Adversarial Robustness Toolbox v1.16 releases: crafting and analysis of attacks and defense methods for machine learning models

Adversarial Robustness Toolbox

Adversarial Robustness 360 Toolbox (ART) is a Python library supporting developers and researchers in defending Machine Learning models (Deep Neural Networks, Gradient Boosted Decision Trees, Support Vector Machines, Random Forests, Logistic Regression, Gaussian Processes, Decision Trees, Scikit-learn Pipelines, etc.) against adversarial threats and helps to make AI systems more secure and trustworthy. Machine Learning models are vulnerable to adversarial examples, which are inputs (images, texts, tabular data, etc.) deliberately modified to produce a desired response by the Machine Learning model. ART provides the tools to build and deploy defenses and test them with adversarial attacks.

Defending Machine Learning models involves certifying and verifying model robustness and model hardening with approaches such as pre-processing inputs, augmenting training data with adversarial samples, and leveraging runtime detection methods to flag any inputs that might have been modified by an adversary. The attacks implemented in ART allow creating adversarial attacks against Machine Learning models which are required to test defenses with state-of-the-art threat models.

Supported attack and defense methods

The Adversarial Robustness Toolbox contains implementations of the following attacks:

• Deep Fool (Moosavi-Dezfooli et al., 2015)
• Fast Gradient Method (Goodfellow et al., 2014)
• Jacobian Saliency Map (Papernot et al., 2016)
• Universal Perturbation (Moosavi-Dezfooli et al., 2016)
• Virtual Adversarial Method (Moosavi-Dezfooli et al., 2015)
• C&W Attack (Carlini and Wagner, 2016)
• NewtonFool (Jang et al., 2017)

The following defense methods are also supported:

• Feature squeezing (Xu et al., 2017)
• Spatial smoothing (Xu et al., 2017)
• Label smoothing (Warde-Farley and Goodfellow, 2016)
• Adversarial training (Szegedy et al., 2013)
• Virtual adversarial training (Miyato et al., 2017)

The details of the work from IBM research can be found in the research paper. The ART toolbox is developed with the goal of helping developers better understand

• Measuring model robustness
• Model hardening
• Runtime detection

Changelog v1.16

This release of ART 1.16.0 introduces multiple estimators for certified robustness and Hugging Face models, adversarial training with Adversarial Weight Perturbation, improvements for inference attacks, and more.

Added

• Added estimator for smoothed vision transformers as defence against evasion with adversarial patches (#2171)
• Added estimators for variations of randomised smoothing including MACER, SmoothAdv, and SmoothMix for PyTorch and TensorFlow (#2218)
• Added adversarial training with Adversarial Weight Perturbation protocol in PyTorch (#2224)
• Added estimator for Hugging Face models with PyTorch backend (#2245)
• Added ObjectSeeker certifiably robust defence for object detectors against poisoning and adversarial patches (#2246)
• Added representation string __repr__ to all attacks (#2274)

Changed

• Changed inference attacks to support additional attack model types (e.g., KNN, LR, etc.) and replaced scikit-learn’s MLPClassifier with a PyTorch neural network model (#2253)
• Changes attacks’s method set_params to raise ValueError if a not previously defined attributed is set (#2257)
• Changed AutoAttack to support multiprocessing and support running attacks in parallel (#2258)

Fixed

• Fixed docstring of TargetedUniversalPerturbation (#2212)
• Fixed bug of unsupported operands because of dependency updates in AdversarialPatchTensorFlowV2 (#2276)
• Fixed bug in AutoAttack to avoid that attacks which do not support targeted mode are skipped (#2257)

Download && Tutorial

Copyright (C) IBM Corporation 2018