This release contains contains new black-box attacks, detectors, updated attacks and several bug fixes.
Added
- Added HopSkipJump attack, a powerful new black-box attack (#80)
- Added new example script demonstrating the perturbation of a neural network layer between input and output (#92)
- Added a notebook demonstrating
BoundaryAttack - Added a detector based on Fast Generalized Subset Scanning (#100)
Changed
- Changed Basic Iterative Method (BIM) attack to be a special case of Projected Gradient Descent attack with
norm=np.infand without random initialisation (#90) - Reduced calls to method predict in attacks
FastGradientMethodandBasicIterativeMethodto improve performance (#70) - Updated pretrained models in notebooks with on-demand downloads of the pretrained models (#63, #88)
- Added batch processing to
AdversarialPatchattack (#96) - Increased Tensorflow versions in unit testing on Travis CI to 1.12.3, 1.13.1, and 1.14.0 (#94)
- Attacks are now accepting the argument
batch_sizewhich is used in calls toclassifier.predictwithin the attack replacing the default batch_size=128 ofclassifier.predict(#105) - Change order of preprocessing defences and standardisation in classifiers, now defences are applied on the provided input data and standardisation (preprocessing argument of classifier) is applied after the defences (#84
- Update all defences to account for clip_values (#84)
Removed
- Removed pretrained models in directory
modelsused in notebooks and replaced with ondemand downloads (#63, #88) - Removed argument
patch_shapefrom attackAdversarialPatch(#77) - Stopped unit testing for Python 2 on Travis CI (#83)
Fixed
- Fixed all Pylint and LGTM alerts and warnings (#110)
- Fixed broken links in notebooks (#63, #88)
- Fixed broken links to imagenet data in notebook
attack_defense_imagenet(#109) - Fixed calculation of attack budget
epsby accounting for initial benign sample in projection to eps-ball for random initialisation inFastGradientMethodandBasicIterativeMethod(#85)