterations.
                            * *batch_size*: Size of the batch on which adversarial samples are generated.
                            * *num_random_init*: Number of random initialisations within the epsilon ball.
+        :param loss_weighting: Weighting factor for the certified loss.
         :param bound: The perturbation range for the interval. If the default certification schedule is used
                       will be the upper limit.
-        :param loss_weighting: Weighting factor for the certified loss.
         :param nb_epochs: Number of training epochs.
         :param use_certification_schedule: If to use a training schedule for the certification radius.
         :param certification_schedule: Schedule for gradually increasing the certification radius. Empirical studies
@@ -152,6 +152,14 @@ def __init__(
                 "art.estimators.certification.interval.pytorch.PyTorchIBPClassifier"
             )
 
+        if not use_loss_weighting_schedule and loss_weighting is None:
+            raise ValueError(
+                "If a loss weighting schedule is not used then a value for loss_weighting should be supplied."
+            )
+
+        if use_loss_weighting_schedule and loss_weighting is not None:
+            raise ValueError("Using a loss weighting schedule is incompatible with a fixed loss_weighting.")
+
         super().__init__(classifier=classifier)
         self.classifier: "IBP_CERTIFIER_TYPE"
         self.pgd_params: "PGDParamDict"
@@ -300,8 +308,10 @@ def fit(  # pylint: disable=W0221
                 self.loss_weighting_schedule = self.initialise_default_scheduler(
                     initial_val=0.0, final_val=0.5, epochs=epochs
                 )
+        elif self.loss_weighting is not None:
+            loss_weighting_k = self.loss_weighting
         else:
-            loss_weighting_k = 0.1
+            raise ValueError("Unable to determine loss weighting.")
 
         for _ in tqdm(range(epochs)):
             if self.use_certification_schedule and self.certification_schedule is not None: