Merge branch 'dev_1.17.0' into hf_notebook_dev

Author: beat-buesser

art/attacks/evasion/__init__.py

@@ -18,6 +18,7 @@
     from art.attacks.evasion.brendel_bethge import BrendelBethgeAttack
 
 from art.attacks.evasion.boundary import BoundaryAttack
+from art.attacks.evasion.composite_adversarial_attack import CompositeAdversarialAttackPyTorch
 from art.attacks.evasion.carlini import CarliniL2Method, CarliniLInfMethod, CarliniL0Method
 from art.attacks.evasion.decision_tree_attack import DecisionTreeAttack
 from art.attacks.evasion.deepfool import DeepFool

art/attacks/evasion/composite_adversarial_attack.py

@@ -155,7 +155,7 @@ def _random_extraction(self, x: np.ndarray, thieved_classifier: "CLASSIFIER_TYPE
             y=fake_labels,
             batch_size=self.batch_size_fit,
             nb_epochs=self.nb_epochs,
-            verbose=0,
+            verbose=False,
         )
 
         return thieved_classifier
@@ -243,7 +243,7 @@ def _adaptive_extraction(
                 y=fake_label,
                 batch_size=self.batch_size_fit,
                 nb_epochs=1,
-                verbose=0,
+                verbose=False,
             )
 
             # Test new labels

art/attacks/extraction/knockoff_nets.py

@@ -360,7 +360,7 @@ def _create_model(
             for layer in model_pt.model.children():
                 if hasattr(layer, "reset_parameters"):
                     layer.reset_parameters()  # type: ignore
-            model_pt.fit(x_train, y_train, batch_size=batch_size, nb_epochs=epochs, verbose=1)
+            model_pt.fit(x_train, y_train, batch_size=batch_size, nb_epochs=epochs, verbose=True)
             predictions = model_pt.predict(x_test)
             accuracy = np.sum(np.argmax(predictions, axis=1) == np.argmax(y_test, axis=1)) / len(y_test)
             logger.info("Accuracy of retrained model : %s", accuracy * 100.0)
@@ -370,7 +370,7 @@ def _create_model(
 
             self.substitute_classifier.model.trainable = True
             model_tf = self.substitute_classifier.clone_for_refitting()
-            model_tf.fit(x_train, y_train, batch_size=batch_size, nb_epochs=epochs, verbose=0)
+            model_tf.fit(x_train, y_train, batch_size=batch_size, nb_epochs=epochs, verbose=False)
             predictions = model_tf.predict(x_test)
             accuracy = np.sum(np.argmax(predictions, axis=1) == np.argmax(y_test, axis=1)) / len(y_test)
             logger.info("Accuracy of retrained model : %s", accuracy * 100.0)

art/attacks/inference/membership_inference/black_box.py

@@ -695,7 +695,9 @@ def _get_activations(self, x_train: Optional[np.ndarray] = None) -> np.ndarray:
 
         # wrong way to get activations activations = self.classifier.predict(self.x_train)
         if isinstance(activations, np.ndarray):
-            nodes_last_layer = np.shape(activations)[1]
+            # flatten activations across batch
+            activations = np.reshape(activations, (activations.shape[0], -1))
+            nodes_last_layer = activations.shape[1]
         else:
             raise ValueError("activations is None or tensor.")
 

art/attacks/poisoning/sleeper_agent_attack.py

@@ -121,6 +121,8 @@ def detect_poison(self, **kwargs) -> Tuple[dict, List[int]]:
             raise ValueError("Wrong type detected.")
 
         if features_x_poisoned is not None:
+            # flatten activations across batch
+            features_x_poisoned = np.reshape(features_x_poisoned, (features_x_poisoned.shape[0], -1))
             features_split = segment_by_class(features_x_poisoned, self.y_train, self.classifier.nb_classes)
         else:
             raise ValueError("Activation are `None`.")

art/defences/detector/poison/activation_defence.py

@@ -188,7 +188,9 @@ def fit_generator(self, generator: "DataGenerator", nb_epochs: int = 20, **kwarg
                     x_batch[adv_ids] = x_adv
 
                 # Fit batch
-                self._classifier.fit(x_batch, y_batch, nb_epochs=1, batch_size=x_batch.shape[0], verbose=0, **kwargs)
+                self._classifier.fit(
+                    x_batch, y_batch, nb_epochs=1, batch_size=x_batch.shape[0], verbose=False, **kwargs
+                )
                 attack_id = (attack_id + 1) % len(self.attacks)
 
     def fit(  # pylint: disable=W0221
@@ -260,7 +262,9 @@ def fit(  # pylint: disable=W0221
                     x_batch[adv_ids] = x_adv
 
                 # Fit batch
-                self._classifier.fit(x_batch, y_batch, nb_epochs=1, batch_size=x_batch.shape[0], verbose=0, **kwargs)
+                self._classifier.fit(
+                    x_batch, y_batch, nb_epochs=1, batch_size=x_batch.shape[0], verbose=False, **kwargs
+                )
                 attack_id = (attack_id + 1) % len(self.attacks)
 
     def predict(self, x: np.ndarray, **kwargs) -> np.ndarray:

art/defences/detector/poison/spectral_signature_defense.py

@@ -155,7 +155,7 @@ def fit(  # pylint: disable=W0221
                 x_aug = self._generate_noise(x_aug)
 
                 # fit batch
-                self._classifier.fit(x_aug, y_aug, nb_epochs=1, batch_size=x_aug.shape[0], verbose=0, **kwargs)
+                self._classifier.fit(x_aug, y_aug, nb_epochs=1, batch_size=x_aug.shape[0], verbose=False, **kwargs)
 
                 # get metrics
                 loss = self._classifier.compute_loss(x_aug, y_aug, reduction="mean")
@@ -234,7 +234,7 @@ def fit_generator(self, generator: "DataGenerator", nb_epochs: int = 20, **kwarg
                 x_aug = self._generate_noise(x_aug)
 
                 # fit batch
-                self._classifier.fit(x_aug, y_aug, nb_epochs=1, batch_size=x_aug.shape[0], verbose=0, **kwargs)
+                self._classifier.fit(x_aug, y_aug, nb_epochs=1, batch_size=x_aug.shape[0], verbose=False, **kwargs)
 
                 # get metrics
                 loss = self._classifier.compute_loss(x_aug, y_aug, reduction="mean")

art/defences/trainer/adversarial_trainer.py

@@ -438,7 +438,7 @@ def fit(  # pylint: disable=W0221
         training_mode: bool = True,
         drop_last: bool = False,
         scheduler: Optional[Any] = None,
-        verbose: Optional[Union[bool, int]] = None,
+        verbose: bool = False,
         update_batchnorm: bool = True,
         batchnorm_update_epochs: int = 1,
         transform: Optional["torchvision.transforms.transforms.Compose"] = None,
@@ -457,7 +457,7 @@ def fit(  # pylint: disable=W0221
                           the batch size. If ``False`` and the size of dataset is not divisible by the batch size, then
                           the last batch will be smaller. (default: ``False``)
         :param scheduler: Learning rate scheduler to run at the start of every epoch.
-        :param verbose: if to display training progress bars
+        :param verbose: Display training progress bar.
         :param update_batchnorm: ViT specific argument.
                                  If to run the training data through the model to update any batch norm statistics prior
                                  to training. Useful on small datasets when using pre-trained ViTs.
@@ -469,8 +469,6 @@ def fit(  # pylint: disable=W0221
         """
         import torch
 
-        display_pb = self.process_verbose(verbose)
-
         # Set model mode
         self._model.train(mode=training_mode)
 
@@ -501,7 +499,7 @@ def fit(  # pylint: disable=W0221
             epoch_loss = []
             epoch_batch_sizes = []
 
-            pbar = tqdm(range(num_batch), disable=not display_pb)
+            pbar = tqdm(range(num_batch), disable=not verbose)
 
             # Train for one epoch
             for m in pbar:
@@ -547,7 +545,7 @@ def fit(  # pylint: disable=W0221
                 epoch_loss.append(loss.cpu().detach().numpy())
                 epoch_batch_sizes.append(len(i_batch))
 
-                if display_pb:
+                if verbose:
                     pbar.set_description(
                         f"Loss {np.average(epoch_loss, weights=epoch_batch_sizes):.3f} "
                         f"Acc {np.average(epoch_acc, weights=epoch_batch_sizes):.3f} "