github Trusted-AI/adversarial-robustness-toolbox 1.6.0
ART 1.6.0

4 years ago

This release of ART v1.6.0 introduces the clean-label poisoning attack Bullseye Polytope, a baseline attribute inference attack, and a PyTorch-specific implementation of the Adversarial Patch attack with perspective transformation sampling, i.e. new evaluation tools for the three threat types of poisoning, inference and evasion. Furthermore, this release contains the first set of Expectation over Transformation (EoT) preprocessing tools for image processing and natural corruptions.

Added

  • Added the Bullseye Polytope clean-label poisoning attack in art.attacks.poisoning.BullseyePolytopeAttackPyTorch (#962)
  • Added the Pointwise Differential Training Privacy (PDTP) metric measuring training data membership leakage of trained model in art.metrics.PDTP (#958)
  • Added an attribute inference baseline attack art.attacks.inference.attribute_inference.AttributeInferenceBaseline defining the minimal attribute inference performance that can be achieved without access to the evaluated model (#956)
  • Added a first set of Expectation over Transformation (EoT) preprocessing in art.preprocessing.expectation_over_transformation for image processing and natural image corruptions including brightness, contrast, Gaussian noise, shot noise, and zoom blur. These EoTs enable sampling multiple transformed samples in each forward pass and are fully differentiable for accurate loss gradient calculation in PyTorch and TensorFlow v2. They can be chained together in sequence and are implemented fully framework-specific (#919)
  • Added a function for image trigger perturbations blending images (#913)
  • Added a method insert_transformed_patch to all adversarial patch attacks art.attacks.evasion.AdversarialPatch* applying adversarial patches onto a perspective transformed square defined by the coordinates of its four corners (#891)
  • Added the Adversarial Patch attack framework-specific in PyTorch in art.attacks.evasion.AdversarialPatchPyTorch with additional functionality to support sampling over perspective transformations (#876)

Changed

  • Changed handling of NaN values in loss gradients in art.attacks.evasion.FastGradientMethod and art.attacks.evasion.ProjectedGradientDescent* by replacing NaN values with 0.0 and logging a warning message. This should prevent losing expensive attack runs in late iterations and still return an adversarial example, while the warning alerts the user that gradients were invalid. (#883)
  • Changed permitted ranges for eps_step and eps in art.attacks.evasion.ProjectedGradientDescent* to allow eps_step to be larger than eps for all norms, allow eps_step=np.inf to immediately project towards the norm ball or clip_values, and support eps=0.0 to run the attack without any attack budget. The latter two changes are intended to facilitate the verification of attack setups. (#882)
  • Changed in the unit tests the marker skipMlFramework to skip_framework and the pytest argument mlFramework to framework (#961)
  • Changed art.preprocessing.standardisation_mean_std for standardisation with mean and std to provide extended support for broadcasting by automatically adapting 1-dimensional arrays for mean and std to be broadcastable on NCHW inputs (#839)
  • Changed art.estimators.object_detection.PyTorchFasterRCNN.loss_gradient to not overwrite the input label array with tensors (#954)
  • Changed and automated the setting of model states by removing method set_learning_phase from all estimators and automatically setting the model into the most likely appropriate state for each operation in methods predict (eval mode, training_mode=False), fit (train mode, training_mode=True), loss_gradient (eval mode), class_gradient (eval mode), etc. The default is defined by a new method argument training_mode which can be changed, for example, for debugging purposes. RNN-type models in PyTorch are an exception: there loss_gradient and class_gradient run the model in train mode but freeze the model's batch-norm and dropout layers if training_mode=False. (#781)
  • Changed art.attacks.evasion.BoundaryAttack on normal (L282) and suboptimal (L287) termination to return the adversarial example candidate with the smallest perturbation norm instead of the first adversarial example candidate in its list; this facilitates finding minimum-L2-perturbation adversarial examples (#948)
  • Changed art.attacks.inference.attribute_inference.AttributeInferenceBlackBox to support one-hot encoded features that have been scaled and therefore lie between 0 and 1 instead of being exactly 0 or 1 (#927)
  • Changed imports of tensorflow in TensorFlow v1 specific tools to enable backward compatibility and application with TensorFlow v2 (#880)
  • Changed optimizer of art.attacks.evasion.AdversarialPatchTensorFlowV2 from SGD to Adam for better performance (#878)
  • Changed art.attacks.evasion.BrendelBethgeAttack to include support for numba, following the reference implementation, which leads to great acceleration of the attack (#868)
  • Changed art.estimators.classification.ScikitlearnClassifier and all model specific scikit-learn estimators to provide the new argument use_logits to define returning probability or logit predictions in their methods predict (#872)
  • Changed metric clever_t, and clever and clever_u which depend on it, to reduce long runtimes by computing the class gradients of all samples in rand_pool before looping through the batches. To reduce the risk of ResourceExhaustedError, batching is now also applied on rand_pool to compute class gradients on smaller batches of size pool_factor (#762)
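The NaN-gradient handling (#883) and the relaxed eps/eps_step ranges (#882) above change how a single PGD iteration behaves at its edge cases. The following is an added illustration, not ART's own code: a minimal pure-Python PGD step over a flat feature vector that mirrors the described semantics (NaN replaced by 0.0 with a warning, eps_step=inf jumping straight to the clip bounds before projection, eps=0.0 yielding no perturbation); the function names and the list-based representation are assumptions made here for readability.

```python
import math
import warnings

def l2_norm(v):
    return math.sqrt(sum(d * d for d in v))

def clean_gradient(grad):
    """Replace NaN entries with 0.0 and warn, mirroring the 1.6.0 FGM/PGD behaviour (#883)."""
    n_nan = sum(1 for g in grad if math.isnan(g))
    if n_nan:
        warnings.warn(f"{n_nan} NaN value(s) in loss gradient replaced with 0.0")
    return [0.0 if math.isnan(g) else g for g in grad], n_nan

def project(delta, eps, norm):
    """Project a perturbation onto the eps-ball for norm 'inf' or 2; eps=0.0 collapses it to zero."""
    if norm == "inf":
        return [max(-eps, min(eps, d)) for d in delta]
    n = l2_norm(delta)
    if n == 0.0 or n <= eps:
        return list(delta)
    return [d * eps / n for d in delta]

def pgd_step(x, x_adv, grad, eps, eps_step, norm, clip_values=(0.0, 1.0)):
    """One PGD iteration: step along the (sign-)gradient, clip, project onto the eps-ball, clip again."""
    lo, hi = clip_values
    g, _ = clean_gradient(grad)
    if norm == "inf":
        direction = [math.copysign(1.0, v) if v != 0.0 else 0.0 for v in g]
    else:
        n = l2_norm(g)
        direction = [v / n for v in g] if n > 0.0 else [0.0] * len(g)
    stepped = []
    for xa, d in zip(x_adv, direction):
        if d == 0.0:
            stepped.append(xa)                      # inf * 0.0 would be NaN, so leave the coordinate alone
        elif math.isinf(eps_step):
            stepped.append(math.copysign(eps_step, d))  # eps_step=inf: jump as far as the sign allows
        else:
            stepped.append(xa + eps_step * d)
    # Clipping pulls an infinite step back to clip_values; the projection then enforces the eps budget.
    stepped = [min(hi, max(lo, v)) for v in stepped]
    delta = project([s - xo for s, xo in zip(stepped, x)], eps, norm)
    return [min(hi, max(lo, xo + d)) for xo, d in zip(x, delta)]
```

Running a step with eps_step=inf and then with eps=0.0 is a quick way to verify that an attack setup's projection and clipping behave as intended before spending a long attack run.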

Removed

  • Removed deprecated argument and property channel_index from all estimators. channel_index has been replaced by channels_first. (#869)

Fixed

  • Fixed the criterion of targeted art.attacks.evasion.BoundaryAttack to correctly check during sampling that adversarial predictions differ from the original image prediction, instead of checking that they are the same (#948)
