This release includes new evasion attacks, like ZOO, boundary attack and the adversarial patch, as well as the capacity to break non-differentiable defences.
Added
- ZOO black-box attack (class
ZooAttack) - Decision boundary black-box attack (class
BoundaryAttack) - Adversarial patch (class
AdversarialPatch) - Function to estimate gradients in
PreprocessorAPI, along with its implementation for all concrete instances.
This allows to break non-differentiable defences. - Attributes
apply_fitandapply_predictinPreprocessorAPI that indicate if a defence should be used at training and/or test time - Classifiers are now capable of running a full backward pass through defences
savefunction for TensorFlow models- New notebook with usage example for the adversarial patch
- New notebook showing how to synthesize an adversarially robust architecture (see ICLR SafeML Workshop 2019: Evolutionary Search for Adversarially Robust Neural Network by M. Sinn, M. Wistuba, B. Buesser, M.-I. Nicolae, M.N. Tran)
Changed
- [Breaking change] Defences in classifiers are now to be specified as
Preprocessorinstances instead of strings - [Breaking change] Parameter
random_initinFastGradientMethod,ProjectedGradientDescentandBasicIterativeMethodhas been renamed tonum_random_initand allows now to specify the number of random initialization to run before choosing the best attack - Possibility to specify batch size when calling
get_activationsfromClassifierAPI