Update README and docs with new methods

Author: Irina Nicolae

README.md

@@ -26,13 +26,15 @@ The following **defence** methods are also supported:
 * Virtual adversarial training ([Miyato et al., 2015](https://arxiv.org/abs/1507.00677))
 * Gaussian data augmentation ([Zantedeschi et al., 2017](https://arxiv.org/abs/1707.06728))
 * Thermometer encoding ([Buckman et al., 2018](https://openreview.net/forum?id=S18Su--CW))
+* Total variance minimization ([Guo et al., 2018](https://openreview.net/forum?id=SyJ7ClWCb))
+* JPEG compression ([Dziugaite et al., 2016](https://arxiv.org/abs/1608.00853))
 
 ART also implements **detection** methods of adversarial samples:
 * Basic detector based on inputs
 * Detector trained on the activations of a specific layer
 
 The following **detector of poisoning attacks** is also supported:
-* Detector based on activations analysis
+* Detector based on activations analysis ([Chen et al., 2018](https://arxiv.org/abs/1811.03728))
 
 ## Setup
 

art/defences/__init__.py

@@ -4,6 +4,9 @@
 from art.defences.adversarial_trainer import AdversarialTrainer, StaticAdversarialTrainer
 from art.defences.feature_squeezing import FeatureSqueezing
 from art.defences.gaussian_augmentation import GaussianAugmentation
+from art.defences.jpeg_compression import JpegCompression
 from art.defences.label_smoothing import LabelSmoothing
-from art.defences.spatial_smoothing import SpatialSmoothing
 from art.defences.reverse_sigmoid import ReverseSigmoid
+from art.defences.spatial_smoothing import SpatialSmoothing
+from art.defences.thermometer_encoding import ThermometerEncoding
+from art.defences.variance_minimization import TotalVarMin

art/defences/jpeg_compression.py

@@ -14,7 +14,8 @@
 
 class JpegCompression(Preprocessor):
     """
-    Implement the jpeg compression defence approach.
+    Implement the jpeg compression defence approach. Some related papers: https://arxiv.org/pdf/1705.02900.pdf,
+    https://arxiv.org/abs/1608.00853
     """
     params = ['quality', 'channel_index']
 

art/defences/variance_minimization.py

@@ -13,8 +13,8 @@
 
 class TotalVarMin(Preprocessor):
     """
-    Implement the total variance minimization defence approach. Defence method from
-    https://openreview.net/forum?id=SyJ7ClWCb.
+    Implement the total variance minimization defence approach. Defence method from [Guo et al., 2018].
+    Paper link: https://openreview.net/forum?id=SyJ7ClWCb
     """
     params = ['prob', 'norm', 'lam', 'solver', 'maxiter']
 

art/poison_detection/activation_defence.py

@@ -16,7 +16,8 @@
 
 class ActivationDefence(PoisonFilteringDefence):
     """
-    Class performing Activation Analysis Defence
+    Method from [Chen et al., 2018] performing poisoning detection based on activations clustering.
+    Paper link: https://arxiv.org/abs/1811.03728
     """
     defence_params = ['nb_clusters', 'clustering_method', 'nb_dims', 'reduce', 'cluster_analysis']
     valid_clustering = ['KMeans']
@@ -141,7 +142,7 @@ def analyze_clusters(self, **kwargs):
         :param kwargs: a dictionary of cluster-analysis-specific parameters
         :type kwargs: `dict`
         :return: assigned_clean_by_class, an array of arrays that contains what data points where classified as clean.
-        :rtype: `ndarray`
+        :rtype: `np.ndarray`
         """
         self.set_params(**kwargs)
 
@@ -170,10 +171,9 @@ def visualize_clusters(self, x_raw, save=True, folder='.', **kwargs):
         :type folder: `str`
         :param kwargs: a dictionary of cluster-analysis-specific parameters
         :type kwargs: `dict`
-
-        :return: sprites_by_class: Array with sprite images sprites_by_class, where sprites_by_class[i][j] contains the sprite of
-        class i cluster j.
-        :rtype: sprites_by_class: `ndarray`
+        :return: sprites_by_class: Array with sprite images sprites_by_class, where sprites_by_class[i][j] contains the
+                 sprite of class i cluster j.
+        :rtype: sprites_by_class: `np.ndarray`
         """
         self.set_params(**kwargs)
 
@@ -210,7 +210,7 @@ def set_params(self, **kwargs):
         :param nb_clusters: Number of clusters to be produced. Should be greater than 2.
         :type nb_clusters: `int`
         :param clustering_method: Clustering method to use
-        :type clustering_method: `string`
+        :type clustering_method: `str`
         :param nb_dims: Number of dimensions to project on
         :type nb_dims: `int`
         :param reduce: Reduction technique
@@ -237,7 +237,7 @@ def set_params(self, **kwargs):
 
     def _get_activations(self):
         """
-        Find activations from :class:Classifier
+        Find activations from :class:`Classifier`
         """
         logger.info('Getting activations')
 

docs/index.rst

@@ -16,11 +16,12 @@ The library is still under development. Feedback, bug reports and extensions are
 Supported Attack and Defense Methods
 ------------------------------------
 
-The Adversarial Robustness Toolbox contains implementations of the following attacks:
+The Adversarial Robustness Toolbox contains implementations of the following evasion attacks:
 
 * DeepFool (`Moosavi-Dezfooli et al., 2015`_)
 * Fast gradient method (`Goodfellow et al., 2014`_)
-* Basic Iterative Method (`Kurakin et al., 2016`_)
+* Basic iterative method (`Kurakin et al., 2016`_)
+* Projected gradient descent (`Madry et al., 2017`_)
 * Jacobian saliency map (`Papernot et al., 2016`_)
 * Universal perturbation (`Moosavi-Dezfooli et al., 2016`_)
 * Virtual adversarial method (`Miyato et al., 2015`_)
@@ -35,6 +36,17 @@ The following defense methods are also supported:
 * Adversarial training (`Szegedy et al., 2013`_)
 * Virtual adversarial training (`Miyato et al., 2015`_)
 * Gaussian data augmentation (`Zantedeschi et al., 2017`_)
+* Thermometer encoding (`Buckman et al., 2018`_)
+* Total variance minimization (`Guo et al., 2018`_)
+* JPEG compression (`Dziugaite et al., 2016`_)
+
+ART also implements detection methods of adversarial samples:
+
+* Basic detector based on inputs
+* Detector trained on the activations of a specific layer
+
+The following detector of poisoning attacks is also supported:
+* Detector based on activations analysis (`Chen et al., 2018`_)
 
 
 .. toctree::
@@ -68,6 +80,7 @@ Indices and tables
 .. _Moosavi-Dezfooli et al., 2015: https://arxiv.org/abs/1511.04599
 .. _Goodfellow et al., 2014: https://arxiv.org/abs/1412.6572
 .. _Kurakin et al., 2016: https://arxiv.org/abs/1607.02533
+.. _Madry et al., 2017: https://arxiv.org/abs/1706.06083
 .. _Papernot et al., 2016: https://arxiv.org/abs/1511.07528
 .. _Moosavi-Dezfooli et al., 2016: https://arxiv.org/abs/1610.08401
 .. _Carlini and Wagner, 2016: https://arxiv.org/abs/1608.04644
@@ -77,3 +90,7 @@ Indices and tables
 .. _Szegedy et al., 2013: http://arxiv.org/abs/1312.6199
 .. _Miyato et al., 2015: https://arxiv.org/abs/1507.00677
 .. _Zantedeschi et al., 2017: https://arxiv.org/abs/1707.06728
+.. _Buckman et al., 2018: https://openreview.net/forum?id=S18Su--CW
+.. _Guo et al., 2018: https://openreview.net/forum?id=SyJ7ClWCb
+.. _Dziugaite et al., 2016: https://arxiv.org/abs/1608.00853
+.. _Chen et al., 2018: https://arxiv.org/abs/1811.03728

docs/modules/attacks.rst

@@ -22,6 +22,11 @@ Basic Iterative Method
 .. autoclass:: BasicIterativeMethod
    :members:
 
+Projected Gradient Descent
+--------------------------
+.. autoclass:: ProjectedGradientDescent
+   :members:
+
 Jacobian Saliency Map Attack
 ----------------------------
 .. autoclass:: SaliencyMapMethod
@@ -32,8 +37,8 @@ NewtonFool
 .. autoclass:: NewtonFool
    :members:
 
-Universarsal Perturbation Attack
---------------------------------
+Universal Perturbation Attack
+-----------------------------
 .. autoclass:: UniversalPerturbation
    :members:
 

docs/modules/defences.rst

@@ -35,3 +35,21 @@ Gaussian Data Augmentation
 .. autoclass:: GaussianAugmentation
    :members:
    :special-members:
+
+JPEG Compression
+----------------
+.. autoclass:: JpegCompression
+   :members:
+   :special-members:
+
+Thermometer Encoding
+--------------------
+.. autoclass:: ThermometerEncoding
+   :members:
+   :special-members:
+
+Total Variance Minimization
+---------------------------
+.. autoclass:: TotalVarMin
+   :members:
+   :special-members: