Trusted-AI
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 17 additions & 8 deletions b/‎.github/workflows/ci.yml‎
Lines changed: 17 additions & 8 deletions
diff --git a/‎CODE_OF_CONDUCT.md‎
Lines changed: 2 additions & 2 deletions b/‎CODE_OF_CONDUCT.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎Makefile‎
Lines changed: 2 additions & 2 deletions b/‎Makefile‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎art/attacks/attack.py‎
Lines changed: 1 addition & 5 deletions b/‎art/attacks/attack.py‎
Lines changed: 1 addition & 5 deletions
diff --git a/‎art/attacks/evasion/__init__.py‎
Lines changed: 15 additions & 14 deletions b/‎art/attacks/evasion/__init__.py‎
Lines changed: 15 additions & 14 deletions
diff --git a/‎art/attacks/evasion/boundary.py‎
Lines changed: 23 additions & 16 deletions b/‎art/attacks/evasion/boundary.py‎
Lines changed: 23 additions & 16 deletions
diff --git a/‎art/attacks/evasion/brendel_bethge.py‎
Lines changed: 4 additions & 11 deletions b/‎art/attacks/evasion/brendel_bethge.py‎
Lines changed: 4 additions & 11 deletions
diff --git a/‎art/attacks/evasion/dpatch.py‎
Lines changed: 2 additions & 2 deletions b/‎art/attacks/evasion/dpatch.py‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎art/attacks/evasion/dpatch_robust.py‎
Lines changed: 6 additions & 14 deletions b/‎art/attacks/evasion/dpatch_robust.py‎
Lines changed: 6 additions & 14 deletions
diff --git a/‎art/attacks/evasion/feature_adversaries.py‎
Lines changed: 0 additions & 4 deletions b/‎art/attacks/evasion/feature_adversaries.py‎
Lines changed: 0 additions & 4 deletions
@@ -37,16 +37,22 @@ jobs:
             tensorflow: 2.2.0
             tf_version: v2
             keras: 2.3.1
+          - name: TensorFlow 2.2.0v1 (Keras 2.3.1 Python 3.7)
+            framework: tensorflow2v1
+            python: 3.7
+            tensorflow: 2.2.0
+            tf_version: v2
+            keras: 2.3.1
           - name: TensorFlow 2.3.1 (Keras 2.4.3 Python 3.7)
             framework: tensorflow
             python: 3.7
             tensorflow: 2.3.1
             tf_version: v2
             keras: 2.4.3
-          - name: TensorFlow 2.4.0rc2 (Keras 2.4.3 Python 3.8)
+          - name: TensorFlow 2.4.0rc3 (Keras 2.4.3 Python 3.8)
             framework: tensorflow
             python: 3.8
-            tensorflow: 2.4.0rc1
+            tensorflow: 2.4.0rc3
             tf_version: v2
             keras: 2.4.3
           - name: Keras 2.3.1 (TensorFlow 2.2.1 Python 3.7)
@@ -94,27 +100,30 @@ jobs:
         uses: actions/setup-python@v2
         with:
           python-version: ${{ matrix.python }}
+      - name: Install Dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get -y -q install ffmpeg libavcodec-extra
+          python -m pip install --upgrade pip setuptools wheel
+          pip3 install -q -r requirements.txt
+          pip list
       - name: Pre-install legacy
         if: ${{ matrix.framework == 'legacy' }}
         run: |
           pip install tensorflow==${{ matrix.tensorflow }}
           pip install keras==${{ matrix.keras }}
           pip install scikit-learn==${{ matrix.scikit-learn }}
+          pip list
       - name: Pre-install tensorflow
         if: ${{ matrix.framework == 'tensorflow' || matrix.framework == 'keras' || matrix.framework == 'kerastf' }}
         run: |
           pip install tensorflow==${{ matrix.tensorflow }}
           pip install keras==${{ matrix.keras }}
+          pip list
       - name: Pre-install scikit-learn
         if: ${{ matrix.framework == 'scikitlearn' }}
         run: |
           pip install scikit-learn==${{ matrix.scikit-learn }}
-      - name: Install Dependencies
-        run: |
-          sudo apt-get update
-          sudo apt-get -y -q install ffmpeg libavcodec-extra
-          python -m pip install --upgrade pip setuptools wheel
-          pip3 install -q -r requirements.txt
           pip list
       - name: Run ${{ matrix.name }} Tests
         run: ./run_tests.sh ${{ matrix.framework }}
 
@@ -1,5 +1,5 @@
-The Adversarial Robustness Toolbox is dedicated to providing a harassment-free experience for everyone, regardless of gender, gender identity and expression, sexual orientation, disability, physical appearance, body size, age, race, or religion. We do not tolerate harassment of participants in any form.
+The Adversarial Robustness Toolbox (ART) is dedicated to providing a harassment-free experience for everyone, regardless of gender, gender identity and expression, sexual orientation, disability, physical appearance, body size, age, race, or religion. We do not tolerate harassment of participants in any form.
 
-This code of conduct applies to all Adversarial Robustness Toolbox spaces, both online and off. Anyone who violates this code of conduct may be sanctioned or expelled from these spaces at the discretion of the IBM Research AI team.
+This code of conduct applies to all Adversarial Robustness Toolbox spaces, both online and off. Anyone who violates this code of conduct may be sanctioned or expelled from these spaces at the discretion of the Trusted-AI team.
 
 We may add additional rules over time, which will be made clearly available to participants. Participants are responsible for knowing and abiding by these rules.
@@ -1,13 +1,13 @@
 PROJECT_HOME_DIR := ${CURDIR}
 
 build:
-    # Builds a Tensorflow 2 ART docker container
+    # Builds a TensorFlow 2 ART docker container
     # IMPORTANT ! If you have an existing python env folder make sure to first add it to the `.dockerIgnore` \
     to reduce the size of your the art docker image
 	docker build -t project-art-tf2 .
 
 build1:
-	# Builds a Tensorflow 1 ART docker container
+	# Builds a TensorFlow 1 ART docker container
     # IMPORTANT ! If you have an existing python env folder make sure to first add it to the `.dockerIgnore` \
     to reduce the size of your the art docker image
 	docker build -t project-art-tf1 .
 
@@ -317,7 +317,7 @@ class AttributeInferenceAttack(InferenceAttack):
 
     attack_params = InferenceAttack.attack_params + ["attack_feature"]
 
-    def __init__(self, estimator, attack_feature: int = 0):
+    def __init__(self, estimator, attack_feature: Union[int, slice] = 0):
         """
         :param estimator: A trained estimator targeted for inference attack.
         :type estimator: :class:`.art.estimators.estimator.BaseEstimator`
@@ -346,10 +346,6 @@ def set_params(self, **kwargs) -> None:
         super().set_params(**kwargs)
         self._check_params()
 
-    def _check_params(self) -> None:
-        if self.attack_feature < 0:
-            raise ValueError("Attack feature must be positive.")
-
 
 class ReconstructionAttack(Attack):
     """
 
@@ -4,16 +4,26 @@
 from art.attacks.evasion.adversarial_patch.adversarial_patch import AdversarialPatch
 from art.attacks.evasion.adversarial_patch.adversarial_patch_numpy import AdversarialPatchNumpy
 from art.attacks.evasion.adversarial_patch.adversarial_patch_tensorflow import AdversarialPatchTensorFlowV2
+from art.attacks.evasion.auto_attack import AutoAttack
+from art.attacks.evasion.auto_projected_gradient_descent import AutoProjectedGradientDescent
+from art.attacks.evasion.brendel_bethge import BrendelBethgeAttack
 from art.attacks.evasion.boundary import BoundaryAttack
 from art.attacks.evasion.carlini import CarliniL2Method, CarliniLInfMethod
 from art.attacks.evasion.decision_tree_attack import DecisionTreeAttack
 from art.attacks.evasion.deepfool import DeepFool
+from art.attacks.evasion.dpatch import DPatch
+from art.attacks.evasion.dpatch_robust import RobustDPatch
 from art.attacks.evasion.elastic_net import ElasticNet
 from art.attacks.evasion.fast_gradient import FastGradientMethod
+from art.attacks.evasion.frame_saliency import FrameSaliencyAttack
+from art.attacks.evasion.feature_adversaries import FeatureAdversaries
 from art.attacks.evasion.hclu import HighConfidenceLowUncertainty
 from art.attacks.evasion.hop_skip_jump import HopSkipJump
+from art.attacks.evasion.imperceptible_asr.imperceptible_asr import ImperceptibleASR
+from art.attacks.evasion.imperceptible_asr.imperceptible_asr_pytorch import ImperceptibleASRPyTorch
 from art.attacks.evasion.iterative_method import BasicIterativeMethod
 from art.attacks.evasion.newtonfool import NewtonFool
+from art.attacks.evasion.pixel_threshold import PixelAttack
 from art.attacks.evasion.projected_gradient_descent.projected_gradient_descent import ProjectedGradientDescent
 from art.attacks.evasion.projected_gradient_descent.projected_gradient_descent_numpy import (
     ProjectedGradientDescentNumpy,
@@ -25,23 +35,14 @@
     ProjectedGradientDescentTensorFlowV2,
 )
 from art.attacks.evasion.saliency_map import SaliencyMapMethod
+from art.attacks.evasion.shadow_attack import ShadowAttack
+from art.attacks.evasion.shapeshifter import ShapeShifter
+from art.attacks.evasion.simba import SimBA
 from art.attacks.evasion.spatial_transformation import SpatialTransformation
+from art.attacks.evasion.square_attack import SquareAttack
+from art.attacks.evasion.pixel_threshold import ThresholdAttack
 from art.attacks.evasion.universal_perturbation import UniversalPerturbation
 from art.attacks.evasion.targeted_universal_perturbation import TargetedUniversalPerturbation
 from art.attacks.evasion.virtual_adversarial import VirtualAdversarialMethod
 from art.attacks.evasion.wasserstein import Wasserstein
 from art.attacks.evasion.zoo import ZooAttack
-from art.attacks.evasion.pixel_threshold import PixelAttack
-from art.attacks.evasion.pixel_threshold import ThresholdAttack
-from art.attacks.evasion.frame_saliency import FrameSaliencyAttack
-from art.attacks.evasion.feature_adversaries import FeatureAdversaries
-from art.attacks.evasion.dpatch import DPatch
-from art.attacks.evasion.shadow_attack import ShadowAttack
-from art.attacks.evasion.auto_attack import AutoAttack
-from art.attacks.evasion.auto_projected_gradient_descent import AutoProjectedGradientDescent
-from art.attacks.evasion.square_attack import SquareAttack
-from art.attacks.evasion.simba import SimBA
-from art.attacks.evasion.shapeshifter import ShapeShifter
-from art.attacks.evasion.imperceptible_asr.imperceptible_asr_pytorch import ImperceptibleASRPytorch
-from art.attacks.evasion.brendel_bethge import BrendelBethgeAttack
-from art.attacks.evasion.dpatch_robust import RobustDPatch
 
@@ -27,7 +27,7 @@
 from typing import Optional, Tuple, TYPE_CHECKING
 
 import numpy as np
-from tqdm import tqdm
+from tqdm import tqdm, trange
 
 from art.attacks.attack import EvasionAttack
 from art.config import ART_NUMPY_DTYPE
@@ -75,6 +75,7 @@ def __init__(
         num_trial: int = 25,
         sample_size: int = 20,
         init_size: int = 100,
+        min_epsilon: Optional[float] = None,
         verbose: bool = True,
     ) -> None:
         """
@@ -89,6 +90,7 @@ def __init__(
         :param num_trial: Maximum number of trials per iteration.
         :param sample_size: Number of samples per trial.
         :param init_size: Maximum number of trials for initial generation of adversarial examples.
+        :param min_epsilon: Stop attack if perturbation is smaller than `min_epsilon`.
         :param verbose: Show progress bars.
         """
         super().__init__(estimator=estimator)
@@ -101,10 +103,13 @@ def __init__(
         self.num_trial = num_trial
         self.sample_size = sample_size
         self.init_size = init_size
+        self.min_epsilon = min_epsilon
         self.batch_size = 1
         self.verbose = verbose
         self._check_params()
 
+        self.curr_adv = None
+
     def generate(self, x: np.ndarray, y: Optional[np.ndarray] = None, **kwargs) -> np.ndarray:
         """
         Generate adversarial samples and return them in an array.
@@ -230,8 +235,10 @@ def _attack(
         self.curr_delta = initial_delta
         self.curr_epsilon = initial_epsilon
 
+        self.curr_adv = x_adv
+
         # Main loop to wander around the boundary
-        for _ in range(self.max_iter):
+        for _ in trange(self.max_iter, desc="Boundary attack - iterations", disable=not self.verbose):
             # Trust region method to adjust delta
             for _ in range(self.num_trial):
                 potential_advs = []
@@ -273,11 +280,15 @@ def _attack(
 
                 if epsilon_ratio > 0:
                     x_adv = potential_advs[np.where(satisfied)[0][0]]
+                    self.curr_adv = x_adv
                     break
             else:
                 logger.warning("Adversarial example found but not optimal.")
                 return x_advs[0]
 
+            if self.min_epsilon is not None and self.curr_epsilon < self.min_epsilon:
+                return x_adv
+
         return x_adv
 
     def _orthogonal_perturb(self, delta: float, current_sample: np.ndarray, original_sample: np.ndarray) -> np.ndarray:
@@ -299,20 +310,13 @@ def _orthogonal_perturb(self, delta: float, current_sample: np.ndarray, original
         # Project the perturbation onto sphere
         direction = original_sample - current_sample
 
-        if len(self.estimator.input_shape) == 3:
-            channel_index = 1 if self.estimator.channels_first else 3
-            perturb = np.swapaxes(perturb, 0, channel_index - 1)
-            direction = np.swapaxes(direction, 0, channel_index - 1)
-            for i in range(direction.shape[0]):
-                direction[i] /= np.linalg.norm(direction[i])
-                perturb[i] -= np.dot(np.dot(perturb[i], direction[i].T), direction[i])
-
-            perturb = np.swapaxes(perturb, 0, channel_index - 1)
-        elif len(self.estimator.input_shape) == 1:
-            direction /= np.linalg.norm(direction)
-            perturb -= np.dot(perturb, direction.T) * direction
-        else:
-            raise ValueError("Input shape not recognised.")
+        direction_flat = direction.flatten()
+        perturb_flat = perturb.flatten()
+
+        direction_flat /= np.linalg.norm(direction_flat)
+        perturb_flat -= np.dot(perturb_flat, direction_flat.T) * direction_flat
+        perturb = perturb_flat.reshape(self.estimator.input_shape)
+
         hypotenuse = np.sqrt(1 + delta ** 2)
         perturb = ((1 - hypotenuse) * (current_sample - original_sample) + perturb) / hypotenuse
         return perturb
@@ -403,5 +407,8 @@ def _check_params(self) -> None:
         if self.step_adapt <= 0 or self.step_adapt >= 1:
             raise ValueError("The adaptation factor must be in the range (0, 1).")
 
+        if self.min_epsilon is not None and (isinstance(self.min_epsilon, float) or self.min_epsilon <= 0):
+            raise ValueError("The minimum epsilon must be a positive float.")
+
         if not isinstance(self.verbose, bool):
             raise ValueError("The argument `verbose` has to be of type bool.")
@@ -2104,17 +2104,10 @@ def generate(
         """
         Applies the Brendel & Bethge attack.
 
-        Parameters
-        ----------
-        inputs : Tensor that matches model type
-            The original clean inputs.
-        criterion : Callable
-            A callable that returns true if the given logits of perturbed
-            inputs should be considered adversarial w.r.t. to the given labels
-            and unperturbed inputs.
-        starting_point : Tensor of same type and shape as inputs
-            Adversarial inputs to use as a starting points, in particular
-            for targeted attacks.
+        :param x: The original clean inputs.
+        :param y: The labels for inputs `x`.
+        :param starting_points: Adversarial inputs to use as a starting points, in particular for targeted attacks.
+        :param early_stop: Early-stopping criteria.
         """
         originals = x.copy()
 
 
@@ -225,7 +225,7 @@ def generate(
         return self._patch
 
     @staticmethod
-    @deprecated_keyword_arg("channel_index", end_version="1.5.0", replaced_by="channels_first")
+    @deprecated_keyword_arg("channel_index", end_version="1.6.0", replaced_by="channels_first")
     def _augment_images_with_patch(
         x: np.ndarray,
         patch: np.ndarray,
@@ -249,7 +249,7 @@ def _augment_images_with_patch(
                      center location of the patch during sampling.
         :type mask: `np.ndarray`
         """
-        # Remove in 1.5.0
+        # Remove in 1.6.0
         if channel_index == 3:
             channels_first = False
         elif channel_index == 1:
 
@@ -170,10 +170,7 @@ def generate(self, x: np.ndarray, y: Optional[np.ndarray] = None, **kwargs) -> n
                         x[i_batch_start:i_batch_end], self._patch, channels_first=self.estimator.channels_first
                     )
 
-                    gradients = self.estimator.loss_gradient(
-                        x=patched_images,
-                        y=patch_target,
-                    )
+                    gradients = self.estimator.loss_gradient(x=patched_images, y=patch_target,)
 
                     gradients = self._untransform_gradients(
                         gradients, transforms, channels_first=self.estimator.channels_first
@@ -191,9 +188,7 @@ def generate(self, x: np.ndarray, y: Optional[np.ndarray] = None, **kwargs) -> n
 
             if self.estimator.clip_values is not None:
                 self._patch = np.clip(
-                    self._patch,
-                    a_min=self.estimator.clip_values[0],
-                    a_max=self.estimator.clip_values[1],
+                    self._patch, a_min=self.estimator.clip_values[0], a_max=self.estimator.clip_values[1],
                 )
 
         return self._patch
@@ -209,7 +204,7 @@ def _augment_images_with_patch(
         :param channels_first: Set channels first or last.
         """
 
-        transformations = dict()
+        transformations: Dict[str, Union[float, int]] = dict()
         x_copy = x.copy()
         patch_copy = patch.copy()
         x_patch = x.copy()
@@ -267,10 +262,7 @@ def _augment_images_with_patch(
         return x_patch, patch_target, transformations
 
     def _untransform_gradients(
-        self,
-        gradients: np.ndarray,
-        transforms: Dict[str, Union[int, float]],
-        channels_first: bool,
+        self, gradients: np.ndarray, transforms: Dict[str, Union[int, float]], channels_first: bool,
     ) -> np.ndarray:
         """
         Revert transformation on gradients.
@@ -291,8 +283,8 @@ def _untransform_gradients(
         gradients = np.rot90(gradients, rot90, (1, 2))
 
         # Account for cropping when considering the upper left point of the patch:
-        x_1 = self.patch_location[0] - transforms["crop_x"]
-        y_1 = self.patch_location[1] - transforms["crop_y"]
+        x_1 = self.patch_location[0] - int(transforms["crop_x"])
+        y_1 = self.patch_location[1] - int(transforms["crop_y"])
         x_2 = x_1 + self.patch_shape[0]
         y_2 = y_1 + self.patch_shape[1]
         gradients = gradients[:, x_1:x_2, y_1:y_2, :]
 
@@ -83,8 +83,6 @@ def generate(self, x: np.ndarray, y: Optional[np.ndarray] = None, **kwargs) -> n
                        `scipy.optimize.show_options(solver='minimize', method='L-BFGS-B')`:
                        Minimize a scalar function of one or more variables using the L-BFGS-B algorithm.
 
-                       Options
-                       -------
                        disp : None or int
                            If `disp is None` (the default), then the supplied version of `iprint`
                            is used. If `disp is not None`, then it overrides the supplied version
@@ -120,8 +118,6 @@ def generate(self, x: np.ndarray, y: Optional[np.ndarray] = None, **kwargs) -> n
                        maxls : int, optional
                            Maximum number of line search steps (per iteration). Default is 20.
 
-                       Notes
-                       -----
                        The option `ftol` is exposed via the `scipy.optimize.minimize` interface,
                        but calling `scipy.optimize.fmin_l_bfgs_b` directly exposes `factr`. The
                        relationship between the two is ``ftol = factr * numpy.finfo(float).eps``.