ART 1.12.0

This release of ART 1.12.0 introduces the first black-box adversarial patch attack, overlapping shadow datasets for membership inference, certified adversarial training, and more.

Added

• Added Sleeper Agent poisoning attack in TensorFlow in art.attacks.poisoning.SleeperAgentAttack (#1769)
• Added support for overlapping shadow models and black-box model predictions as input in membership inference attacks (#1778)
• Added adversarial accuracy as a metric (#1779)
• Added function art.utils.uniform_sample_from_sphere_or_ball to sample uniformly from either the ball or the sphere with a given norm and radii (#1804)
• Added GRAPHITE, black- and white-box evasion attacks generating adversarial patches (#1828)
• Added certified adversarial training (#1841)

Changed

• Changed art.attacks.evasion.DPatch to accept true labels (#1780)
• Changed art.utils.random_sphere to use a different, faster algorithm for norm=1 based on exponential distribution (#1805)

Removed

[None]

Fixed

[None]

ART 1.11.1

This release of ART 1.11.1 provides updates to ART 1.11.

Added

[None]

Changed

[None]

Removed

[None]

Fixed

• Fixed unecessary check for targeted attacks in AdversarialPatch and delegated check to framework-specific implementations (#1768)
• Fixed missing transfer to device in AdversarialPatchPyTorch.apply_patch() (#1771)
• Fix redundant call to detach().cpu().numpy() in PyTorchClassifier.predict() (#1785)
• Fixed art.utils.random_sphere() for norm=1 to sample uniformly in the L1 ball (#1802)
• Fixed PyTorch detach() call on Numpy arrays in PyTorchRegressor (#1824)
• Fixed probability check for multi-dimensional arrays + out of bounds error in binning in the pointwise differential training privacy metric PDTP (#1825)
• Fixed learning rate decay in ElasticNet evasion attack (#1833)

ART 1.11.0

This release of ART 1.11.0 introduces estimators for YOLO object detection and regression models, the first audio poisoning attack, new query-efficient black-box evasion attacks, certified defenses against adversarial patch attacks, metrics quantifying membership inference and more.

Added

• Added Momentum-Iterative FGSM evasion attack in MomentumIterativeMethod and added optional momentum to loss gradients in ProjectedGradientDescent* attacks. (#1614)
• Added metrics measuring worst-case scores of membership inference attacks. (#1709)
• Added estimator for YOLO v3 models in PyTorch in PyTorchYolo. (#1715)
• Added estimators for de-randomized smoothing certification against patch attacks in PyTorchDeRandomizedSmoothing and TensorFlowV2DeRandomizedSmoothing. (#1729)
• Added query-efficient hard-label black-box evasion attack Sign-Opt in SignOPTAttack. (#1730)
• Added Sleeper Agent poisoning attack PyTorch in SleeperAgentAttack. (#1736)
• Added exclusionary reclassification to ActivationDefence. (#1738)
• Added dirty-label backdoor poisoning attack on audio classification in art.attacks.poisoning.perturbations.audio_perturbations. (#1740)
• Added estimators for regression in PyTorchRegressor and KerasRegressor for PyTorch and Keras. (#1651)
• Added option for targeted attacks to AdversarialPatch and AdversarialPatchNumpy. (#1759)

Changed

• Changed check_and_transform_label_format for nb_classes=None to automatically determine the number of classes in the provided labels. (#1747)
• Added additional documentation to ZOOAttack and cleaned up the code of method compare. (#1648)
• Changed default value for number of epochs nb_epochs in AdversarialTrainerMadryPGD to match 80'000 training steps of Madry et al. (#1758)

Removed

[None]

Fixed

• Fixed PyTorchClassifier.clone_fore_refitting by deleting optimizer from parameters before calling set_param() to avoid creating the cloned model with the old optimizer. (#1742)
• Fixed missing propagation of nb_classes to method check_and_transform_label_format in inference attacks. (#1713)

ART 1.10.3

This release of ART 1.10.3 provides updates to ART 1.10.

Added

[None]

Changed

[None]

Removed

[None]

Fixed

• Fixed missing zeroing of gradients in PyTorch variable of the adversarial patch in art.attacks.evasion.AdversarialTexturePyTorch (#1724, #1726 )

ART 1.10.2

This release of ART 1.10.2 provides updates to ART 1.10.

Added

[None]

Changed

• Changed PyTorchClassifier to use a new optimizer when cloned with clone_for_refitting (#1580)
• Changed class names of art.estimators.gan.* and art.estimators.generator.* to follow naming convention (#1655)
• Changed Mp3CompressionPyTorch and PyTorchDeepSpeech to add support for samples in 2D non-object arrays (#1680, #1702)
• Changed file name python_object_detector.py to pytorch_object_detector.py to follow naming convention (#1687)
• Changed CarliniLInfMethod by adding argument for batch_size (#1699).

Removed

[None]

Fixed

• Fixed required dependency on TensorFlow (#1655)
• Fixed bug in ImperceptibleASRPyTorch by adding missing .detach().cpu() and .cpu() calls (#1677)
• Fixed bug in art.estimators.certification.randomized_smoothing estimators to correctly apply Gaussian noise (#1678)
• Fixed bug in GaussianNoise the post-processing defence to keep number of dimensions constant during normalisation (#1684)
• Fixed bug in RobustDPatch for channels first images to correctly un-transform loss gradients (#1693)
• Fixed bug in support for numpy arrays in logger of PoisoningAttackCleanLabelBackdoor (#1698)

ART 1.10.1

This release of ART 1.10.1 provides updates to ART 1.10.

Added

[None]

Changed

• Changed AdversarialTrainerMadryPGD.fit to support arguments nb_epochs and batch_size (#1612)
• Changed GradientMatchingAttack to add support for models with undefined input shape by abstracting the shape information from the input data (#1624)
• Changed PyTorchObjectDetector to support inputs with number of channels other than 1 and 3 (#1633)

Removed

[None]

Fixed

• Fixed incorrect handling of true regression labels in attribute inference attacks (#1598)
• Fixed AdversarialPatchPyTorch.apply_patch to correctly check if mask is None (#1607)

ART 1.10.0

This release of ART 1.10.0 introduces multiple poisoning attacks on image classification and deep generative models, the first attack with dynamic patches on object tracking in videos, classification certification based on zonotope representations, EoT support for object detection in image rotation and center cropping, new features for attribute inference attacks and more.

Added

• Added Gradient Matching (Witches' Brew) attack art.attacks.poisoning.GradientMatchingAttack in TensorFlow (#1587)
• Added functions projection_l1_1 and projection_l1_2 to art.utils for two algorithms computing orthogonal projections on L1-norm balls (#1586)
• Added perspective transformations to art.attacks.evasion.AdversarialTexturePyTorch attack to enable dynamic texture/patches (#1557)
• Added support for object detection in art.attacks.evasion.AdversarialPatchPyTorch (#1535)
• Added new features to attribute inference attacks including support for optional use of true labels in black-box attribute inference attacks, automatic calculation of values in fit() method, additional scaling method for labels/predictions and an additional attack model type (random forest) (#1534)
• Added estimator art.estimators.certification.PytorchDeepZ based on DeepZ for robustness certification using zonotope representations datapoints (#1531)
• Added Expectation over Transformation (EoT) for rotation and centre crop with support for classification and object detection (#1516)
• Added support for SummaryWriter in art.attacks.evasion.RobustDpatch (#1513)
• Added PGD L-Inf optimizer to art.attacks.evasion.AdversarialPatch* attacks (#1495)
• Added two backdoor poisoning attacks, Red in art.attacks.poisoning.BackdoorAttackDGMReD and Trail in art.attacks.poisoning.BackdoorAttackDGMTrail, targeting Deep Generative Models (#1490)
• Added Hidden Trigger Backdoor Poisoning Attack in Keras and PyTorch in art.attacks.poisoning.HiddenTriggerBackdoor (#1487)
• Added Feature Collision Poisoning Attack in PyTorch in art.attacks.poisoning.FeatureCollisionAttack (#1435 )

Changed

• Changed imports of TensorFlow v2 in TensorFlowClassifier to support TensorFlow v1 compatibility mode (#1560)
• Changed Python used for unit testing to newer versions, upgraded style checks and improved code quality (#1517)

Removed

[None]

Fixed

• Fixed import of Scipy in PixelThreshold attack to support scipy>=1.8 (#1589)
• Fixed bug of missing attribute in PixelAttack for scaled images (#1574)
• Fixed use of torchaudio.functional.magphase in PyTorchDeepSpeech to support Deep Speech 2 version 3 with torch>=1.10 (#1550)
• Fixed method fitof ScikitlearnRegressor to process labels correctly (#1537)
• Fixed scalar names of Indicators of Attack Failure 2 and 3 for aggregated losses (#1512)
• Fixed raising of DataConversionWarning in fitting black box membership inference attacks with attack_model_type 'rf' or 'gb (#1488)

ART 1.9.1

This release of ART 1.9.1 provides updates to ART 1.9.

Added

• Added support for TensorFlow 1.15 as backend in KerasClassifier.compute_loss. (#1466)
• Added support for input range [0, 1] in art.defences.preprocessor.VideoCompression*. (#1470)

Changed

[None]

Removed

[None]

Fixed

• Fixed bug in art.utils.load_nursery for loading nursery dataset with argument raw=True. (#1460)
• Fixed import of matplotlib to keep it an optional dependency. (#1467)
• Fixed bug to allow preprocessing defences to be applied in PyTorchGoturn.predict by adding back missing sample dimension. (#1470)
• Fixed bug in PyTorchClassifier.get_activations to also apply preprocessing if argument framework=True. This fix likely changes the results obtained with BullseyePolytopeAttackPyTorch, the main attack using framework=True. (#1471)

ART 1.9.0

This release of ART 1.9.0 introduces the first evasion attack specifically designed against object tracking applications and able to distinguish foreground and background objects, the first evasion attack against image classifiers simulating attacks with laser beams on target objects, the new Summary Writer API to collect attack internal custom metrics, a defense against general poisoning attacks and tools for shadow model training to support membership inference attacks.

Added

• Added tools for training shadow models and generating shadow-datasets in support of membership inference attacks in art.attacks.inference.membership_inference.shadow_models. (#1345, #1395)
• Added hill-climbing synthetic data generation algorithm (Shokri et al., 2017) to train shadow models without access to actual data. (#1345, #1395)
• Added experimental estimator for classification models in JAX in art.experimental.estimators.classification.JaxClassifier (#1360)
• Added Deep Partition Aggregation as classification estimator in art.estimators.classification.DeepPartitionEnsemble to defend against general poisoning attacks (#1397)
• Added Adversarial Laser Beam attack in art.attacks.evasion.LaserAttack as a easy to realize physical evasion attack (#1398)
• Added customizable Summary Writer API in art.summary_writer.SummaryWriter to collect attack internal metrics in supported attacks providing collected metrics in TensorBoard format for analysis (#1416 )
• Added Indicators of Attack Failure (Pintor et al., 2021) as metrics in default summary writer art.summary_writer.SummaryWriterDefault (#1416)
• Added Adversarial Texture Attack against object tracking models in art.attacks.evasion.AdversarialTexturePyTorch. The attack distinguishes foreground and background objects to create textures/patches that work even if partially covered. (#1430)

Changed

• Changed implementation of Carlini & WAgner L_inf attack in art.attacks.evasion.CarliniLInfMethod to exactly reproduce performance of reference implementation (#1380)
• Changed art.defences.preprocessor.preprocessor.PreprocessorPyTorch to accept device_type in __init__ to set attribute _device for all PyTorch preprocessors in a single location (#1444)

Removed

• Removed deprecated Numpy scalar type names (#1296)
• Removed outdated comments in tests.attacks.test_simba that SimBA would not support PyTorch (#1423)

Fixed

• Fixed missing support for input with more than one input image in art.attacks.evasion.SimBA.generate, so far only the first sample had been attacked if more than one image was provided. (#1422)
• Fixed art.attacks.poisoning.perturbations.insert_image to preserve dtype of input images in the returned output images (#1441)
• Fixed missing transformation of binary index to one-hot encoded labels in art.utils.check_and_transform_label_format for argument return_one_hot=True (#1443)

ART 1.8.1

This release of ART 1.8.1 provides updates to ART 1.8.

Added

• Added support for torch.Tensor inputs and required argument input_shape to art.estimators.object_tracking.PyTorchGoturn. (#1348)

Changed

• Changed supported PyTorch version check to include torch==1.9 and torchvision==0.10 to exception in art.estimators.object_detection.PyTorchObjectDetector. (#1356)

Removed

[None]

Fixed

• Fixed docstring and cuda device support in art.attacks.evasion.AdversarialPatchPyTorch. (#1333)