This is a library dedicated to adversarial machine learning. Its purpose is to allow rapid crafting and analysis of attacks and defense methods for machine learning models. The Adversarial Robustness Toolbox provides an implementation for many state-of-the-art methods for attacking and defending classifiers.
The library is still under development. Feedback, bug reports and extensions are highly appreciated. Get in touch with us on Slack (invite here)!
Documentation of ART: https://adversarial-robustness-toolbox.readthedocs.io
The library is under continuous development. Feedback, bug reports and contributions are very welcome. Get in touch with us on Slack (invite here)!
- TensorFlow (v1 and v2) (www.tensorflow.org)
- Keras (www.keras.io)
- PyTorch (www.pytorch.org)
- MXNet (https://mxnet.apache.org)
- Scikit-learn (www.scikit-learn.org)
- XGBoost (www.xgboost.ai)
- LightGBM (https://lightgbm.readthedocs.io)
- CatBoost (www.catboost.ai)
- GPy (https://sheffieldml.github.io/GPy/)
- Tesseract (https://github.com/tesseract-ocr/tesseract)
Evasion Attacks:
- HopSkipJump attack (Chen et al., 2019)
- High Confidence Low Uncertainty adversarial examples (Grosse et al., 2018)
- Projected gradient descent (Madry et al., 2017)
- NewtonFool (Jang et al., 2017)
- Elastic net attack (Chen et al., 2017)
- Spatial transformations attack (Engstrom et al., 2017)
- Query-efficient black-box attack (Ilyas et al., 2017)
- Zeroth-order optimization attack (Chen et al., 2017)
- Decision-based attack (Brendel et al., 2018)
- Adversarial patch (Brown et al., 2017)
- Decision tree attack (Papernot et al., 2016)
- Carlini & Wagner (C&W)
L_2andL_infattacks (Carlini and Wagner, 2016) - Basic iterative method (Kurakin et al., 2016)
- Jacobian saliency map (Papernot et al., 2016)
- Universal perturbation (Moosavi-Dezfooli et al., 2016)
- DeepFool (Moosavi-Dezfooli et al., 2015)
- Virtual adversarial method (Miyato et al., 2015)
- Fast gradient method (Goodfellow et al., 2014)
Poisoning Attacks:
- Poisoning Attack on SVM (Biggio et al., 2013)
Defences:
- Thermometer encoding (Buckman et al., 2018)
- Total variance minimization (Guo et al., 2018)
- PixelDefend (Song et al., 2017)
- Gaussian data augmentation (Zantedeschi et al., 2017)
- Feature squeezing (Xu et al., 2017)
- Spatial smoothing (Xu et al., 2017)
- JPEG compression (Dziugaite et al., 2016)
- Label smoothing (Warde-Farley and Goodfellow, 2016)
- Virtual adversarial training (Miyato et al., 2015)
- Adversarial training (Szegedy et al., 2013)
Robustness metrics, certifications and verifications:
- Clique Method Robustness Verification (Hongge et al., 2019)
- Randomized Smoothing (Cohen et al., 2019)
- CLEVER (Weng et al., 2018)
- Loss sensitivity (Arpit et al., 2017)
- Empirical robustness (Moosavi-Dezfooli et al., 2015)
Detection of adversarial samples:
- Basic detector based on inputs
- Detector trained on the activations of a specific layer
- Detector based on Fast Generalized Subset Scan (Speakman et al., 2018)
Detectoion of poisoning attacks:
- Detector based on activations analysis (Chen et al., 2018)
The toolbox is designed and tested to run with Python 3.
ART can be installed from the PyPi repository using pip:
pip install adversarial-robustness-toolboxThe most recent version of ART can be downloaded or cloned from this repository:
git clone https://github.com/IBM/adversarial-robustness-toolboxInstall ART with the following command from the project folder art:
pip install .ART provides unit tests that can be run with the following command:
bash run_tests.shExamples of using ART can be found in examples and examples/README.md provides an overview and
additional information. It contains a minimal example for each machine learning framework. All examples can be run with
the following command:
python examples/<example_name>.pyMore detailed examples and tutorials are located in notebooks and notebooks/README.md provides
and overview and more information.
Adding new features, improving documentation, fixing bugs, or writing tutorials are all examples of helpful contributions. Furthermore, if you are publishing a new attack or defense, we strongly encourage you to add it to the Adversarial Robustness 360 Toolbox so that others may evaluate it fairly in their own work.
Bug fixes can be initiated through GitHub pull requests. When making code contributions to the Adversarial Robustness
360 Toolbox, we ask that you follow the PEP 8 coding standard and that you provide unit tests for the new features.
This project uses DCO. Be sure to sign off your commits using the -s flag or
adding Signed-off-By: Name<Email> in the commit message.
git commit -s -m 'Add new feature'The file Examples with CLEVER contains files with examples of models and implementations of CLEVER metric evaluation.
Note that as CLEVER uses a "white-box" setting, the ball of radius of minimum perturbations R and norm of gradient X needs to be known and specified when using ART library for CLEVER. However, I have not figured out the derivation of these values. Hence, I will put a random number for these parameters.
The examples will iterate through 10 batches of which each batch will sample 50 repetitions to estimate CLEVER. We will also use the first 10 test input to evaluate CLEVER score.
If you use ART for research, please consider citing the following reference paper:
@article{art2018,
title = {Adversarial Robustness Toolbox v1.0.1},
author = {Nicolae, Maria-Irina and Sinn, Mathieu and Tran, Minh~Ngoc and Buesser, Beat and Rawat, Ambrish and Wistuba, Martin and Zantedeschi, Valentina and Baracaldo, Nathalie and Chen, Bryant and Ludwig, Heiko and Molloy, Ian and Edwards, Ben},
journal = {CoRR},
volume = {1807.01069},
year = {2018},
url = {https://arxiv.org/pdf/1807.01069}
}