github Trusted-AI/adversarial-robustness-toolbox 1.16.0
ART 1.16.0


This release of ART 1.16.0 introduces multiple estimators for certified robustness and Hugging Face models, adversarial training with Adversarial Weight Perturbation, improvements for inference attacks, and more.

Added

  • Added estimator for smoothed vision transformers as defence against evasion with adversarial patches (#2171)
  • Added estimators for variations of randomised smoothing including MACER, SmoothAdv, and SmoothMix for PyTorch and TensorFlow (#2218)
  • Added adversarial training with Adversarial Weight Perturbation protocol in PyTorch (#2224)
  • Added estimator for Hugging Face models with PyTorch backend (#2245)
  • Added ObjectSeeker certifiably robust defence for object detectors against poisoning and adversarial patches (#2246)
  • Added representation string __repr__ to all attacks (#2274)

Changed

  • Changed inference attacks to support additional attack model types (e.g., KNN, LR) and replaced scikit-learn's MLPClassifier with a PyTorch neural network model (#2253)
  • Changed the attacks' method set_params to raise ValueError if an attribute that was not previously defined is set (#2257)
  • Changed AutoAttack to support multiprocessing and running attacks in parallel (#2258)

Removed

[None]

Fixed

  • Fixed docstring of TargetedUniversalPerturbation (#2212)
  • Fixed unsupported-operand error caused by dependency updates in AdversarialPatchTensorFlowV2 (#2276)
  • Fixed bug in AutoAttack to avoid skipping attacks that do not support targeted mode (#2257)
