github Trusted-AI/adversarial-robustness-toolbox 1.9.0
ART 1.9.0

3 years ago

ART 1.9.0 introduces the first evasion attack designed specifically for object tracking applications, which distinguishes foreground from background objects; the first evasion attack on image classifiers that simulates laser beams projected onto the target object; a new Summary Writer API for collecting attack-internal custom metrics; a defense against general poisoning attacks (Deep Partition Aggregation); and tools for training shadow models in support of membership inference attacks.

Added

  • Added tools for training shadow models and generating shadow-datasets in support of membership inference attacks in art.attacks.inference.membership_inference.shadow_models. (#1345, #1395)
  • Added hill-climbing synthetic data generation algorithm (Shokri et al., 2017) to train shadow models without access to actual data. (#1345, #1395)
  • Added experimental estimator for classification models in JAX in art.experimental.estimators.classification.JaxClassifier (#1360)
  • Added Deep Partition Aggregation as classification estimator in art.estimators.classification.DeepPartitionEnsemble to defend against general poisoning attacks (#1397)
  • Added the Adversarial Laser Beam attack in art.attacks.evasion.LaserAttack as an easy-to-realize physical evasion attack (#1398)
  • Added a customizable Summary Writer API in art.summary_writer.SummaryWriter to collect attack-internal metrics in supported attacks and to write the collected metrics in TensorBoard format for analysis (#1416)
  • Added Indicators of Attack Failure (Pintor et al., 2021) as metrics in default summary writer art.summary_writer.SummaryWriterDefault (#1416)
  • Added the Adversarial Texture attack against object tracking models in art.attacks.evasion.AdversarialTexturePyTorch. The attack distinguishes foreground and background objects to create textures/patches that keep working even when partially occluded. (#1430)
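
The hill-climbing synthesis referenced above (Shokri et al., 2017, Algorithm 1), as an added pure-Python illustration written for this note; it is not ART's implementation in art.attacks.inference.membership_inference.shadow_models and should not be read as its API. The attacker has black-box access only to the target model's prediction vector and no real data: for each target class c it perturbs k features of the best record found so far, keeps proposals that do not lower the target's confidence in c, halves k after repeated rejections, and accepts a record with probability equal to its confidence once it is both predicted as c and above a confidence floor. The binary-feature target_model and every constant below are constructed stand-ins for the real black box.

```python
import math
import random
from typing import Callable, List, Optional, Sequence, Tuple

N_FEATURES = 32
Record = List[int]

# Constructed stand-in for the victim's black-box model (hypothetical): a
# logistic classifier over binary features that favours class 1 when the first
# half of the features are set. A real attacker would query the target's
# prediction API here instead.
_WEIGHTS = [1.0] * (N_FEATURES // 2) + [-1.0] * (N_FEATURES // 2)
_BIAS = -2.0


def target_model(x: Sequence[int]) -> List[float]:
    """Black-box query: returns the prediction vector [p(class 0), p(class 1)]."""
    logit = sum(w * v for w, v in zip(_WEIGHTS, x)) + _BIAS
    p1 = 1.0 / (1.0 + math.exp(-logit))
    return [1.0 - p1, p1]


def rand_record(rng: random.Random, base: Optional[Record] = None, k: int = 0) -> Record:
    """randRecord(): a uniformly random record, or `base` with k randomly
    chosen features re-drawn (the algorithm's proposal step)."""
    if base is None:
        return [rng.randint(0, 1) for _ in range(N_FEATURES)]
    x = list(base)
    for i in rng.sample(range(N_FEATURES), k):
        x[i] = rng.randint(0, 1)
    return x


def synthesize(c: int, predict: Callable[[Sequence[int]], List[float]], rng: random.Random,
               k_max: int = 8, k_min: int = 1, conf_min: float = 0.9,
               rej_max: int = 10, iter_max: int = 1000) -> Optional[Record]:
    """Algorithm 1 of Shokri et al.: hill-climb on the target's confidence for
    class c. Returns a record the target classifies as c with confidence above
    conf_min, or None if iter_max queries are exhausted."""
    x = rand_record(rng)
    x_star, y_star_c = x, 0.0   # best record so far and its confidence
    j, k = 0, k_max             # consecutive rejections, features to perturb
    for _ in range(iter_max):
        y = predict(x)
        y_c = y[c]
        if y_c >= y_star_c:     # proposal did not lower the confidence: accept
            if y_c > conf_min and y.index(max(y)) == c:
                if rng.random() < y_c:   # keep with probability equal to its confidence
                    return x
            x_star, y_star_c = x, y_c
            j = 0
        else:
            j += 1
            if j > rej_max:     # stuck: halve the perturbation size
                k = max(k_min, math.ceil(k / 2))
                j = 0
        x = rand_record(rng, x_star, k)
    return None


def synthesize_dataset(n_per_class: int, classes: Sequence[int],
                       predict: Callable[[Sequence[int]], List[float]],
                       seed: int = 0, max_attempts: int = 100) -> List[Tuple[Record, int]]:
    """Builds a labelled shadow-model training set purely from black-box queries."""
    rng = random.Random(seed)
    data: List[Tuple[Record, int]] = []
    for c in classes:
        made = attempts = 0
        while made < n_per_class:
            attempts += 1
            if attempts > max_attempts:
                raise RuntimeError(f"could not synthesize a record for class {c}")
            x = synthesize(c, predict, rng)
            if x is not None:
                data.append((x, c))
                made += 1
    return data


if __name__ == "__main__":
    for x, c in synthesize_dataset(3, (0, 1), target_model):
        print(c, [round(p, 3) for p in target_model(x)], "".join(map(str, x)))
```

Every accepted record costs up to iter_max queries against the target, so on a real deployment the query budget, rate limits and logging of the prediction API are the practical constraints; the synthesized records are then split into "in" and "out" sets for the shadow models, which is the part the ART tooling provides.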

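Deep Partition Aggregation as listed above, shown as an added toy example written for this note; it is not ART's art.estimators.classification.DeepPartitionEnsemble and the nearest-centroid base learner, the hash function choice, the two-cluster dataset and the poison point are all constructed here. The security argument it demonstrates is the one behind the defense (Levine & Feizi, 2020): training data is split into k disjoint partitions by a deterministic hash of each sample, one base model is trained per partition, and predictions are aggregated by majority vote, so a single poisoned sample can only alter the one base model whose partition it hashes into and the vote margin yields a certified bound on how many poisoned samples a prediction tolerates.

```python
import hashlib
import random
from collections import Counter
from typing import Dict, List, Sequence, Tuple

Vector = Sequence[float]
Sample = Tuple[Vector, int]
Centroids = Dict[int, List[float]]


def partition_index(x: Vector, k: int) -> int:
    """Deterministic hash partitioning: a training sample lands in exactly one
    of k partitions, so one inserted or removed sample touches one base model."""
    digest = hashlib.sha256(repr([float(v) for v in x]).encode()).digest()
    return int.from_bytes(digest[:8], "big") % k


def train_centroid(samples: List[Sample]) -> Centroids:
    """Toy base learner (hypothetical): one mean vector per class."""
    sums: Centroids = {}
    counts: Counter = Counter()
    for x, y in samples:
        acc = sums.setdefault(y, [0.0] * len(x))
        for i, v in enumerate(x):
            acc[i] += v
        counts[y] += 1
    return {y: [v / counts[y] for v in acc] for y, acc in sums.items()}


def predict_centroid(model: Centroids, x: Vector, default: int) -> int:
    """Nearest-centroid prediction; a base model with no training data casts a
    fixed default vote so that every partition contributes exactly one vote."""
    if not model:
        return default
    return min(model, key=lambda y: (sum((a - b) ** 2 for a, b in zip(x, model[y])), y))


class DeepPartitionAggregation:
    def __init__(self, k: int):
        self.k, self.labels, self.models = k, [], []

    def fit(self, data: List[Sample]) -> "DeepPartitionAggregation":
        self.labels = sorted({y for _, y in data})
        buckets: List[List[Sample]] = [[] for _ in range(self.k)]
        for x, y in data:
            buckets[partition_index(x, self.k)].append((x, y))
        self.models = [train_centroid(b) for b in buckets]
        return self

    def votes(self, x: Vector) -> Counter:
        return Counter(predict_centroid(m, x, self.labels[0]) for m in self.models)

    def predict(self, x: Vector) -> int:
        c = self.votes(x)
        return min(self.labels, key=lambda y: (-c[y], y))  # ties: smaller label wins

    def certified_radius(self, x: Vector) -> int:
        """Largest number of training samples an attacker may insert or remove
        (a modification counts as both) without being able to change predict(x):
        each such sample re-trains one partition, moving at most one vote from
        the winner a to the runner-up b, so the gap shrinks by at most 2."""
        c = self.votes(x)
        a, b = sorted(self.labels, key=lambda y: (-c[y], y))[:2]
        return (c[a] - c[b] - (1 if b < a else 0)) // 2


def make_clean_data(n_per_class: int = 100, seed: int = 0) -> List[Sample]:
    """Constructed two-class data: class 0 near (0, 0), class 1 near (10, 10)."""
    rng = random.Random(seed)
    return [((c + rng.uniform(-0.5, 0.5), c + rng.uniform(-0.5, 0.5)), label)
            for label, c in ((0, 0.0), (1, 10.0)) for _ in range(n_per_class)]


# Constructed poison: one far-away point labelled class 0 drags the class-0
# centroid of whichever base model trains on it far away from the probe point.
POISON: Sample = ((-1000.0, -1000.0), 0)
PROBE: Vector = (3.0, 3.0)


def poisoning_effect(k: int) -> Tuple[int, int, int]:
    """(clean prediction, certified radius, prediction after inserting POISON)
    for a k-partition ensemble; k=1 is an ordinary single model."""
    clean = make_clean_data()
    dpa = DeepPartitionAggregation(k).fit(clean)
    poisoned = DeepPartitionAggregation(k).fit(clean + [POISON])
    return dpa.predict(PROBE), dpa.certified_radius(PROBE), poisoned.predict(PROBE)


if __name__ == "__main__":
    for k in (1, 5):
        print("k=%d: clean=%d certified_radius=%d poisoned=%d" % ((k,) + poisoning_effect(k)))
```

With k=1 the single model has certified radius 0 and one inserted sample flips the probe's label; with k=5 the poison re-trains one partition only, the other four outvote it, and the radius computed on the clean ensemble already tells the defender how many such insertions the prediction survives. The trade-off the real DeepPartitionEnsemble inherits is the same one visible here: each base model sees only 1/k of the data, so larger k buys a larger certificate at the cost of weaker base models.
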
Changed

  • Changed the implementation of the Carlini & Wagner L_inf attack in art.attacks.evasion.CarliniLInfMethod to exactly reproduce the performance of the reference implementation (#1380)
  • Changed art.defences.preprocessor.preprocessor.PreprocessorPyTorch to accept a device_type argument in __init__, so that the _device attribute is set for all PyTorch preprocessors in a single location (#1444)

Removed

  • Removed deprecated NumPy scalar type names (#1296)
  • Removed outdated comments in tests.attacks.test_simba stating that SimBA did not support PyTorch (#1423)

Fixed

  • Fixed missing support for batches of more than one image in art.attacks.evasion.SimBA.generate; previously only the first sample was attacked when several images were provided. (#1422)
  • Fixed art.attacks.poisoning.perturbations.insert_image to preserve the dtype of the input images in the returned images (#1441)
  • Fixed art.utils.check_and_transform_label_format not converting binary index labels to one-hot encoding when return_one_hot=True (#1443)
