ART 1.5.0

Added

• Added a new module art.evaluations for evaluation tools that go beyond creating adversarial examples and create insights into the robustness of machine learning models beyond adversarial accuracy and build on art.estimators and art.attacks as much as possible. The first implemented evaluation tool is art.evaluations.SecurityCurve which calculates the security curve, a popular tool to evaluate robustness against evasion, using art.attacks.evasion.ProjectedGradientDescent and provides evaluation of potential gradient masking in the evaluated model. (#654)

• Added support for perturbation masks in art.attacks.evasion.AutoProjectedGradientDescent similar as in art.attacks.evasion.ProjectedGradientDescent and added Boolean masks for patch location sampling in Dpatch and all AdversarialPatch attacks to enable pixel masks defining regions where patch locations are sampled from during patch training or where trained patches can be applied.

• Added preprocessing for Infinite (IIR) and Finite Impulse Response (FIR) filtering for Room Acoustics Modelling in framework-agnostic (art.preprocessing.audio.LFilter) and PyTorch-specific (art.preprocessing.audio.LFilterPyTorch) implementations as the first tool for physical environment simulation for audio data in art.preprocessing.audio. Additional tools will be added in future releases. (#744)

• Added Expectation over Transformation (EoT) to art.preprocessing.expectation_over_transformation with a first implementation of sampling image rotation for classification tasks framework-specific for TensorFlow v2 (art.preprocessing.expectation_over_transformation.EOTImageRotationTensorFlowV2) providing full support for gradient backpropagation through EoT. Additional EoTs will be added in future releases. (#744)

• Added support for multi-modal inputs in ProjectedGradientDescent attacks and FastGradientMethod attack with broadcastable arguments eps and eps_step as np.ndarray to enable attacks against, for example, images with multi-modal color channels. (#691)

• Added Database Reconstruction attack in the new module art.attacks.inference.reconstruction.DatabaseReconstruction enabling evaluation of the privacy of machine learning models by reconstructing one removed sample of the training dataset. The attack is demonstrated in a new notebook on models trained non-privately and with differential privacy using the Differential Privacy Library (DiffPrivLib) as defense. (#759)

• Added support for one-hot encoded feature definition in black-box attribute inference attacks. (#768)

• Added a new model-specific speech recognition estimator for Lingvo ASR in art.estimators.speech_recognition.TensorFlowLingvoASR. (#584)

• Added a framework-independent implementation of the Imperceptible ASR attack with loss support for TensorFlow and PyTorch in art.attacks.evasion.ImperceptibleASR. (#719, #760)

• Added Clean Label Backdoor poisoning attack in art.attacks.poisoning.PoisoningAttackCleanLabelBackdoor. (#725)

• Added Strong Intentional Perturbation (STRIP) defense against poisoning attacks in art.defences..transformer.poisoning.STRIP. (#656)

• Added Label-only Boundary Distance Attack art.attacks.inference.membership_inference.LabelOnlyDecisionBoundary and Label-only Gap Attack art.attacks.inference.membership_inference.LabelOnlyGapAttack for membership inference attacks on classification estimators. (#720)

• Added support for preprocessing and preprocessing defences in the PyTorch-specific implementation of the Imperceptible ASR attack in art.attacks.evasion.ImperceptibleASRPyTorch. (#763)

• Added a robust version of evasion attack DPatch in art.attacks.evasion.RobustDPatch against object detectors by adding improvements like expectation over transformation steps, fixed patch location, etc. (#751)

• Added optional support for Automatic Mixed Precision (AMP) in art.estimators.classification.PyTochClassifier to facilitate mix-precision computations and increase performance. (#619)

• Added the Brendel & Bethge evasion attack in art.attacks.evasion.BrendelBethgeAttack based on the original reference implementation. (#626)

• Added framework-agnostic support for Randomized Smoothing estimators in addition to framework-specific implementations in TensorFlow v2 and PyTorch. (#738)

• Added an optional progress bar to art.utils.get_file to facilitate downloading large files. (#698)

• Added support for perturbation masks in HopSkipJump evasion attack in art.attacks.evasion.HopSkipJump. (#653)

Changed

• Changed preprocessing defenses and input standardisation with mean and standard deviation by combining all preprocessing into a single preprocessing API defined in the new module art.preprocessing. Existing preprocessing defenses remain in art.defences.preprocessor, but are treated as equal and run with the same API and code as general preprocessing tools in art.preprocessing. The standardisation is now a preprocessing tool that is implemented framework-specific for PyTorch and TensorFlow v2 in forward and backward direction. Estimators for art.estimators.classification and art.estimators.object_detection in TensorFlow v2 and PyTorch set up with all framework-specific preprocessing steps will prepend the preprocessing directly to the model to evaluate output and backpropagate gradients in a single step through the model and (chained) preprocessing instead of previously two separate steps for improved performance. Framework independent preprocessing tools will continue to be evaluated in a step separate from the model. This change also enable full support for any model-specific standardisation/normalisation functions for the model inputs and their gradients. (#629)

• Changed Preprocessor and Postprocessor APIs to simplify them by defining reused methods and the most common property values as defaults in the API. The default for art.defences.preprocessor.preprocessor.Preprocessor.estimate_gradient in framework-agnostic preprocessing is Backward Pass Differentiable Approximation (BPDA) with identity function, which can be customized with accurate or better approximations by implementing estimate_gradient. (#752)

• Changed random restarts in all ProjectedGradientDescent implementations to collect the successful adversarial examples of each random restart instead of previously only keeping the adversarial examples of the most successful random restart. Adversarial examples of previous random restart iterations are overwritten by adversarial examples of later random restart iterations. This leads to equal or better adversarial accuracies compared to previous releases and changes the order of processing the input samples to first complete all random restarts of a batch before processing the next batch instead of looping over all batches in each random restart. (#765)

• Changed order of mask application and normalization of the perturbation in all ProjectedGradientDescent and FastGradientMethod attacks to now first apply the mask to the loss_gradients and subsequently normalize only the remaining, un-masked perturbation. That way the resulting perturbation can directly be compared to the attack budget eps. (#711)

• Changed location of implementation and default values of properties channels_first, clip_values, and input_shape in art.estimators to facilitate the creation of customs estimators not present in art.estimators.

• Changed Spectral Signature Defense by removing argument num_classes and replacing it with the estimator’s nb_classes property and renaming parameter ub_pct_poison to expected_pp_poison. (#678)

• Changed the ART directory path for datasets and model data stored in ART_DATA_PATH to be configurable after importing ART. (#701)

• Changed preprocessing defence art.defences.preprocessor.JpegCompression to support any number of channels in addition to the already supported inputs with 1 and 3 channels. (#700)

• Changed calculation of perturbation and direction in art.attacks.evasion.BoundaryAttack to follow the reference implementation. These changes result in faster convergence and smaller perturbations. (#761)

Removed

[None]

Fixed

• Fixed bug in definition and application of norm p in cost matrix in Wasserstein evasion attack art.attacks.evasion.Wasserstein present in the reference implementation. (#712)

• Fixed handling of fractional batches in Zeroth Order Optimization (ZOO) attack in art.attacks.evasion.ZOOAttack to prevent errors caused by shape mismatches for batches smaller than batch_size. (#755)

ART 1.4.3

This release of ART v1.4.3 provides updates to ART 1.4.

Added

[None]

Changed

• Changed argument y of method infer of art.attacks.inference.attribute_inference.AttributeInferenceBlackBox from optional to required. (#750)

Removed

[None]

Fixed

• Fixed bug in art.data_generators.PyTorchDataGenerator and art.data_generators.MXDataGenerator where method get_batch always returned the same first batch of the dataset to return different batches for each method call by iterating over the entire dataset. (#731)
• Fixed format of return value of method infer of art.attacks.inference.membership_inference.MembershipInferenceBlackBox for attack_model_type="nn". (#741)

ART 1.4.2

This release of ART v1.4.2 provides updates to ART 1.4.

Added

• Added implementation of method loss for art.estimators.classification.TensorFlowClassifer. (#685)
• Added support for variable length input to art.defences.preprocessor.MP3Compression to make it compatible with estimator art.estimators.speech_recognition.PyTorchDeepSpeech. (#684)
• Added support for mask in non-classification tasks with art.attacks.evasion.ProjectedGradientDescent. (#682)
• Added support for torch.Tensor as input for loss_gradient of art.estimators.object_detection.PyTorchFasterRCNN. (#679)
• Added support for art.attacks.evasion.ProjectedGradientDescent and art.attacks.evasion.FasGradientMethod attacks on art.estimators.speech_recognition.PyTorchDeepSpeech. (#669)
• Added exception and explanation if target labels are not provided in generate of art.attacks.evasion.ImperceptibleASRPytorch. (#677)
• Added support for preprocessing defences in art.estimators.speech_recognition.PyTorchDeepSpeech. (#663)
• Added support for type List in argument patch_shape of art.attacks.evasion.DPatch. (#662)
• Added support for option verbose to all art.attacks and art.defences to adjust output of progress bars. (#647)

Changed

• Changed art.attacks.evasion.AutoProjectedGradientDescent to to support estimators for classification of all frameworks using the estimator's loss function, to use the new method loss of the Estimator API replacing internal custom loss functions and to disable for now the loss type difference_logits_ratio for art.estimators.classification.TensorFlowClassifer (TensorFlow v1.x) because of inaccurate loss calculation. (#685)
• Changed default format of returned values of method predict in art.estimators.speech_recognition.PyTorchDeepSpeech from a tuple of probabilities and sequence lengths to an array of transcriptions (array of predicted strings) which is the same format as labels y and the returned values of other estimators in art.estimators.speech_recognition. The former output can still be obtained with option transcription_output=False. This change also enables using PyTorchDeepSpeech with ProjectedGradientDescent and FastGradientMethod in cases where no labels are provided to their method generate and these attacks use the labels predicted by PyTorchDeepSpeech's method predict. (#689)
• Changed art.attacks.evasion.DPatch to improve initialisation of the patch for input ranges other than [0, 255] and updated the iteration over batches. (#681)
• Changed art.attacks.evasion.DPatch to accept the updated return format of method predict of estimators in art.estimators.object_detection. (#667)
• Changed return format of method predict of estimators in art.estimators.object_detection to follow the format of art.estimators.object_detection.PyTorchFasterRCNN and type np.ndarray. (#660)

Removed

• Removed unsupported argument loss_scale in art.estimators.speech_recognition.PyTorchDeepSpeech. (#642)

Fixed

• Fixed missing setting of property targeted in art.attacks.evasion.ImperceptibleASRPytorch. (#676)
• Fixed bug in method loss of art.estimators.classification.KerasClassifier. (#651)
• Fixed missing attribute batch_size in art.attacks.evasion.SquareAttack. (#646)
• Fixed missing imports in art.estimators.object_detection.TensorFlowFasterRCNN. (#648)
• Fixed bug in art.attacks.evasion.ImperceptibleASRPytorch to correctly apply learning_rate_2nd_stage instead of learning_rate_1st_stage in the second stage. (#642)

ART 1.4.1

This release of ART v1.4.1 provides updates to ART 1.4.

Added

• Added a notebook demonstrating the Imperceptible ASR evasion attack on the DeepSpeech model for speech recognition tasks. (#639)

Changed

• Changed the detection of Keras type (keras vs. tensorflow.keras) in art.estimators.classification.KerasClassifier to enable customised models inheriting from the Keras base models (#631)

Removed

[None]

Fixed

• Fixed bug in model-specific estimator for DeepSpeech art.estimators.speech_recognition.PyTorchDeepSpeech to correctly handle the case of batches of samples with identical length including the special case of a batch of a single sample. (#635)
• Fixed bug in model-specific estimator for DeepSpeech art.estimators.speech_recognition.PyTorchDeepSpeech by adding missing imports (#621)
• Fixed bug to make all tools of ART accessible using import art (#612)
• Fixed bug by removing top-level imports of tool-specific dependencies and adapting default values (#613)
• Fixed wrong progress bar description in art.attacks.evasion.projected_gradient_descent.* from iterations to batches (#611)

ART 1.4.0

This release of ART v1.4.0 introduces framework-specific preprocessing defences, Membership Inference attacks, and support for attacks on Automatic Speech Recognition (ASR) tasks to ART. This release also adds and improves multiple evasion and poisoning attacks and defenses.

Added

• Added framework-specific preprocessing defences for PyTorch and TensorFlow v2 in all estimators. This extends the preprocessing defences of ART beyond the framework-independent implementations in Numpy of earlier ART versions and enables to use the automatic differentiation of a framework to pass accurate loss gradients backwards through the preprocessing defences. Furthermore this also adds first framework-specific implementations of preprocessing Spatial Smoothing defences in PyTorch and TensorFlow v2, art.defences.preprocessor.SpatialSmoothingPyTorch and art.defences.preprocessor.SpatialSmoothingTensorFlowV2. (#510, #574)
• Added Membership Inference attacks to evaluate leaks of information about individual training data recordsart.attacks.inference.membership_inference (#573)
• Added Neural Cleanse defense against poisoned models. This is the first transformation defense against poisoning which accept a potentially poisoned model and returns a transformed version of the model defended against the effects of the poisoning art.defences.transformer.poison.NeuralCleanse (#604)
• Added Imperceptible ASR evasion attack against Automatic Speech Recognition in Pytorch art.attacks.evasion.ImperceptibleASRPytorch (#605)
• Added Adversarial Embedding poisoning attack art.attacks.poisoning.PoisoningAttackAdversarialEmbedding (#561)
• Added new framework- and model-specific estimator for DeepSpeech in PyTorch art.estimators.speech_recognition.PyTorchDeepSpeech (#581)
• Added support for string type for infinity norm in evasion attacks to facilitate serialisation of arguments (#575)
• Added support for targeted attack in art.attacks.evasion.AutoAttack (#494)
• Added targeted version of DPatch evasion attack against object detectors art.attacks.evasion.DPatch (#599)
• Added property targeted to evasion attacks representing if attack is targeted art.attacks.EvasionAttack (#500)
• Added new framework- and model-specific estimator for Faster-RCNN in TensorFlow art.estimators.object_detection.TensorFlowFasterRCNN (#487)
• Added ShapeShifter evasion attack against object detectors art.attacks.evasion.ShapeShifter (#487)
• Added Simple Black-box Adversarial (SimBA) evasion attack art.attacks.evasion.SimBA (#469)

Changed

• Changed progress bars to adversarial trainer and Projected Gradient Descent implementations (#603)
• Changed import paths of Attribute Inference and Model Inversion attacks (#592)

Removed

[None]

Fixed

• Fixed bug in Thermometer Encoding preprocessor defense and extended it to support channels first data and video data formats (#591)
• Fixed denormalizing in create_generator_layers in utils/resources/create_inverse_gan_models.py (#491)

ART 1.3.3

This release of ART 1.3.3 provides updates to ART 1.3.

Added

• Added support for rectangular images and videos (with square and rectangular frames) to the attacks in art.attacks.evasion.adversarial_patch.AdversarialPatch. The framework-independent implementation AdversarialPatchNumpy supports videos of shape NFCHW or NFHWC and the framework-specific implementation for TensorFlow v2 AdversarialPatchTensorFlowV2 supports videos of shape NFHWC. For video data the same patch will be located at the same position on all frames. (#567)
• Added a warning to ShadowAttack to inform users that this implementation currently only works on a single sample in a batch size of one. (#556)

Changed

• The Dockerfile will now automatically check if requirements.txt contains newer versions of the dependencies.
• Changed the CLEVER metric art.metric.clever_t to only calculate required class gradients which results in a speed up of a factor of ~4. (#539)
• Changed the metric art.metrics.wasserstein_distance to automatically flatten the weights of the two inputs. (#545)
• Changed art.attacks.evasion.SquareAttack to use model predictions if true labels are not provided to method generate to follow the convention of the other attacks in ART. (#537)

Removed

[None]

Fixed

• Fixed method set_params in art.attacks.evasion.projected_gradient_descent.ProjectedGradientDescent to correctly update the attributes of the parent class. The attributes of the actual attack implementation have been set correctly before this fix. (#560)

ART 1.3.2

This release of ART 1.3.2 provides updates to ART 1.3.1.

Added

• Added verbose parameter for CarliniL2Method, CarliniLInfMethod, and DeepFool attacks to disable progress bars.

Changed

• Changed the Wasserstein attack to support rectangular images as input (#527)
• Changed UniversalPerturbation attack to use true labels if provided in internal attacks (#526)
• Allow None as input for parameter `preprocessing of estimators (#493)
• Allow eps to be larger than eps_step in ProjectedGradientDescent attacks if norm is not np.inf (#495)

Removed

[None]

Fixed

• Fixed import path for ProjectedGradientDescend option in UniversalPerturbation attack (#525)
• Fixed support for arrays as clip_values in ProjectedGradientDescentPyTorch attack for PyTorch (#521)
• Fixed success criteria for targeted attacks with AutoProjectedGradientDescend (#513)
• Fixed success criteria for attacks used in AutoAttack (#508)
• Fixed example for Fast-is-better-than-Free adversarial training (#506)
• Fixed dtype in AutoProjectedGradientDescent and SquareAttack for testing output type of estimator (#499)
• Fixed parameters in _augment_images_with_patch calls of attack DPatch (#493)

ART 1.3.1

This release of ART 1.3.1 provides updates to ART 1.3.0.

Added

[None]

Changed

• Changed the method fit of the deep-learning classifiers KerasClassifier, TensorFlowClassifier, TensorFlowV2Classifier, PyTorchClassifier, and MXClassifier in art.estimators.classification to support index labels in addition to one-hot-encoded labels. (#479)
• Changed the preprocessing defence art.defences.preprocessing.Mp3Compression to support input in format np.float32 in addition to np.int16 and updated related notebooks. (#482)

Removed

[None]

Fixed

• Fixed art.attacks.evasion.DeepFool to correctly apply the over-shoot step, previously the over-shoot vector was alwasy zero independent of epsilon. (#476)
• Fixed method set_params for attacks with multiple framework-specific implementations (art.attacks.evasion.AdversarialPatch, and art.attacks.evasion.ProjectedGradientDescent) to set attributes correctly and updated related notebooks, previously these set attributes would have been ignored by the attack. (#481)

ART 1.3.0

This release of ART v1.3.0 is extending ART to a library for machine learning security covering Evasion, Poisoning, Extraction and Inference. The Inference module is a new addition and includes implementations of attribute inference and model inversion attacks. A new Estimator API has been implemented and extends ART 1.3.0 from a library for classification tasks towards a library supporting all possible machine learning tasks including object detection. Multiple state-of-the-art attacks and defenses have been implemented. The READMEs have been redesigned and new Wiki pages have been created.

Added

• Added a new Estimator API art.estimators to abstract machine learning models in ART. It is replacing the previous Classifier API art.classifiers. The new Estimators API is flexible and extensible to support all possible machine learning tasks. The estimator API currently contains implementations for classification, object detection, certification, encoding, generation models. (#350)
• Added a framework-specific and model-specific estimator implementation for PyTorch FasterRCNN (torchvision.model.detection.fasterrcnn_resnet50_fpn` as first object detector estimator. All object detector estimators currently support DPatch, ProjectedGradientDescent, BasicIterativeMethod, and FastGradientMethod evasion attacks. (#350)
• Add a new type of attacks with Inference in art.attacks.inference and first implementations of Attribute Inference and Model Inversion attacks (#439, #428)
• Added progress bars using tqdm to all attacks and defenses to provide information about progress to the user. (#447)
• Added install options to setup.py for frameworks and complete installs. So far ART only installed general non-framework dependencies. This update provides complete install for options all, tensorflow, pytorch, keras, mxnet, xgboost, lightgm, catboost, gpy, and docs. (#446)
• Added dependabot.yml to use GitHub’s Dependabot to propose updates to ART’s dependencies. (#449)
• Added AutoAttack as a new evasion attack. AutoAttack applies a group of white- and back-box attacks (default: AutoPGD with cross-entropy and with difference-logits-ratio loss, SquareAttack, DeepFool) and is an attack approach that achieves state-of-the-art performance in defense evaluations. (#400)
• Added Auto Projected Gradient Descent (AutoPGD) as a new evasion attack. AutoPGD adapts its step size to guarantee increasing loss in each step. (#400)
• Added SquareAttack as a new evasion attack. SquareAttack is a black-box attack based on random search and achieves white-box performance. (#400)
• Added ShadowAttack as new evasion attack. ShadowAttack creates large, but naturally looking perturbations that can to spoof certificates of classifiers certified for example by Randomised Smoothing. (#409)
• Added Wasserstein Attack as a new evasion attack. Wasserstein Attack generates adversarial examples with minimized Wasserstein distances which allow large Lp perturbations in still naturally looking examples. (#422)
• Added DefenceGAN and InverseGAN as new preprocessor defenses. These defenses are based on Generative Adversarial Networks to remove adversarial perturbations. (#411)
• Added the adversarial training protocol Fast Is Better Than Free as a trainer defense for PyTorch models. The Fast Is Better Than Free protocol allows very fast training of adversarially robust models. (#435)
• Added H.264/MPEG-4 AVC video compression as preprocessor defense. This defense attempts to remove adversarial perturbations with compression of video data. (#438)
• Added Feature Collision Clean Label attack as a new poisoning attack for KerasClassifier. This attack allows poisoning the training of a model without modifying the training labels just by adding a modified training example. (#389)
• Added support for custom loss gradients at any layer of neural network in KerasClassifier. This method allows very sophisticated loss functions to create adversarial examples that imitate the feature representation of benign samples at any layer of the neural networks. Support of this method will be extended to other frameworks in future releases. (#389)
• Added framework-specific implementations of ProjectedGradientDescent (PGD) evasion attack for TensorFlow v2 and PyTorch. It follows a new concept in ART where an attack implementation based on Numpy, if available, is compatible with all frameworks and framework-specific implementations can be added that take full advantage of a certain framework and only must support ART estimators for this framework. This enables ART to provide attack implementations that run as fast and accurate as possible and it will facilitate integration of original implementations by the attacks’ creators without the need to translate them into implementations based on Numpy. (#390)
• Added utilities for deprecation of methods and arguments. (#421)
• Added new metric for Wasserstein distance. (#410)
• Added the Spectral Signature Defense as a new detector defense against poisoning. This defense uses spectral signatures to detect and defeat backdoor attacks. (#398)
• Added Mp3 compression as a new preprocessor defense. This defense attempts to remove adversarial perturbations in audio data using MP3 compression. (#391)
• Added resampling as a new preprocessor defense. This defense attempts to remove adversarial perturbations in audio data by resampling the data. (#397)
• Added Feature Adversaries attack as a new evasion attack. This attack generates adversarial examples that minimize the difference in feature representation to a benign sample at a certain layer of a neural networks. (#364)
• Added DPatch as new evasion attack against object detectors. This attack creates digital patches that draw the attention of object detectors to the patch area to prevent the detection of object outside of the patched area. (#362)
• Added a new Docker image providing installations of all machine learning frameworks supported by ART and the dependencies of ART. (#386)
• Added a new method to check a model for obfuscated/vanishing/masked gradients. (#376)
• Added a framework-specific implementation of the AdversarialPatch physical evasion attack for TensorFlow v2. This implementation provides more accurate loss gradients than the Numpy implementation. (#357)
• Added Frame Saliency Attack as a new evasion attack. This attack creates adversarial examples with sparse and imperceptible perturbations, primarily intended for video data. (#358)
• Added Python typing to all source files of ART and a mypy check to all Travis CI runs. (#425)

Changed

• Extended notebooks demonstrating attacks and defenses with audio and video data. (#463)
• Changed KerasClassifier to accept wildcards in the models input shape. (#458)
• Deactivated the gradients computation during model evaluation in PyTorchClassifier.predict which accelerates the prediction by a factor of ~2 or more. (#452)
• Changed art.defence.detector.poison.ActivationDefence to also support data provided with art.data_generators to support datasets larger than the available memory. (#442)
• Changed default value of apply_predict for art.defences.preprocessor.JpegCompression to True to apply it during prediction by default. (#440)
• Removed smoothing factor in tanh to original transformation in CarliniL2Method and CarliniLInfMethod attacks to prevent input values that are extremely close to either of the clip values to be transformed to values outside of the clip values. (#428)
• Changed art.defences.preprocessor.SpatialSmoothing preprocessor defense to support video data. (#415)
• Changed art.defences.preprocessor.JpegCompression preprocessor defense to support video data. (#412)
• Changed copyright notice to “The Adversarial Robustness Toolbox (ART) Authors” and listed original copyright holders in new file AUTHORS. (#406)
• Changed internal format of clip_values from tuple of int or float to numpy.nadarray with dtpye=np.float32. (#392)
• Moved poison detection defences to new module art.defences.detector.poison. (#399)
• Moved Randomized Smoothing from wrapper art.wrappers to new estimators in module art.estimators.certification for TensorFlow and PyTorch and removed art.wrappers.RandomizedSmoothing. (#409)

Removed

• Deprecated argument channel_index of art.classifiers and replaced it with argument channels_first in art.estimators. The new argument channels_first follows usage in the frameworks to describe as a Boolean if the channels dimension is the first or last dimension of a sample. The argument channel_index will be removed after ART 1.4. (#429)

Fixed

• Fixed several bugs in ThermometerEncoding preprocessor defense, implementing the correct forward pass and implemented estimate_gradients to provide gradients in the original space instead of the discretized/encoded space. (#467, #468)
• Fixed bug in Boundary Attack to ensure that the adversarial example is projected back to the sphere in each iteration. (#426)
• Fixed memory leak in KerasClassifier.get_activations by reusing the Keras function calculating the activations. (#417)
• Fixed RGB-BGR conversion bug in Boundary attack notebook. (#402)
• Fixed bug in ActivationDefence for RGB images. (#388)
• Fixed bug in PixelAttack and ThresholdAttack to now return the benign image if no adversarial example has been found. (#384)

ART 1.2.0

This release of ART v1.2.0 introduces new APIs and implementations of model transforming, model training and output post-processing defences, along with new APIs and implementations of poisoning attacks and new implementations of evasion and extraction attacks. Furthermore, ART now also supports Pandas Dataframe as input to its classifier and attack methods.

Added

• Added support for Pandas Dataframe as input to Classifiers and Attacks in addition to numpy.ndarray enabling defences and attacks on models expecting dataframes as input (#244)
• Started a collection of notebooks of adversarial robustness evaluations by adding the evaluation of the EMPIR defence (#319)
• Added an example notebook for adversarial attacks on video data classification (#321)
• Added an example notebook for adversarial attacks on audio data classification (#271)
• Added Backdoor Poisoning Attack (#292)
• Added new API for Transformer defences (#293)
• Added Defensive Distillation as a transformation defence (#293)
• Added new API for Trainer defences (#)
• Added Madry's Protocol for adversarial training as training defence (#294)
• Added new API for Postprocessor defences (#267)
• Added KnockoffNets as extraction attack (#230)
• Added Few Pixel Attack as evasion attack (#280)
• Added Threshold Attack as evasion attack (#281)
• Added option for random epsilon as parameter to the projected gradient descent attack which selects the epsilon from a truncated normal distribution ranging [0, eps] with sigma of eps/2 (#257)

Changed

• Started to refactor the unittests. The tests of KerasClassifier, TensorFlowClassifier, TensorFlowV2Classifier, Boundary attack and Fast Gradient Method have been moved to the new testing system based on pytest with the other tests planned to follow in future releases. (#270)
• Boundary and HopSkipJump attack work now with non-square images (#288)
• Applied Black style formatting
• PyTorchClassifier now allows the user to select a specific GPU (#290)
• The classifiers now accept soft-labels (probabilities) as input in their fit methods in addition to hard-labels (one-hot encoded or index labels) (#251)
• Integrated the post-processing defences into the classifiers following the pre-processing defences (#267)
• Run unittests with TensorFlow everywhere in v2 mode instead of compatibility mode (#264)
• Updated Poisoning attack API (#305)
• Increased definitions of test requirements (#302)

Removed

• Removed implementations of post-processing defences as classifier wrappers (#267)

Fixed

• Improved the logging of unitttests (#227)
• Updated method fit_generator in all neural network classifiers (#323)