Adversarial Robustness Toolbox v1.7 releases: crafting and analysis of attacks and defense methods for machine learning models

Adversarial Robustness Toolbox

Adversarial Robustness 360 Toolbox (ART) is a Python library supporting developers and researchers in defending Machine Learning models (Deep Neural Networks, Gradient Boosted Decision Trees, Support Vector Machines, Random Forests, Logistic Regression, Gaussian Processes, Decision Trees, Scikit-learn Pipelines, etc.) against adversarial threats and helps to make AI systems more secure and trustworthy. Machine Learning models are vulnerable to adversarial examples, which are inputs (images, texts, tabular data, etc.) deliberately modified to produce a desired response by the Machine Learning model. ART provides the tools to build and deploy defenses and test them with adversarial attacks.

Defending Machine Learning models involves certifying and verifying model robustness and model hardening with approaches such as pre-processing inputs, augmenting training data with adversarial samples, and leveraging runtime detection methods to flag any inputs that might have been modified by an adversary. The attacks implemented in ART allow creating adversarial attacks against Machine Learning models which are required to test defenses with state-of-the-art threat models.

Supported attack and defense methods

The Adversarial Robustness Toolbox contains implementations of the following attacks:

• Deep Fool (Moosavi-Dezfooli et al., 2015)
• Fast Gradient Method (Goodfellow et al., 2014)
• Jacobian Saliency Map (Papernot et al., 2016)
• Universal Perturbation (Moosavi-Dezfooli et al., 2016)
• Virtual Adversarial Method (Moosavi-Dezfooli et al., 2015)
• C&W Attack (Carlini and Wagner, 2016)
• NewtonFool (Jang et al., 2017)

The following defense methods are also supported:

• Feature squeezing (Xu et al., 2017)
• Spatial smoothing (Xu et al., 2017)
• Label smoothing (Warde-Farley and Goodfellow, 2016)
• Adversarial training (Szegedy et al., 2013)
• Virtual adversarial training (Miyato et al., 2017)

The details of the work from IBM research can be found in the research paper. The ART toolbox is developed with the goal of helping developers better understand

• Measuring model robustness
• Model hardening
• Runtime detection

Changelog v1.7

Added

• Added LowProFool evasion attack for imperceptible attacks on tabular data classification in art.attacks.evasion.LowProFool. (#1063)
• Added Over-the-Air-Flickering attack in PyTorch for evasion on video classifiers in art.attacks.evasion.OverTheAirFlickeringPyTorch. (#1077, 1102)
• Added API for speech recognition estimators compatible with Imperceptible ASR attack in PyTorch. (#1052)
• Added Carlini&Wagner evasion attack with perturbations in L0-norm in art.attacks.evasion.CarliniL0Method. (#844, #1109)
• Added support for Deep Speech v3 in PyTorchDeepSpeech estimator. (#1107)
• Added support for TensorBoard collecting evolution of norms (L1, L2, and Linf) of loss gradients per batch, adversarial patch, and total loss and its model-specific components where available (e.g. PyTochFasterRCNN) in AdversarialPatchPyTorch, AdversarialPatchTensorFlow, FastGradientMethod, and all ProjectedGradientDescent*` attacks. (#1071)
• Added MalwareGDTensorFlow attack for evasion on malware classification of portable executables supporting append based, section insertion, slack manipulation, and DOS header attacks. (#1015)
• Added Geometric Decision-based Attack (GeoDA) in art.attacks.evasion.GeoDA for query-efficient black-box attacks on decision labels using DCT noise. (#1001)
• Added Feature Adversaries framework-specific in PyTorch and TensorFlow v2 as efficient white-box attack generating adversarial examples imitating intermediate representations at multiple layers in art.attacks.evasion.FeatureAdversaries*. (#1128, #1142, #1156)
• Added attribute inference attack based on membership inference in art.attacks.inference.AttributeInferenceMembership. (#1132)
• Added support for binary classification with neural networks with a single output neuron in FastGradientMethod, and all ProjectedGradientDescent* attacks. Neural network binary classifiers with a single output require setting nb_classes=2 and labels y in shape (nb_samples, 1) or (nb_samples,) containing 0 or 1. Backward compatibility for binary classifiers with two outputs is guaranteed with nb_classes=2 and labels y one-hot-encoded in shape (nb_samples, 2). (#1118)
• Added estimator for Espresso ASR models in art.estimators.speech_recognition.PyTorchEspresso with support for attacks with FastGradientMethod, ProjectedGradientDescentandImperceptibleASRPyTorch`. (#1036)
• Added deprecation warnings for art.classifiers and art.wrappers to be replace with art.estimators. (#1154)

Changed

• Changed art.utils.load_iris to use Iris dataset from sklearn.datasets instead of archive.ics.uci.edu. (#1097 )
• Changed HopSkipJump to check for NaN in the adversarial example candidates and return original (benign) sample if at least one NaN is detected. (#1124)
• Changed SquareAttack to accept user-defined loss and adversarial criterium definitions to enable black-box attacks on all machine learning tasks on images beyond classification. (#1127)
• Changed PyTorchFasterRCNN.loss_gradients to process each sample separately to avoid issues with gradient propagation with torch>=1.7. (#1138)

Fixed

• Fixed workaround in art.defences.preprocessor.Mp3Compression related to a bug in earlier versions of pydub. (#419)
• Fixed bug in Pixel Attack and Threshold Attack for images with pixels in range [0, 1]. (#990)

Download && Tutorial

Copyright (C) IBM Corporation 2018