Merge remote-tracking branch 'origin/dev_1.3.1'

Author: Beat Buesser

art/attacks/evasion/__init__.py

@@ -1,11 +1,9 @@
 """
 Module providing evasion attacks under a common interface.
 """
-from art.attacks.evasion.adversarial_patch.adversarial_patch import (
-    AdversarialPatch,
-    AdversarialPatchNumpy,
-    AdversarialPatchTensorFlowV2,
-)
+from art.attacks.evasion.adversarial_patch.adversarial_patch import AdversarialPatch
+from art.attacks.evasion.adversarial_patch.adversarial_patch_numpy import AdversarialPatchNumpy
+from art.attacks.evasion.adversarial_patch.adversarial_patch_tensorflow import AdversarialPatchTensorFlowV2
 from art.attacks.evasion.boundary import BoundaryAttack
 from art.attacks.evasion.carlini import CarliniL2Method, CarliniLInfMethod
 from art.attacks.evasion.decision_tree_attack import DecisionTreeAttack
@@ -16,10 +14,14 @@
 from art.attacks.evasion.hop_skip_jump import HopSkipJump
 from art.attacks.evasion.iterative_method import BasicIterativeMethod
 from art.attacks.evasion.newtonfool import NewtonFool
-from art.attacks.evasion.projected_gradient_descent.projected_gradient_descent import (
-    ProjectedGradientDescent,
+from art.attacks.evasion.projected_gradient_descent.projected_gradient_descent import ProjectedGradientDescent
+from art.attacks.evasion.projected_gradient_descent.projected_gradient_descent_numpy import (
     ProjectedGradientDescentNumpy,
+)
+from art.attacks.evasion.projected_gradient_descent.projected_gradient_descent_pytorch import (
     ProjectedGradientDescentPyTorch,
+)
+from art.attacks.evasion.projected_gradient_descent.projected_gradient_descent_tensorflow_v2 import (
     ProjectedGradientDescentTensorFlowV2,
 )
 from art.attacks.evasion.saliency_map import SaliencyMapMethod

art/attacks/evasion/adversarial_patch/adversarial_patch.py

@@ -148,6 +148,9 @@ def apply_patch(self, x: np.ndarray, scale: float, patch_external: Optional[np.n
         """
         return self._attack.apply_patch(x, scale, patch_external=patch_external)
 
+    def set_params(self, **kwargs) -> None:
+        self._attack.set_params(**kwargs)
+
     def _check_params(self) -> None:
         if not isinstance(self._attack.rotation_max, (float, int)):
             raise ValueError("The maximum rotation of the random patches must be of type float.")

art/attacks/evasion/deepfool.py

@@ -34,7 +34,7 @@
     ClassifierGradients,
 )
 from art.attacks.attack import EvasionAttack
-from art.utils import compute_success
+from art.utils import compute_success, is_probability
 
 logger = logging.getLogger(__name__)
 
@@ -78,6 +78,12 @@ def __init__(
         self.nb_grads = nb_grads
         self.batch_size = batch_size
         self._check_params()
+        if self.estimator.clip_values is None:
+            logger.warning(
+                "The `clip_values` attribute of the estimator is `None`, therefore this instance of DeepFool will by "
+                "default generate adversarial perturbations scaled for input values in the range [0, 1] but not clip "
+                "the adversarial example."
+            )
 
     def generate(self, x: np.ndarray, y: Optional[np.ndarray] = None, **kwargs) -> np.ndarray:
         """
@@ -90,6 +96,12 @@ def generate(self, x: np.ndarray, y: Optional[np.ndarray] = None, **kwargs) -> n
         x_adv = x.astype(ART_NUMPY_DTYPE)
         preds = self.estimator.predict(x, batch_size=self.batch_size)
 
+        if is_probability(preds[0]):
+            logger.warning(
+                "It seems that the attacked model is predicting probabilities. DeepFool expects logits as model output "
+                "to achieve its full attack strength."
+            )
+
         # Determine the class labels for which to compute the gradients
         use_grads_subset = self.nb_grads < self.estimator.nb_classes
         if use_grads_subset:
@@ -106,7 +118,7 @@ def generate(self, x: np.ndarray, y: Optional[np.ndarray] = None, **kwargs) -> n
         # Compute perturbation with implicit batching
         for batch_id in trange(int(np.ceil(x_adv.shape[0] / float(self.batch_size))), desc="DeepFool"):
             batch_index_1, batch_index_2 = batch_id * self.batch_size, (batch_id + 1) * self.batch_size
-            batch = x_adv[batch_index_1:batch_index_2]
+            batch = x_adv[batch_index_1:batch_index_2].copy()
 
             # Get predictions and gradients for batch
             f_batch = preds[batch_index_1:batch_index_2]
@@ -143,7 +155,8 @@ def generate(self, x: np.ndarray, y: Optional[np.ndarray] = None, **kwargs) -> n
                 # Add perturbation and clip result
                 if self.estimator.clip_values is not None:
                     batch[active_indices] = np.clip(
-                        batch[active_indices] + r_var[active_indices],
+                        batch[active_indices]
+                        + r_var[active_indices] * (self.estimator.clip_values[1] - self.estimator.clip_values[0]),
                         self.estimator.clip_values[0],
                         self.estimator.clip_values[1],
                     )

art/attacks/evasion/projected_gradient_descent/projected_gradient_descent.py

@@ -112,7 +112,7 @@ def __init__(
         ProjectedGradientDescent._check_params(self)
 
         no_preprocessing = self.estimator.preprocessing is None or (
-            np.all(self.estimator.preprocessing[0] == 0) and np.all(self.estimator.preprocessing[1] == 0)
+            np.all(self.estimator.preprocessing[0] == 0) and np.all(self.estimator.preprocessing[1] == 1)
         )
         no_defences = not self.estimator.preprocessing_defences and not self.estimator.postprocessing_defences
 
@@ -172,6 +172,9 @@ def generate(self, x: np.ndarray, y: Optional[np.ndarray] = None, **kwargs) -> n
         logger.info("Creating adversarial samples.")
         return self._attack.generate(x=x, y=y, **kwargs)
 
+    def set_params(self, **kwargs) -> None:
+        self._attack.set_params(**kwargs)
+
     def _check_params(self) -> None:
         # Check if order of the norm is acceptable given current implementation
         if self.norm not in [np.inf, int(1), int(2)]:

art/defences/preprocessor/mp3_compression.py

@@ -113,6 +113,15 @@ def wav_to_mp3(x, sample_rate):
             from pydub import AudioSegment
             from scipy.io.wavfile import write
 
+            normalized = bool(x.min() >= -1.0 and x.max() <= 1.0)
+            if x.dtype != np.int16 and not normalized:
+                # input is not of type np.int16 and seems to be unnormalized. Therefore casting to np.int16.
+                x = x.astype(np.int16)
+            elif x.dtype != np.int16 and normalized:
+                # x is not of type np.int16 and seems to be normalized. Therefore undoing normalization and
+                # casting to np.int16.
+                x = (x * 2**15).astype(np.int16)
+
             tmp_wav, tmp_mp3 = BytesIO(), BytesIO()
             write(tmp_wav, sample_rate, x)
             AudioSegment.from_wav(tmp_wav).export(tmp_mp3)
@@ -122,6 +131,10 @@ def wav_to_mp3(x, sample_rate):
             x_mp3 = np.array(audio_segment.get_array_of_samples()).reshape((-1, audio_segment.channels))
             # WARNING: Due to above problem, we need to manually resize x_mp3 to original length.
             x_mp3 = x_mp3[: x.shape[0]]
+
+            if normalized:
+                # x was normalized. Therefore normalizing x_mp3.
+                x_mp3 = x_mp3 * 2**-15
             return x_mp3
 
         if x.ndim != 3:

art/estimators/classification/keras.py

@@ -44,7 +44,7 @@
     ClassifierMixin,
     ClassGradientsMixin,
 )
-from art.utils import Deprecated, deprecated_keyword_arg
+from art.utils import Deprecated, deprecated_keyword_arg, check_and_transform_label_format
 
 if TYPE_CHECKING:
     import keras
@@ -412,13 +412,16 @@ def fit(self, x: np.ndarray, y: np.ndarray, batch_size: int = 128, nb_epochs: in
         Fit the classifier on the training set `(x, y)`.
 
         :param x: Training data.
-        :param y: Target values (class labels) one-hot-encoded of shape (nb_samples, nb_classes).
+        :param y: Target values (class labels) one-hot-encoded of shape (nb_samples, nb_classes) or index labels of
+                  shape (nb_samples,).
         :param batch_size: Size of batches.
         :param nb_epochs: Number of epochs to use for training.
         :param kwargs: Dictionary of framework-specific arguments. These should be parameters supported by the
                `fit_generator` function in Keras and will be passed to this function as such. Including the number of
                epochs or the number of steps per epoch as part of this argument will result in as error.
         """
+        y = check_and_transform_label_format(y, self.nb_classes)
+
         # Apply preprocessing
         x_preprocessed, y_preprocessed = self._apply_preprocessing(x, y, fit=True)
 

art/estimators/classification/mxnet.py

@@ -38,7 +38,7 @@
     ClassGradientsMixin,
     ClassifierMixin,
 )
-from art.utils import Deprecated, deprecated_keyword_arg
+from art.utils import Deprecated, deprecated_keyword_arg, check_and_transform_label_format
 
 if TYPE_CHECKING:
     import mxnet as mx
@@ -134,7 +134,8 @@ def fit(self, x: np.ndarray, y: np.ndarray, batch_size: int = 128, nb_epochs: in
         Fit the classifier on the training set `(inputs, outputs)`.
 
         :param x: Training data.
-        :param y: Target values (class labels) one-hot-encoded of shape (nb_samples, nb_classes).
+        :param y: Target values (class labels) one-hot-encoded of shape (nb_samples, nb_classes) or index labels of
+                  shape (nb_samples,).
         :param batch_size: Size of batches.
         :param nb_epochs: Number of epochs to use for training.
         :param kwargs: Dictionary of framework-specific arguments. This parameter is not currently supported for MXNet
@@ -146,6 +147,8 @@ def fit(self, x: np.ndarray, y: np.ndarray, batch_size: int = 128, nb_epochs: in
             raise ValueError("An MXNet optimizer is required for fitting the model.")
         train_mode = self._learning_phase if hasattr(self, "_learning_phase") else True
 
+        y = check_and_transform_label_format(y, self.nb_classes)
+
         # Apply preprocessing
         x_preprocessed, y_preprocessed = self._apply_preprocessing(x, y, fit=True)
         y_preprocessed = np.argmax(y_preprocessed, axis=1)

art/estimators/classification/pytorch.py

@@ -36,7 +36,7 @@
     ClassifierMixin,
 )
 from art.estimators.pytorch import PyTorchEstimator
-from art.utils import Deprecated, deprecated_keyword_arg
+from art.utils import Deprecated, deprecated_keyword_arg, check_and_transform_label_format
 
 if TYPE_CHECKING:
     import torch
@@ -193,7 +193,8 @@ def fit(self, x: np.ndarray, y: np.ndarray, batch_size: int = 128, nb_epochs: in
         Fit the classifier on the training set `(x, y)`.
 
         :param x: Training data.
-        :param y: Target values (class labels) one-hot-encoded of shape (nb_samples, nb_classes).
+        :param y: Target values (class labels) one-hot-encoded of shape (nb_samples, nb_classes) or index labels of
+                  shape (nb_samples,).
         :param batch_size: Size of batches.
         :param nb_epochs: Number of epochs to use for training.
         :param kwargs: Dictionary of framework-specific arguments. This parameter is not currently supported for PyTorch
@@ -204,6 +205,8 @@ def fit(self, x: np.ndarray, y: np.ndarray, batch_size: int = 128, nb_epochs: in
         if self._optimizer is None:
             raise ValueError("An optimizer is needed to train the model, but none for provided.")
 
+        y = check_and_transform_label_format(y, self.nb_classes)
+
         # Apply preprocessing
         x_preprocessed, y_preprocessed = self._apply_preprocessing(x, y, fit=True)
 

art/estimators/classification/tensorflow.py

@@ -36,7 +36,7 @@
     ClassifierMixin,
 )
 from art.estimators.tensorflow import TensorFlowEstimator, TensorFlowV2Estimator
-from art.utils import Deprecated, deprecated_keyword_arg
+from art.utils import Deprecated, deprecated_keyword_arg, check_and_transform_label_format
 
 if TYPE_CHECKING:
     import tensorflow as tf
@@ -186,7 +186,8 @@ def fit(self, x: np.ndarray, y: np.ndarray, batch_size: int = 128, nb_epochs: in
         Fit the classifier on the training set `(x, y)`.
 
         :param x: Training data.
-        :param y: Target values (class labels) one-hot-encoded of shape (nb_samples, nb_classes).
+        :param y: Target values (class labels) one-hot-encoded of shape (nb_samples, nb_classes) or index labels of
+                  shape (nb_samples,).
         :param batch_size: Size of batches.
         :param nb_epochs: Number of epochs to use for training.
         :param kwargs: Dictionary of framework-specific arguments. This parameter is not currently supported for
@@ -196,6 +197,8 @@ def fit(self, x: np.ndarray, y: np.ndarray, batch_size: int = 128, nb_epochs: in
         if self._train is None or self._labels_ph is None:
             raise ValueError("Need the training objective and the output placeholder to train the model.")
 
+        y = check_and_transform_label_format(y, self.nb_classes)
+
         # Apply preprocessing
         x_preprocessed, y_preprocessed = self._apply_preprocessing(x, y, fit=True)
 
@@ -768,7 +771,8 @@ def fit(self, x: np.ndarray, y: np.ndarray, batch_size: int = 128, nb_epochs: in
         Fit the classifier on the training set `(x, y)`.
 
         :param x: Training data.
-        :param y: Labels, one-hot-encoded of shape (nb_samples, nb_classes).
+        :param y: Labels, one-hot-encoded of shape (nb_samples, nb_classes) or index labels of
+                  shape (nb_samples,).
         :param batch_size: Size of batches.
         :param nb_epochs: Number of epochs to use for training.
         :param kwargs: Dictionary of framework-specific arguments. This parameter is not currently supported for
@@ -781,6 +785,8 @@ def fit(self, x: np.ndarray, y: np.ndarray, batch_size: int = 128, nb_epochs: in
                 "The training function `train_step` is required for fitting a model but it has not been " "defined."
             )
 
+        y = check_and_transform_label_format(y, self.nb_classes)
+
         # Apply preprocessing
         x_preprocessed, y_preprocessed = self._apply_preprocessing(x, y, fit=True)