Merge pull request #606 from Trusted-AI/dev_1.4.0

Update to ART 1.4.0

Author: beat-buesser

.dockerIgnore

@@ -1,2 +1,3 @@
-./venv/
-
+./venv*
+.git
+./TMP/

.travis.yml

@@ -17,7 +17,7 @@ jobs:
     - python: 3.7
       env: TENSORFLOW_V=2.2.0 KERAS_V=2.3.1
       script:
-        - (pycodestyle --max-line-length=120 art || exit 0)
+        - (pycodestyle --ignore=C0330,C0415,E203,E231,W503 --max-line-length=120 art || exit 0)
         - (pylint --disable=C0330,C0415,E203,E1136 -rn art || exit 0)
         - (mypy art || exit 0)
         - py.test --pep8 -m pep8
@@ -32,6 +32,3 @@ install:
   - pip install -q pylint pycodestyle
   - pip install -q -r requirements.txt
   - pip list
-
-script:
-  - ./run_tests.sh

AUTHORS

@@ -7,3 +7,4 @@
 - International Business Machines Corporation (IBM)
 - Two Six Labs, LLC
 - Kyushu University
+- Intel Corporation

Dockerfile

@@ -1,11 +1,12 @@
-FROM  tensorflow/tensorflow:2.2.0-py3
+FROM  tensorflow/tensorflow:2.2.0
 RUN pip3 install keras==2.3.1
 #### NOTE: comment these two lines if you wish to use the tensorflow 1 version of ART instead ####
-#FROM tensorflow/tensorflow:1.15.3-py3
+#FROM tensorflow/tensorflow:1.15.2
 #RUN pip3 install keras==2.2.5
 
-RUN pip3 install numpy==1.19.1 scipy==1.4.1 matplotlib==3.3.1 scikit-learn==0.23.2 six==1.15.0 Pillow==7.2.0
+RUN pip3 install numpy==1.19.1 scipy==1.4.1 matplotlib==3.3.1 scikit-learn==0.22.2 six==1.15.0 Pillow==7.2.0
 RUN pip3 install tqdm==4.48.2 statsmodels==0.11.1 pydub==0.24.1 resampy==0.2.2 ffmpeg-python==0.2.0 cma==3.0.3 mypy==0.770
+RUN pip3 install pandas==1.1.1
 
 #TODO check if jupyter notebook works
 RUN pip3 install jupyter==1.0.0 && pip3 install jupyterlab==2.1.0

Makefile

@@ -1,18 +1,25 @@
 PROJECT_HOME_DIR := ${CURDIR}
 
 build:
-    # If you have an existing python env folder make sure to first add it to the `.dockerIgnore` \
+    # Builds a Tensorflow 2 ART docker container
+    # IMPORTANT ! If you have an existing python env folder make sure to first add it to the `.dockerIgnore` \
     to reduce the size of your the art docker image
-	docker build -t project-art-tensorflow .
+	docker build -t project-art-tf2 .
+
+build1:
+	# Builds a Tensorflow 1 ART docker container
+    # IMPORTANT ! If you have an existing python env folder make sure to first add it to the `.dockerIgnore` \
+    to reduce the size of your the art docker image
+	docker build -t project-art-tf1 .
 
 run-bash:
-	docker  run --rm -it --name project-art-run-bash -v ${PWD}:/project/ -v ~/.art/:/root/.art/ project-art-tensorflow  /bin/bash
+	docker  run --rm -it --name project-art-run-bash -v ${PWD}:/project/ -v ~/.art/:/root/.art/ project-art-tf2  /bin/bash
 
 run-test:
-	docker  run --rm --name project-art-run-test -v ${PWD}:/project/ -v ~/.art/:/root/.art/  project-art-tensorflow
+	docker  run --rm --name project-art-run-test -v ${PWD}:/project/ -v ~/.art/:/root/.art/  project-art-tf2
 
 run-pep:
-	docker  run --rm --name project-art-run-pep -v ${PWD}:/project/ -v ~/.art/:/root/.art/ project-art-tensorflow py.test --pep8 -m pep8
+	docker  run --rm --name project-art-run-pep -v ${PWD}:/project/ -v ~/.art/:/root/.art/ project-art-tf2 py.test --pep8 -m pep8
 
 run-jupyter:
-	docker  run --rm  --name project-art-run-jupyter -v ${PWD}:/project/ -v ~/.art/:/root/.art/ -p 8888:8888 project-art-tensorflow jupyter notebook --ip 0.0.0.0 --no-browser --allow-root
+	docker  run --rm  --name project-art-run-jupyter -v ${PWD}:/project/ -v ~/.art/:/root/.art/ -p 8888:8888 project-art-tf2 jupyter notebook --ip 0.0.0.0 --no-browser --allow-root

art/attacks/__init__.py

@@ -2,4 +2,4 @@
 Module providing adversarial attacks under a common interface.
 """
 from art.attacks.attack import Attack, EvasionAttack, PoisoningAttack, PoisoningAttackBlackBox, PoisoningAttackWhiteBox
-from art.attacks.attack import ExtractionAttack, InferenceAttack, AttributeInferenceAttack
+from art.attacks.attack import PoisoningAttackTransformer, ExtractionAttack, InferenceAttack, AttributeInferenceAttack

art/attacks/attack.py

@@ -22,14 +22,14 @@
 
 import abc
 import logging
-from typing import List, Optional, Tuple, TYPE_CHECKING
+from typing import Any, List, Optional, Tuple, Union, TYPE_CHECKING
 
 import numpy as np
 
 from art.exceptions import EstimatorError
 
 if TYPE_CHECKING:
-    from art.estimators.classification.classifier import Classifier
+    from art.utils import CLASSIFIER_TYPE
 
 logger = logging.getLogger(__name__)
 
@@ -90,11 +90,15 @@ class Attack(abc.ABC, metaclass=input_filter):
     """
 
     attack_params: List[str] = list()
+    _estimator_requirements: Optional[Union[Tuple[Any, ...], Tuple[()]]] = None
 
     def __init__(self, estimator):
         """
         :param estimator: An estimator.
         """
+        if self.estimator_requirements is None:
+            raise ValueError("Estimator requirements have not been defined in `_estimator_requirements`.")
+
         if not all(t in type(estimator).__mro__ for t in self.estimator_requirements):
             raise EstimatorError(self.__class__, self.estimator_requirements, estimator)
 
@@ -128,6 +132,10 @@ class EvasionAttack(Attack):
     Abstract base class for evasion attack classes.
     """
 
+    def __init__(self, **kwargs) -> None:
+        self._targeted = False
+        super().__init__(**kwargs)
+
     @abc.abstractmethod
     def generate(  # lgtm [py/inheritance/incorrect-overridden-signature]
         self, x: np.ndarray, y: Optional[np.ndarray] = None, **kwargs
@@ -143,34 +151,77 @@ def generate(  # lgtm [py/inheritance/incorrect-overridden-signature]
         """
         raise NotImplementedError
 
+    @property
+    def targeted(self) -> bool:
+        """
+        Return Boolean if attack is targeted. Return None if not applicable.
+        """
+        return self._targeted
+
+    @targeted.setter
+    def targeted(self, targeted) -> None:
+        self._targeted = targeted
+
 
 class PoisoningAttack(Attack):
     """
     Abstract base class for poisoning attack classes
     """
 
-    def __init__(self, classifier) -> None:
+    def __init__(self, classifier: Optional["CLASSIFIER_TYPE"]) -> None:
+        """
+        :param classifier: A trained classifier (or none if no classifier is needed)
+        """
+        super().__init__(classifier)
+
+    @abc.abstractmethod
+    def poison(self, x: np.ndarray, y=Optional[np.ndarray], **kwargs) -> Tuple[np.ndarray, np.ndarray]:
+        """
+        Generate poisoning examples and return them as an array. This method should be overridden by all concrete
+        poisoning attack implementations.
+
+        :param x: An array with the original inputs to be attacked.
+        :param y:  Target labels for `x`. Untargeted attacks set this value to None.
+        :return: An tuple holding the (poisoning examples, poisoning labels).
+        """
+        raise NotImplementedError
+
+
+class PoisoningAttackTransformer(PoisoningAttack):
+    """
+    Abstract base class for poisoning attack classes that return a transformed classifier.
+    These attacks have an additional method, `poison_estimator`, that returns the poisoned classifier.
+    """
+
+    def __init__(self, classifier: Optional["CLASSIFIER_TYPE"], **kwargs) -> None:
         """
         :param classifier: A trained classifier (or none if no classifier is needed)
-        :type classifier: `art.estimators.classification.Classifier` or `None`
         """
         super().__init__(classifier)
 
     @abc.abstractmethod
-    def poison(self, x, y=None, **kwargs):
+    def poison(self, x: np.ndarray, y=Optional[np.ndarray], **kwargs) -> Tuple[np.ndarray, np.ndarray]:
         """
         Generate poisoning examples and return them as an array. This method should be overridden by all concrete
         poisoning attack implementations.
 
         :param x: An array with the original inputs to be attacked.
-        :type x: `np.ndarray`
         :param y:  Target labels for `x`. Untargeted attacks set this value to None.
-        :type y: `np.ndarray`
         :return: An tuple holding the (poisoning examples, poisoning labels).
         :rtype: `(np.ndarray, np.ndarray)`
         """
         raise NotImplementedError
 
+    @abc.abstractmethod
+    def poison_estimator(self, x: np.ndarray, y: np.ndarray, **kwargs) -> "CLASSIFIER_TYPE":
+        """
+        Returns a poisoned version of the classifier used to initialize the attack
+        :param x: Training data
+        :param y: Training labels
+        :return: A poisoned classifier
+        """
+        raise NotImplementedError
+
 
 class PoisoningAttackBlackBox(PoisoningAttack):
     """
@@ -221,7 +272,7 @@ class ExtractionAttack(Attack):
     """
 
     @abc.abstractmethod
-    def extract(self, x: np.ndarray, y: Optional[np.ndarray] = None, **kwargs) -> "Classifier":
+    def extract(self, x: np.ndarray, y: Optional[np.ndarray] = None, **kwargs) -> "CLASSIFIER_TYPE":
         """
         Extract models and return them as an ART classifier. This method should be overridden by all concrete extraction
         attack implementations.
@@ -292,7 +343,7 @@ def set_params(self, **kwargs) -> None:
         Take in a dictionary of parameters and applies attack-specific checks before saving them as attributes.
         """
         # Save attack-specific parameters
-        super(AttributeInferenceAttack, self).set_params(**kwargs)
+        super().set_params(**kwargs)
         self._check_params()
 
     def _check_params(self) -> None:

art/attacks/evasion/__init__.py

@@ -27,6 +27,7 @@
 from art.attacks.evasion.saliency_map import SaliencyMapMethod
 from art.attacks.evasion.spatial_transformation import SpatialTransformation
 from art.attacks.evasion.universal_perturbation import UniversalPerturbation
+from art.attacks.evasion.targeted_universal_perturbation import TargetedUniversalPerturbation
 from art.attacks.evasion.virtual_adversarial import VirtualAdversarialMethod
 from art.attacks.evasion.wasserstein import Wasserstein
 from art.attacks.evasion.zoo import ZooAttack
@@ -39,3 +40,6 @@
 from art.attacks.evasion.auto_attack import AutoAttack
 from art.attacks.evasion.auto_projected_gradient_descent import AutoProjectedGradientDescent
 from art.attacks.evasion.square_attack import SquareAttack
+from art.attacks.evasion.simba import SimBA
+from art.attacks.evasion.shapeshifter import ShapeShifter
+from art.attacks.evasion.imperceptible_asr.imperceptible_asr_pytorch import ImperceptibleASRPytorch

art/attacks/evasion/adversarial_patch/adversarial_patch.py

@@ -24,21 +24,21 @@
 from __future__ import absolute_import, division, print_function, unicode_literals
 
 import logging
-from typing import Optional, Tuple, Union
+from typing import Optional, Tuple, Union, TYPE_CHECKING
 
 import numpy as np
 
 from art.attacks.evasion.adversarial_patch.adversarial_patch_numpy import AdversarialPatchNumpy
 from art.attacks.evasion.adversarial_patch.adversarial_patch_tensorflow import AdversarialPatchTensorFlowV2
 from art.estimators.estimator import BaseEstimator, NeuralNetworkMixin
-from art.estimators.classification.classifier import (
-    ClassifierMixin,
-    ClassifierNeuralNetwork,
-    ClassifierGradients,
-)
+from art.estimators.classification.classifier import ClassifierMixin
+
 from art.estimators.classification import TensorFlowV2Classifier
 from art.attacks.attack import EvasionAttack
 
+if TYPE_CHECKING:
+    from art.utils import CLASSIFIER_NEURALNETWORK_TYPE
+
 logger = logging.getLogger(__name__)
 
 
@@ -62,7 +62,7 @@ class AdversarialPatch(EvasionAttack):
 
     def __init__(
         self,
-        classifier: Union[ClassifierNeuralNetwork, ClassifierGradients],
+        classifier: "CLASSIFIER_NEURALNETWORK_TYPE",
         rotation_max: float = 22.5,
         scale_min: float = 0.1,
         scale_max: float = 1.0,
@@ -88,7 +88,7 @@ def __init__(
                             Currently only supported for `TensorFlowV2Classifier`. For classifiers of other frameworks
                             the `patch_shape` is set to the shape of the input samples.
         """
-        super(AdversarialPatch, self).__init__(estimator=classifier)
+        super().__init__(estimator=classifier)
         if self.estimator.clip_values is None:
             raise ValueError("Adversarial Patch attack requires a classifier with clip_values.")
 

art/attacks/evasion/adversarial_patch/adversarial_patch_numpy.py

@@ -25,7 +25,7 @@
 
 import logging
 import math
-from typing import Optional, Union, Tuple
+from typing import Optional, Union, Tuple, TYPE_CHECKING
 
 import random
 import numpy as np
@@ -34,13 +34,12 @@
 
 from art.attacks.attack import EvasionAttack
 from art.estimators.estimator import BaseEstimator, NeuralNetworkMixin
-from art.estimators.classification.classifier import (
-    ClassifierMixin,
-    ClassifierNeuralNetwork,
-    ClassifierGradients,
-)
+from art.estimators.classification.classifier import ClassifierMixin
 from art.utils import check_and_transform_label_format
 
+if TYPE_CHECKING:
+    from art.utils import CLASSIFIER_NEURALNETWORK_TYPE
+
 logger = logging.getLogger(__name__)
 
 
@@ -64,7 +63,7 @@ class AdversarialPatchNumpy(EvasionAttack):
 
     def __init__(
         self,
-        classifier: Union[ClassifierNeuralNetwork, ClassifierGradients],
+        classifier: "CLASSIFIER_NEURALNETWORK_TYPE",
         target: int = 0,
         rotation_max: float = 22.5,
         scale_min: float = 0.1,
@@ -91,7 +90,7 @@ def __init__(
                [(float, float), (float, float), (float, float)].
         :param batch_size: The size of the training batch.
         """
-        super(AdversarialPatchNumpy, self).__init__(estimator=classifier)
+        super().__init__(estimator=classifier)
 
         self.target = target
         self.rotation_max = rotation_max
@@ -222,17 +221,17 @@ def _check_params(self) -> None:
 
         if not isinstance(self.learning_rate, float):
             raise ValueError("The learning rate must be of type float.")
-        if not self.learning_rate > 0.0:
+        if self.learning_rate <= 0.0:
             raise ValueError("The learning rate must be greater than 0.0.")
 
         if not isinstance(self.max_iter, int):
             raise ValueError("The number of optimization steps must be of type int.")
-        if not self.max_iter > 0:
+        if self.max_iter <= 0:
             raise ValueError("The number of optimization steps must be greater than 0.")
 
         if not isinstance(self.batch_size, int):
             raise ValueError("The batch size must be of type int.")
-        if not self.batch_size > 0:
+        if self.batch_size <= 0:
             raise ValueError("The batch size must be greater than 0.")
 
     def _get_circular_patch_mask(self, sharpness: int = 40) -> np.ndarray:
@@ -261,14 +260,14 @@ def _get_circular_patch_mask(self, sharpness: int = 40) -> np.ndarray:
 
         if self.estimator.channels_first:
             if self.nb_dims == 3:
-                pad_width = ((0, 0), (pad_h_before, pad_h_after), (pad_w_before, pad_w_after))
+                pad_width = ((0, 0), (pad_h_before, pad_h_after), (pad_w_before, pad_w_after))  # type: ignore
             elif self.nb_dims == 4:
-                pad_width = ((0, 0), (0, 0), (pad_h_before, pad_h_after), (pad_w_before, pad_w_after))
+                pad_width = ((0, 0), (0, 0), (pad_h_before, pad_h_after), (pad_w_before, pad_w_after))  # type: ignore
         else:
             if self.nb_dims == 3:
-                pad_width = ((pad_h_before, pad_h_after), (pad_w_before, pad_w_after), (0, 0))
+                pad_width = ((pad_h_before, pad_h_after), (pad_w_before, pad_w_after), (0, 0))  # type: ignore
             elif self.nb_dims == 4:
-                pad_width = ((0, 0), (pad_h_before, pad_h_after), (pad_w_before, pad_w_after), (0, 0))
+                pad_width = ((0, 0), (pad_h_before, pad_h_after), (pad_w_before, pad_w_after), (0, 0))  # type: ignore
 
         mask = np.pad(mask, pad_width=pad_width, mode="constant", constant_values=(0, 0),)