Adversarial Robustness Toolbox v0.9 releases: crafting and analysis of attacks and defense methods for machine learning models
Adversarial Robustness Toolbox
The Adversarial Robustness Toolbox (ART), an open source software library, supports both researchers and developers in defending deep neural networks against adversarial attacks, making AI systems more secure. Its purpose is to allow rapid crafting and analysis of attack and defense methods for machine learning models.
The Adversarial Robustness Toolbox provides an implementation for many state-of-the-art methods for attacking and defending classifiers. It is designed to support researchers and AI developers in creating novel defense techniques and in deploying practical defenses of real-world AI systems. For AI developers, the library provides interfaces that support the composition of comprehensive defense systems using individual methods as building blocks.
Supported attack and defense methods
The Adversarial Robustness Toolbox contains implementations of the following attacks:
- Deep Fool (Moosavi-Dezfooli et al., 2015)
- Fast Gradient Method (Goodfellow et al., 2014)
- Jacobian Saliency Map (Papernot et al., 2016)
- Universal Perturbation (Moosavi-Dezfooli et al., 2016)
- Virtual Adversarial Method (Moosavi-Dezfooli et al., 2015)
- C&W Attack (Carlini and Wagner, 2016)
- NewtonFool (Jang et al., 2017)
The following defense methods are also supported:
- Feature squeezing (Xu et al., 2017)
- Spatial smoothing (Xu et al., 2017)
- Label smoothing (Warde-Farley and Goodfellow, 2016)
- Adversarial training (Szegedy et al., 2013)
- Virtual adversarial training (Miyato et al., 2017)
The details of the work from IBM research can be found in the research paper. The ART toolbox is developed with the goal of helping developers better understand
- Measuring model robustness
- Model hardening
- Runtime detection
Changelog v0.9
This release contains breaking changes to attacks and defences with regards to setting attributes, removes restrictions on input shapes which enables the use of feature vectors and several bug fixes.
Added
- implement pickle for classifiers
tensorflowandpytorch(#39) - added example
data_augmentation.pydemonstrating the use of data generators
Changed
- renamed and moved tests (#58)
- change input shape restrictions, classifiers accept now any input shape, for example feature vectors; attacks requiring spatial inputs are raising exceptions (#49)
- clipping of data ranges becomes optional in classifiers which allows attacks to accept unbounded data ranges (#49)
- [Breaking changes] class attributes in attacks can no longer be changed with method
generate, changing attributes is only possible with methods__init__andset_params - [Breaking changes] class attributes in defenses can no longer be changed with method
generate, changing attributes is only possible with methods__call__andset_params - resolved inconsistency in PGD random_init with Madry’s version
Removed
- deprecated static adversarial trainer
StaticAdversarialTrainer
Fixed
- Fixed bug in attack ZOO (#60)
Copyright (C) IBM Corporation 2018
