ART 1.4.0 (GitHub release of Trusted-AI/adversarial-robustness-toolbox)


This release, ART v1.4.0, introduces framework-specific preprocessing defences, Membership Inference attacks, and support for attacks on Automatic Speech Recognition (ASR) tasks. It also adds and improves several evasion and poisoning attacks and defences.

Added

  • Added framework-specific preprocessing defences for PyTorch and TensorFlow v2 in all estimators. This extends the preprocessing defences of ART beyond the framework-independent NumPy implementations of earlier ART versions and makes it possible to use a framework's automatic differentiation to pass accurate loss gradients backwards through the preprocessing defences. This release also adds the first framework-specific implementations of the Spatial Smoothing preprocessing defence in PyTorch and TensorFlow v2, art.defences.preprocessor.SpatialSmoothingPyTorch and art.defences.preprocessor.SpatialSmoothingTensorFlowV2. (#510, #574)
  • Added Membership Inference attacks to evaluate leaks of information about individual training data records: art.attacks.inference.membership_inference (#573)
  • Added the Neural Cleanse defence against poisoned models. This is the first transformation defence against poisoning: it accepts a potentially poisoned model and returns a transformed version of the model defended against the effects of the poisoning: art.defences.transformer.poison.NeuralCleanse (#604)
  • Added the Imperceptible ASR evasion attack against Automatic Speech Recognition in PyTorch: art.attacks.evasion.ImperceptibleASRPytorch (#605)
  • Added the Adversarial Embedding poisoning attack: art.attacks.poisoning.PoisoningAttackAdversarialEmbedding (#561)
  • Added a new framework- and model-specific estimator for DeepSpeech in PyTorch: art.estimators.speech_recognition.PyTorchDeepSpeech (#581)
  • Added support for specifying the infinity norm as a string in evasion attacks, to facilitate serialisation of arguments (#575)
  • Added support for targeted attacks in art.attacks.evasion.AutoAttack (#494)
  • Added a targeted version of the DPatch evasion attack against object detectors: art.attacks.evasion.DPatch (#599)
  • Added the property targeted to evasion attacks, indicating whether the attack is targeted: art.attacks.EvasionAttack (#500)
  • Added a new framework- and model-specific estimator for Faster-RCNN in TensorFlow: art.estimators.object_detection.TensorFlowFasterRCNN (#487)
  • Added the ShapeShifter evasion attack against object detectors: art.attacks.evasion.ShapeShifter (#487)
  • Added the Simple Black-box Adversarial (SimBA) evasion attack: art.attacks.evasion.SimBA (#469)
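The first bullet above describes defences that sit inside the framework's computation graph, so that loss gradients are passed accurately back through the preprocessing step instead of stopping at it. The following pure-Python example is added here to illustrate that idea; it is not code from ART or from the project. It hand-writes a 1-D median-filter smoothing with a forward and a backward pass, places a logistic classifier behind it, and checks the backward pass against central finite differences of the full defended pipeline. It also computes the gradient obtained by treating the smoothing as an identity, which is what a defence applied outside the graph effectively yields. The input vector, weights and label are constructed sample values; the median filter, its backward rule and the classifier are simplifications assumed for this demonstration and are not ART's implementation.

```python
"""Gradients through a spatial-smoothing defence: exact backward pass vs. an identity shortcut."""
import math

# Constructed sample input (distinct values, so the median is unambiguous), weights and label.
SAMPLE_X = [0.2, 0.9, 0.4, 0.1, 0.7, 0.3]
SAMPLE_W = [0.5, -1.0, 0.8, 0.3, -0.6, 0.9]
SAMPLE_Y = 1  # label in {-1, +1}


def median_filter_1d(x, window=3):
    """Forward pass of a 1-D median filter with edge replication.

    Returns the smoothed values and, for each output, the index of the input
    element that was selected as the median (needed by the backward pass).
    """
    n, half = len(x), window // 2
    out, sel = [], []
    for i in range(n):
        idxs = [min(max(i + k, 0), n - 1) for k in range(-half, half + 1)]
        order = sorted(idxs, key=lambda j: x[j])  # stable sort by value
        m = order[len(order) // 2]  # index of the median element
        out.append(x[m])
        sel.append(m)
    return out, sel


def median_filter_backward(grad_out, sel, n):
    """Backward pass: a median is a selection, so each output gradient is
    routed unchanged to the input index that was selected (subgradient)."""
    grad_in = [0.0] * n
    for g, j in zip(grad_out, sel):
        grad_in[j] += g
    return grad_in


def logistic_loss(z, w, y):
    """Logistic loss of a linear classifier on the (preprocessed) input z."""
    s = sum(wi * zi for wi, zi in zip(w, z))
    return math.log1p(math.exp(-y * s))


def loss_grad_wrt_z(z, w, y):
    """d loss / d z for the logistic loss above: -y * sigmoid(-y*s) * w."""
    s = sum(wi * zi for wi, zi in zip(w, z))
    dloss_ds = -y / (1.0 + math.exp(y * s))
    return [dloss_ds * wi for wi in w]


def defended_loss(x, w, y):
    """Loss of the full pipeline: smoothing defence followed by the classifier."""
    z, _ = median_filter_1d(x)
    return logistic_loss(z, w, y)


def exact_input_gradient(x, w, y):
    """Gradient w.r.t. the raw input, back-propagated through the defence
    (the in-graph behaviour the framework-specific defences provide)."""
    z, sel = median_filter_1d(x)
    return median_filter_backward(loss_grad_wrt_z(z, w, y), sel, len(x))


def identity_input_gradient(x, w, y):
    """Gradient that ignores the defence, i.e. treats the smoothing as identity
    (what an out-of-graph preprocessing step effectively yields)."""
    z, _ = median_filter_1d(x)
    return loss_grad_wrt_z(z, w, y)


def finite_difference_gradient(x, w, y, eps=1e-6):
    """Central finite differences of the defended loss, used as ground truth."""
    grad = []
    for i in range(len(x)):
        xp, xm = list(x), list(x)
        xp[i] += eps
        xm[i] -= eps
        grad.append((defended_loss(xp, w, y) - defended_loss(xm, w, y)) / (2 * eps))
    return grad


def max_abs_diff(a, b):
    return max(abs(u - v) for u, v in zip(a, b))


def run_demo(x=SAMPLE_X, w=SAMPLE_W, y=SAMPLE_Y):
    """Compare both gradient estimates against the finite-difference reference."""
    fd = finite_difference_gradient(x, w, y)
    return {
        "exact_vs_fd": max_abs_diff(exact_input_gradient(x, w, y), fd),
        "identity_vs_fd": max_abs_diff(identity_input_gradient(x, w, y), fd),
    }


if __name__ == "__main__":
    for name, err in run_demo().items():
        print(f"{name}: max abs error = {err:.3e}")
```

In the sample, input positions 1, 3 and 4 are never selected as a median, so the exact gradient there is zero, while the identity shortcut reports a sizeable gradient for them. An evaluation that relies on the shortcut therefore attributes sensitivity to coordinates the defended model does not depend on, which is the kind of inaccuracy (a form of gradient masking) that leads to over-optimistic robustness numbers; the in-graph defences exist so that evaluations use the true gradient instead.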

Changed

  • Changed the adversarial trainer and Projected Gradient Descent implementations to show progress bars (#603)
  • Changed import paths of Attribute Inference and Model Inversion attacks (#592)

Removed

[None]

Fixed

  • Fixed bug in Thermometer Encoding preprocessor defense and extended it to support channels first data and video data formats (#591)
  • Fixed denormalisation in create_generator_layers in utils/resources/create_inverse_gan_models.py (#491)
