Adversarial Robustness Toolbox v0.7 releases: crafting and analysis of attacks and defense methods for machine learning models

Adversarial Robustness Toolbox

The Adversarial Robustness Toolbox (ART), an open source software library, supports both researchers and developers in defending deep neural networks against adversarial attacks, making AI systems more secure. Its purpose is to allow rapid crafting and analysis of attack and defense methods for machine learning models.

The Adversarial Robustness Toolbox provides an implementation for many state-of-the-art methods for attacking and defending classifiers. It is designed to support researchers and AI developers in creating novel defense techniques and in deploying practical defenses of real-world AI systems. For AI developers, the library provides interfaces that support the composition of comprehensive defense systems using individual methods as building blocks.

Supported attack and defense methods

The Adversarial Robustness Toolbox contains implementations of the following attacks:

The following defense methods are also supported:

The details of the work from IBM Research can be found in the research paper. The toolbox is developed with the goal of helping developers better understand:

  • Measuring model robustness
  • Model hardening
  • Runtime detection

Changelog v0.7

This release contains a new poison removal method, as well as some restructuring of features recently added to the library.


  • Poisoning fixing method performing retraining as part of the ActivationDefence class
  • Example script of how to use the poison removal method
  • New module wrappers containing features that alter the behaviour of a Classifier. These are to be used as wrappers for classifiers and to be passed directly to evasion attack instances.


  • ExpectationOverTransformations has been moved to the wrappers module
  • QueryEfficientBBGradientEstimation has been moved to the wrappers module


  • Attacks no longer take an expectation parameter (breaking). This has been replaced by a direct call to the attack with an ExpectationOverTransformation instance.


  • Bug in spatial transformations attack: when attack does not succeed, original samples are returned now (issue #40, fixed in #42, #43)
  • Bug in Keras with loss functions that do not take labels in one-hot encoding (issue #41)
  • Bug fix in activation defence against poisoning: incorrect test condition
  • Bug fix in DeepFool: inverted stop condition when working with batches
  • An import problem in the top-level imports was forcing users to install all supported ML frameworks

Download && Tutorial

Copyright (C) IBM Corporation 2018