This release contains contains new black-box attacks, detectors, updated attacks and several bug fixes.

Added

Added HopSkipJump attack, a powerful new black-box attack (#80)
Added new example script demonstrating the perturbation of a neural network layer between input and output (#92)
Added a notebook demonstrating BoundaryAttack
Added a detector based on Fast Generalized Subset Scanning (#100)

Changed

Changed Basic Iterative Method (BIM) attack to be a special case of Projected Gradient Descent attack with norm=np.inf and without random initialisation (#90)
Reduced calls to method predict in attacks FastGradientMethod and BasicIterativeMethod to improve performance (#70)
Updated pretrained models in notebooks with on-demand downloads of the pretrained models (#63, #88)
Added batch processing to AdversarialPatch attack (#96)
Increased Tensorflow versions in unit testing on Travis CI to 1.12.3, 1.13.1, and 1.14.0 (#94)
Attacks are now accepting the argument batch_size which is used in calls to classifier.predict within the attack replacing the default batch_size=128 of classifier.predict (#105)
Change order of preprocessing defences and standardisation in classifiers, now defences are applied on the provided input data and standardisation (preprocessing argument of classifier) is applied after the defences (#84
Update all defences to account for clip_values (#84)

Removed pretrained models in directory models used in notebooks and replaced with ondemand downloads (#63, #88)
Removed argument patch_shape from attack AdversarialPatch (#77)
Stopped unit testing for Python 2 on Travis CI (#83)

Fixed all Pylint and LGTM alerts and warnings (#110)
Fixed broken links in notebooks (#63, #88)
Fixed broken links to imagenet data in notebook attack_defense_imagenet (#109)
Fixed calculation of attack budget eps by accounting for initial benign sample in projection to eps-ball for random initialisation in FastGradientMethod and BasicIterativeMethod (#85)