This release of ART 1.12.0 introduces the first black-box adversarial patch attack, overlapping shadow datasets for membership inference, certified adversarial training, and more.

Added

• Added Sleeper Agent poisoning attack in TensorFlow in art.attacks.poisoning.SleeperAgentAttack (#1769)
• Added support for overlapping shadow models and black-box model predictions as input in membership inference attacks (#1778)
• Added adversarial accuracy as a metric (#1779)
• Added function art.utils.uniform_sample_from_sphere_or_ball to sample uniformly from either the ball or the sphere with a given norm and radii (#1804)
• Added GRAPHITE, black- and white-box evasion attacks generating adversarial patches (#1828)
• Added certified adversarial training (#1841)

Changed

• Changed art.attacks.evasion.DPatch to accept true labels (#1780)
• Changed art.utils.random_sphere to use a different, faster algorithm for norm=1 based on exponential distribution (#1805)

Removed

[None]

Fixed

[None]