 Adversarial Robustness Toolbox

 » art.attacks.evasion  Edit on GitHub

art.attacks.evasion

Module providing evasion a acks under a common interface.

Adversarial Patch

class art.attacks.evasion.AdversarialPatch(classifier:
Union[art.es mators.classifica on.classifier.ClassifierNeuralNetwork,
art.es mators.classifica on.classifier.ClassifierGradients], rota on_max: float = 22.5, scale_min: float = 0.1, scale_max: float =
1.0, learning_rate: float = 5.0, max_iter: int = 500, batch_size: int = 16, patch_shape: Op onal[Tuple[int, int, int]] = None)

Implementa on of the adversarial patch a ack.

Paper link: h ps://arxiv.org/abs/1712.09665

__init__(classifier: Union[art.es mators.classifica on.classifier.ClassifierNeuralNetwork,

art.es mators.classifica on.classifier.ClassifierGradients], rota on_max: float = 22.5, scale_min: float = 0.1, scale_max:
float = 1.0, learning_rate: float = 5.0, max_iter: int = 500, batch_size: int = 16, patch_shape: Op onal[Tuple[int, int, int]]
= None)

Create an instance of the AdversarialPatch .

Parameters: classifier – A trained classifier.

rota on_max ( float ) – The maximum rota on applied to random patches.
The value is expected to be in the range [0, 180].
scale_min ( float ) – The minimum scaling applied to random patches. The
value should be in the range [0, 1], but less than scale_max.
scale_max ( float ) – The maximum scaling applied to random patches. The
value should be in the range [0, 1], but larger than scale_min.
learning_rate ( float ) – The learning rate of the op miza on.
max_iter ( int ) – The number of op miza on steps.
batch_size ( int ) – The size of the training batch.
patch_shape – The shape of the adversarial patch as a tuple of shape (width,
height, nb_channels). Currently only supported for TensorFlowV2Classifier. For
classifiers of other frameworks the patch_shape is set to the shape of the
image samples.

apply_patch(x: numpy.ndarray, scale: float, patch_external: Op onal[numpy.ndarray] = None) → numpy.ndarray

 A func on to apply the learned adversarial patch to images.

Return type: ndarray

Parameters: x( ndarray ) – Instances to apply randomly transformed patch.

scale ( float ) – Scale of the applied patch in rela on to the classifier input
shape.
patch_external – External patch to apply to images x.

Returns: The patched instances.

generate(*args, **kwargs)

Generate adversarial samples and return them in an array.

Parameters: x – An array with the original inputs. x is expected to have spa al dimensions.
y – An array with the original labels to be predicted.

Returns: An array holding the adversarial patch.

set_params(**kwargs) → None

Take in a dic onary of parameters and apply a ack-specific checks before saving them as a ributes.

Parameters: kwargs – A dic onary of a ack-specific parameters.

Adversarial Patch - Numpy

class art.attacks.evasion.AdversarialPatchNumpy(classifier:
Union[art.es mators.classifica on.classifier.ClassifierNeuralNetwork,
art.es mators.classifica on.classifier.ClassifierGradients], target: int = 0, rota on_max: float = 22.5, scale_min: float = 0.1,
scale_max: float = 1.0, learning_rate: float = 5.0, max_iter: int = 500, clip_patch: Op onal[Union[list, tuple]] = None,
batch_size: int = 16)

Implementa on of the adversarial patch a ack.

Paper link: h ps://arxiv.org/abs/1712.09665

__init__(classifier: Union[art.es mators.classifica on.classifier.ClassifierNeuralNetwork,

art.es mators.classifica on.classifier.ClassifierGradients], target: int = 0, rota on_max: float = 22.5, scale_min: float =
0.1, scale_max: float = 1.0, learning_rate: float = 5.0, max_iter: int = 500, clip_patch: Op onal[Union[list, tuple]] = None,
batch_size: int = 16) → None

Create an instance of the AdversarialPatchNumpy .

Parameters: classifier – A trained classifier.

target ( int ) – The target label for the created patch.
 rota on_max ( float ) – The maximum rota on applied to random patches.
The value is expected to be in the range [0, 180].
scale_min ( float ) – The minimum scaling applied to random patches. The
value should be in the range [0, 1], but less than scale_max.
scale_max ( float ) – The maximum scaling applied to random patches. The
value should be in the range [0, 1], but larger than scale_min.
learning_rate ( float ) – The learning rate of the op miza on.
max_iter ( int ) – The number of op miza on steps.
clip_patch – The minimum and maximum values for each channel in the form
[(float, float), (float, float), (float, float)].
batch_size ( int ) – The size of the training batch.

apply_patch(x: numpy.ndarray, scale: float, patch_external: numpy.ndarray = None) → numpy.ndarray

A func on to apply the learned adversarial patch to images.

Return type: ndarray

Parameters: x( ndarray ) – Instances to apply randomly transformed patch.

scale ( float ) – Scale of the applied patch in rela on to the classifier input
shape.
patch_external ( ndarray ) – External patch to apply to images x.

Returns: The patched instances.

generate(*args, **kwargs)

Generate adversarial samples and return them in an array.

Parameters: x – An array with the original inputs. x is expected to have spa al dimensions.
y – An array with the original labels to be predicted.

Returns: An array holding the adversarial patch.

Adversarial Patch - TensorFlowV2

class art.attacks.evasion.AdversarialPatchTensorFlowV2(classifier:
Union[art.es mators.classifica on.classifier.ClassifierNeuralNetwork,
art.es mators.classifica on.classifier.ClassifierGradients], rota on_max: float = 22.5, scale_min: float = 0.1, scale_max: float =
1.0, learning_rate: float = 5.0, max_iter: int = 500, batch_size: int = 16, patch_shape: Op onal[Tuple[int, int, int]] = None)

Implementa on of the adversarial patch a ack.

Paper link: h ps://arxiv.org/abs/1712.09665

 __init__(classifier: Union[art.es mators.classifica on.classifier.ClassifierNeuralNetwork,
art.es mators.classifica on.classifier.ClassifierGradients], rota on_max: float = 22.5, scale_min: float = 0.1, scale_max:
float = 1.0, learning_rate: float = 5.0, max_iter: int = 500, batch_size: int = 16, patch_shape: Op onal[Tuple[int, int, int]]
= None)

Create an instance of the AdversarialPatchTensorFlowV2 .

Parameters: classifier – A trained classifier.

rota on_max ( float ) – The maximum rota on applied to random patches.
The value is expected to be in the range [0, 180].
scale_min ( float ) – The minimum scaling applied to random patches. The
value should be in the range [0, 1], but less than scale_max.
scale_max ( float ) – The maximum scaling applied to random patches. The
value should be in the range [0, 1], but larger than scale_min.
learning_rate ( float ) – The learning rate of the op miza on.
max_iter ( int ) – The number of op miza on steps.
batch_size ( int ) – The size of the training batch.
patch_shape – The shape of the adversarial patch as a tuple of shape (width,
height, nb_channels). Currently only supported for TensorFlowV2Classifier. For
classifiers of other frameworks the patch_shape is set to the shape of the
image samples.

apply_patch(x: numpy.ndarray, scale: float, patch_external: Op onal[numpy.ndarray] = None) → numpy.ndarray

A func on to apply the learned adversarial patch to images.

Return type: ndarray

Parameters: x( ndarray ) – Instances to apply randomly transformed patch.

scale ( float ) – Scale of the applied patch in rela on to the classifier input
shape.
patch_external – External patch to apply to images x.

Returns: The patched samples.

reset_patch(ini al_patch_value: numpy.ndarray) → None

Reset the adversarial patch.

Parameters: ini al_patch_value ( ndarray ) – Patch value to use for rese ng the patch.

Auto Attack

class art.attacks.evasion.AutoAttack(es mator: art.es mators.classifica on.classifier.ClassifierGradients, norm:

Union[int, float] = inf, eps: float = 0.3, eps_step: float = 0.1, a acks: Op onal[List[art.a acks.a ack.EvasionA ack]] = None,
batch_size: int = 32, es mator_orig: Op onal[art.es mators.es mator.BaseEs mator] = None)

__init__(es mator: art.es mators.classifica on.classifier.ClassifierGradients, norm: Union[int, float] = inf, eps: float =
0.3, eps_step: float = 0.1, a acks: Op onal[List[art.a acks.a ack.EvasionA ack]] = None, batch_size: int = 32,
es mator_orig: Op onal[art.es mators.es mator.BaseEs mator] = None)

Create a ProjectedGradientDescent instance.

Parameters: es mator ( ClassifierGradients ) – An trained es mator.

norm – The norm of the adversarial perturba on. Possible values: np.inf, 1 or
2.
eps ( float ) – Maximum perturba on that the a acker can introduce.
eps_step ( float ) – A ack step size (input varia on) at each itera on.
a acks – The list of art.a acks.EvasionA ack a acks to be used for
AutoA ack. If it is None the original AutoA ack (PGD, APGD-ce, APGD-dlr,
FAB, Square) will be used.
batch_size ( int ) – Size of the batch on which adversarial samples are
generated.
es mator_orig – Original es mator to be a acked by adversarial examples.

generate(*args, **kwargs)

Generate adversarial samples and return them in an array.

Parameters: x – An array with the original inputs.

y – Target values (class labels) one-hot-encoded of shape (nb_samples,
nb_classes) or indices of shape (nb_samples,). Only provide this parameter if
you’d like to use true labels when cra ing adversarial samples. Otherwise,
model predic ons are used as labels to avoid the “label leaking” effect
(explained in this paper: h ps://arxiv.org/abs/1611.01236). Default is None.

Returns: An array holding the adversarial examples.

Auto Projected Gradient Descent (Auto-PGD)

class art.attacks.evasion.AutoProjectedGradientDescent(es mator:

art.es mators.es mator.BaseEs mator, norm: Union[float, int] = inf, eps: float = 0.3, eps_step: float = 0.1, max_iter: int =
100, targeted: bool = False, nb_random_init: int = 5, batch_size: int = 32, loss_type: Op onal[str] = None)

__init__(es mator: art.es mators.es mator.BaseEs mator, norm: Union[float, int] = inf, eps: float = 0.3, eps_step:
float = 0.1, max_iter: int = 100, targeted: bool = False, nb_random_init: int = 5, batch_size: int = 32, loss_type:
Op onal[str] = None)

Create a AutoProjectedGradientDescent instance.

Parameters: es mator ( BaseEstimator ) – An trained es mator.

 norm – The norm of the adversarial perturba on. Possible values: np.inf, 1 or
2.
eps ( float ) – Maximum perturba on that the a acker can introduce.
eps_step ( float ) – A ack step size (input varia on) at each itera on.
max_iter ( int ) – The maximum number of itera ons.
targeted ( bool ) – Indicates whether the a ack is targeted (True) or
untargeted (False).
nb_random_init ( int ) – Number of random ini alisa ons within the epsilon
ball. For num_random_init=0 star ng at the original input.
batch_size ( int ) – Size of the batch on which adversarial samples are
generated.

generate(*args, **kwargs)

Generate adversarial samples and return them in an array.

Parameters: x – An array with the original inputs.

y – Target values (class labels) one-hot-encoded of shape (nb_samples,
nb_classes) or indices of shape (nb_samples,). Only provide this parameter if
you’d like to use true labels when cra ing adversarial samples. Otherwise,
model predic ons are used as labels to avoid the “label leaking” effect
(explained in this paper: h ps://arxiv.org/abs/1611.01236). Default is None.
mask (np.ndarray) – An array with a mask to be applied to the adversarial
perturba ons. Shape needs to be broadcastable to the shape of x. Any
features for which the mask is zero will not be adversarially perturbed.

Returns: An array holding the adversarial examples.

Decision-Based Attack / Boundary Attack

class art.attacks.evasion.BoundaryAttack(es mator: art.es mators.classifica on.classifier.Classifier, targeted:

bool = True, delta: float = 0.01, epsilon: float = 0.01, step_adapt: float = 0.667, max_iter: int = 5000, num_trial: int = 25,
sample_size: int = 20, init_size: int = 100)

Implementa on of the boundary a ack from Brendel et al. (2018). This is a powerful black-box a ack
that only requires final class predic on.

Paper link: h ps://arxiv.org/abs/1712.04248

__init__(es mator: art.es mators.classifica on.classifier.Classifier, targeted: bool = True, delta: float = 0.01, epsilon:
float = 0.01, step_adapt: float = 0.667, max_iter: int = 5000, num_trial: int = 25, sample_size: int = 20, init_size: int =
100) → None

Create a boundary a ack instance.

 Parameters: es mator ( Classifier ) – A trained classifier.
targeted ( bool ) – Should the a ack target one specific class.
delta ( float ) – Ini al step size for the orthogonal step.
epsilon ( float ) – Ini al step size for the step towards the target.
step_adapt ( float ) – Factor by which the step sizes are mul plied or divided,
must be in the range (0, 1).
max_iter ( int ) – Maximum number of itera ons.
num_trial ( int ) – Maximum number of trials per itera on.
sample_size ( int ) – Number of samples per trial.
init_size ( int ) – Maximum number of trials for ini al genera on of
adversarial examples.

generate(*args, **kwargs)

Generate adversarial samples and return them in an array.

Parameters: x – An array with the original inputs to be a acked.

y – Target values (class labels) one-hot-encoded of shape (nb_samples,
nb_classes) or indices of shape (nb_samples,). If self.targeted is true, then y
represents the target labels.
x_adv_init (np.ndarray) – Ini al array to act as ini al adversarial examples. Same
shape as x.

Returns: An array holding the adversarial examples.

Carlini and Wagner L_2 Attack

class art.attacks.evasion.CarliniL2Method(classifier: art.es mators.classifica on.classifier.ClassifierGradients,

confidence: float = 0.0, targeted: bool = False, learning_rate: float = 0.01, binary_search_steps: int = 10, max_iter: int = 10,
ini al_const: float = 0.01, max_halving: int = 5, max_doubling: int = 5, batch_size: int = 1)

The L_2 op mized a ack of Carlini and Wagner (2016). This a ack is among the most effec ve and
should be used among the primary a acks to evaluate poten al defences. A major difference wrt to the
original implementa on (h ps://github.com/carlini/nn_robust_a acks) is that we use line search in the
op miza on of the a ack objec ve.

Paper link: h ps://arxiv.org/abs/1608.04644

__init__(classifier: art.es mators.classifica on.classifier.ClassifierGradients, confidence: float = 0.0, targeted: bool =

False, learning_rate: float = 0.01, binary_search_steps: int = 10, max_iter: int = 10, ini al_const: float = 0.01,
max_halving: int = 5, max_doubling: int = 5, batch_size: int = 1) → None

Create a Carlini L_2 a ack instance.

Parameters: classifier ( ClassifierGradients ) – A trained classifier.

 confidence ( float ) – Confidence of adversarial examples: a higher value
produces examples that are farther away, from the original input, but
classified with higher confidence as the target class.
targeted ( bool ) – Should the a ack target one specific class.
learning_rate ( float ) – The ini al learning rate for the a ack algorithm.
Smaller values produce be er results but are slower to converge.
binary_search_steps ( int ) – Number of mes to adjust constant with binary
search (posi ve value). If binary_search_steps is large, then the algorithm is not
very sensi ve to the value of ini al_const. Note that the values
gamma=0.999999 and c_upper=10e10 are hardcoded with the same values
used by the authors of the method.
max_iter ( int ) – The maximum number of itera ons.
ini al_const ( float ) – The ini al trade-off constant c to use to tune the
rela ve importance of distance and confidence. If binary_search_steps is large,
the ini al constant is not important, as discussed in Carlini and Wagner
(2016).
max_halving ( int ) – Maximum number of halving steps in the line search
op miza on.
max_doubling ( int ) – Maximum number of doubling steps in the line search
op miza on.
batch_size ( int ) – Size of the batch on which adversarial samples are
generated.

generate(*args, **kwargs)

Generate adversarial samples and return them in an array.

Parameters: x – An array with the original inputs to be a acked.

y – Target values (class labels) one-hot-encoded of shape (nb_samples,
nb_classes) or indices of shape (nb_samples,). If self.targeted is true, then y
represents the target labels. If self.targeted is true, then y_val represents the
target labels. Otherwise, the targets are the original class labels.

Returns: An array holding the adversarial examples.

Carlini and Wagner L_inf Attack

class art.attacks.evasion.CarliniLInfMethod(classifier:
art.es mators.classifica on.classifier.ClassifierGradients, confidence: float = 0.0, targeted: bool = False, learning_rate: float =
0.01, max_iter: int = 10, max_halving: int = 5, max_doubling: int = 5, eps: float = 0.3, batch_size: int = 128)

This is a modified version of the L_2 op mized a ack of Carlini and Wagner (2016). It controls the L_Inf
norm, i.e. the maximum perturba on applied to each pixel.
 __init__(classifier: art.es mators.classifica on.classifier.ClassifierGradients, confidence: float = 0.0, targeted: bool =
False, learning_rate: float = 0.01, max_iter: int = 10, max_halving: int = 5, max_doubling: int = 5, eps: float = 0.3,
batch_size: int = 128) → None

Create a Carlini L_Inf a ack instance.

Parameters: classifier ( ClassifierGradients ) – A trained classifier.

confidence ( float ) – Confidence of adversarial examples: a higher value
produces examples that are farther away, from the original input, but
classified with higher confidence as the target class.
targeted ( bool ) – Should the a ack target one specific class.
learning_rate ( float ) – The ini al learning rate for the a ack algorithm.
Smaller values produce be er results but are slower to converge.
max_iter ( int ) – The maximum number of itera ons.
max_halving ( int ) – Maximum number of halving steps in the line search
op miza on.
max_doubling ( int ) – Maximum number of doubling steps in the line search
op miza on.
eps ( float ) – An upper bound for the L_0 norm of the adversarial
perturba on.
batch_size ( int ) – Size of the batch on which adversarial samples are
generated.

generate(*args, **kwargs)

Generate adversarial samples and return them in an array.

Parameters: x – An array with the original inputs to be a acked.

y – Target values (class labels) one-hot-encoded of shape (nb_samples,
nb_classes) or indices of shape (nb_samples,). If self.targeted is true, then y_val
represents the target labels. Otherwise, the targets are the original class
labels.

Returns: An array holding the adversarial examples.

Decision Tree Attack

class art.attacks.evasion.DecisionTreeAttack(classifier:
art.es mators.classifica on.scikitlearn.ScikitlearnDecisionTreeClassifier, offset: float = 0.001)

Close implementa on of Papernot’s a ack on decision trees following Algorithm 2 and communica on
with the authors.

Paper link: h ps://arxiv.org/abs/1605.07277

 __init__(classifier: art.es mators.classifica on.scikitlearn.ScikitlearnDecisionTreeClassifier, offset: float = 0.001) →
None

Parameters: classifier ( ScikitlearnDecisionTreeClassifier ) – A trained model of type scikit

decision tree.
offset ( float ) – How much the value is pushed away from tree’s threshold.

generate(*args, **kwargs)

Generate adversarial examples and return them as an array.

Parameters: x – An array with the original inputs to be a acked.

y – Target values (class labels) one-hot-encoded of shape (nb_samples,
nb_classes) or indices of shape (nb_samples,).

Returns: An array holding the adversarial examples.

DeepFool

class art.attacks.evasion.DeepFool(classifier: art.es mators.classifica on.classifier.ClassifierGradients, max_iter:

int = 100, epsilon: float = 1e-06, nb_grads: int = 10, batch_size: int = 1)

Implementa on of the a ack from Moosavi-Dezfooli et al. (2015).

Paper link: h ps://arxiv.org/abs/1511.04599

__init__(classifier: art.es mators.classifica on.classifier.ClassifierGradients, max_iter: int = 100, epsilon: float = 1e-
06, nb_grads: int = 10, batch_size: int = 1) → None

Create a DeepFool a ack instance.

Parameters: classifier ( ClassifierGradients ) – A trained classifier.

max_iter ( int ) – The maximum number of itera ons.
epsilon ( float ) – Overshoot parameter.
nb_grads ( int ) – The number of class gradients (top nb_grads w.r.t.
predic on) to compute. This way only the most likely classes are considered,
speeding up the computa on.
batch_size ( int ) – Batch size

generate(*args, **kwargs)

Generate adversarial samples and return them in an array.

Parameters: x – An array with the original inputs to be a acked.

y – An array with the original labels to be predicted.

R A h ldi h d i l l
 Returns: An array holding the adversarial examples.

DPatch

class art.attacks.evasion.DPatch(es mator: art.es mators.object_detec on.object_detector.ObjectDetectorMixin,

patch_shape: Tuple[int, int, int] = 40, 40, 3, learning_rate: float = 5.0, max_iter: int = 500, batch_size: int = 16)

Implementa on of the DPatch a ack.

Paper link: h ps://arxiv.org/abs/1806.02299v4

__init__(es mator: art.es mators.object_detec on.object_detector.ObjectDetectorMixin, patch_shape: Tuple[int, int,

int] = 40, 40, 3, learning_rate: float = 5.0, max_iter: int = 500, batch_size: int = 16)

Create an instance of the DPatch .

Parameters: es mator ( ObjectDetectorMixin ) – A trained object detector.

patch_shape ( Tuple ) – The shape of the adversarial path as a tuple of shape
(height, width, nb_channels).
learning_rate ( float ) – The learning rate of the op miza on.
max_iter ( int ) – The number of op miza on steps.
batch_size ( int ) – The size of the training batch.

apply_patch(x: numpy.ndarray, patch_external: Op onal[numpy.ndarray] = None, random_loca on: bool = False) →

numpy.ndarray

Apply the adversarial patch to images.

Return type: ndarray

Parameters: x( ndarray ) – Images to be patched.

patch_external – External patch to apply to images x. If None the a acks
patch will be applied.
random_loca on ( bool ) – True if patch loca on should be random.

Returns: The patched images.

generate(*args, **kwargs)

Generate DPatch.

Parameters: x – Sample images.

y – Target labels for object detector.

Returns: Adversarial patch.

Elastic Net Attack

class art.attacks.evasion.ElasticNet(classifier: art.es mators.classifica on.classifier.ClassifierGradients,

confidence: float = 0.0, targeted: bool = False, learning_rate: float = 0.01, binary_search_steps: int = 9, max_iter: int = 100,
beta: float = 0.001, ini al_const: float = 0.001, batch_size: int = 1, decision_rule: str = 'EN')

The elas c net a ack of Pin-Yu Chen et al. (2018).

Paper link: h ps://arxiv.org/abs/1709.04114

__init__(classifier: art.es mators.classifica on.classifier.ClassifierGradients, confidence: float = 0.0, targeted: bool =

False, learning_rate: float = 0.01, binary_search_steps: int = 9, max_iter: int = 100, beta: float = 0.001, ini al_const: float
= 0.001, batch_size: int = 1, decision_rule: str = 'EN') → None

Create an Elas cNet a ack instance.

Parameters: classifier ( ClassifierGradients ) – A trained classifier.

confidence ( float ) – Confidence of adversarial examples: a higher value
produces examples that are farther away, from the original input, but
classified with higher confidence as the target class.
targeted ( bool ) – Should the a ack target one specific class.
learning_rate ( float ) – The ini al learning rate for the a ack algorithm.
Smaller values produce be er results but are slower to converge.
binary_search_steps ( int ) – Number of mes to adjust constant with binary
search (posi ve value).
max_iter ( int ) – The maximum number of itera ons.
beta ( float ) – Hyperparameter trading off L2 minimiza on for L1
minimiza on.
ini al_const ( float ) – The ini al trade-off constant c to use to tune the
rela ve importance of distance and confidence. If binary_search_steps is large,
the ini al constant is not important, as discussed in Carlini and Wagner
(2016).
batch_size ( int ) – Internal size of batches on which adversarial samples are
generated.
decision_rule ( str ) – Decision rule. ‘EN’ means Elas c Net rule, ‘L1’ means L1
rule, ‘L2’ means L2 rule.

generate(*args, **kwargs)

Generate adversarial samples and return them in an array.

Parameters: x – An array with the original inputs to be a acked.

y – Target values (class labels) one-hot-encoded of shape (nb_samples,
nb_classes) or indices of shape (nb_samples,). If self.targeted is true, then y
represents the target labels. Otherwise, the targets are the original class
labels.
 Returns: An array holding the adversarial examples.

Fast Gradient Method (FGM)

class art.attacks.evasion.FastGradientMethod(es mator:

art.es mators.classifica on.classifier.ClassifierGradients, norm: int = inf, eps: float = 0.3, eps_step: float = 0.1, targeted: bool
= False, num_random_init: int = 0, batch_size: int = 32, minimal: bool = False)

This a ack was originally implemented by Goodfellow et al. (2015) with the infinity norm (and is known
as the “Fast Gradient Sign Method”). This implementa on extends the a ack to other norms, and is
therefore called the Fast Gradient Method.

Paper link: h ps://arxiv.org/abs/1412.6572

__init__(es mator: art.es mators.classifica on.classifier.ClassifierGradients, norm: int = inf, eps: float = 0.3,
eps_step: float = 0.1, targeted: bool = False, num_random_init: int = 0, batch_size: int = 32, minimal: bool = False) →
None

Create a FastGradientMethod instance.

Parameters: es mator ( ClassifierGradients ) – A trained classifier.

norm ( int ) – The norm of the adversarial perturba on. Possible values:
np.inf, 1 or 2.
eps ( float ) – A ack step size (input varia on).
eps_step ( float ) – Step size of input varia on for minimal perturba on
computa on.
targeted ( bool ) – Indicates whether the a ack is targeted (True) or
untargeted (False)
num_random_init ( int ) – Number of random ini alisa ons within the epsilon
ball. For random_init=0 star ng at the original input.
batch_size ( int ) – Size of the batch on which adversarial samples are
generated.
minimal ( bool ) – Indicates if compu ng the minimal perturba on (True). If
True, also define eps_step for the step size and eps for the maximum
perturba on.

generate(*args, **kwargs)

Generate adversarial samples and return them in an array.

Parameters: x – An array with the original inputs.

y – Target values (class labels) one-hot-encoded of shape (nb_samples,
nb_classes) or indices of shape (nb_samples,). Only provide this parameter if
you’d like to use true labels when cra ing adversarial samples. Otherwise,
 model predic ons are used as labels to avoid the “label leaking” effect
(explained in this paper: h ps://arxiv.org/abs/1611.01236). Default is None.
mask (np.ndarray) – An array with a mask to be applied to the adversarial
perturba ons. Shape needs to be broadcastable to the shape of x. Any
features for which the mask is zero will not be adversarially perturbed.

Returns: An array holding the adversarial examples.

Feature Adversaries

class art.attacks.evasion.FeatureAdversaries(classifier:
art.es mators.classifica on.classifier.ClassifierNeuralNetwork, delta: Op onal[float] = None, layer: Op onal[int] = None,
batch_size: int = 32)

This class represent a Feature Adversaries evasion a ack.

Paper link: h ps://arxiv.org/abs/1511.05122

__init__(classifier: art.es mators.classifica on.classifier.ClassifierNeuralNetwork, delta: Op onal[float] = None, layer:

Op onal[int] = None, batch_size: int = 32)

Create a FeatureAdversaries instance.

Parameters: classifier ( Classifier ) – A trained classifier.

delta – The maximum devia on between source and guide images.
layer – Index of the representa on layer.
batch_size ( int ) – Batch size.

generate(*args, **kwargs)

Generate adversarial samples and return them in an array.

Parameters: x – Source samples.

y – Guide samples.
kwargs –
The kwargs are used as op ons for the minimisa on with
scipy.op mize.minimize using method=”L-BFGS-B”. Valid op ons are based on
the output of scipy.op mize.show_op ons(solver=’minimize’, method=’L-BFGS-B’):
Minimize a scalar func on of one or more variables using the L-BFGS-B
algorithm.
disp : None or int
If disp is None (the default), then the supplied version of iprint is used. If disp
is not None, then it overrides the supplied version of iprint with the
behaviour you outlined.

maxcor : int
 The maximum number of variable metric correc ons used to define the
limited memory matrix. (The limited memory BFGS method does not store
the full hessian but uses this many terms in an approxima on to it.)

ol : float
The itera on stops when
(f^k - f^{k+1})/max{|f^k|,|f^{k+1}|,1} <= ftol .

gtol : float
The itera on will stop when max{|proj g_i | i = 1, ..., n} <= gtol

where pg_i is the i-th component of the projected gradient.

eps : float
Step size used for numerical approxima on of the jacobian.

maxfun : int
Maximum number of func on evalua ons.

maxiter : int
Maximum number of itera ons.

iprint : int, op onal

Controls the frequency of output. iprint < 0 means no output;
iprint = 0 print only one line at the last itera on; 0 < iprint < 99 print
also f and |proj g| every iprint itera ons; iprint = 99 print details of
every itera on except n-vectors; iprint = 100 print also the changes of
ac ve set and final x; iprint > 100 print details of every itera on
including x and g.

callback : callable, op onal

Called a er each itera on, as callback(xk) , where xk is the current
parameter vector.

maxls : int, op onal

Maximum number of line search steps (per itera on). Default is 20.

The op on ol is exposed via the scipy.op mize.minimize interface, but calling

scipy.op mize.fmin_l_bfgs_b directly exposes factr. The rela onship between
the two is ftol = factr * numpy.finfo(float).eps . I.e., factr mul plies the
default machine floa ng-point precision to arrive at ol.

Returns: Adversarial examples.

Raises: KeyError – The argument {} in kwargs is not allowed as op on for

scipy.op mize.minimize using method=”L-BFGS-B”.
Frame Saliency Attack

class art.attacks.evasion.FrameSaliencyAttack(classifier: art.es mators.classifica on.classifier.Classifier,

a acker: art.a acks.a ack.EvasionA ack, method: str = 'itera ve_saliency', frame_index: int = 1, batch_size: int = 1)

Implementa on of the a ack framework proposed by Inkawhich et al. (2018). Priori zes the frame of a
sequen al input to be adversarially perturbed based on the saliency score of each frame.

Paper link: h ps://arxiv.org/abs/1811.11875

__init__(classifier: art.es mators.classifica on.classifier.Classifier, a acker: art.a acks.a ack.EvasionA ack, method:
str = 'itera ve_saliency', frame_index: int = 1, batch_size: int = 1)

Parameters: classifier ( Classifier ) – A trained classifier.

a acker ( EvasionAttack ) – An adversarial evasion a acker which supports
masking. Currently supported: ProjectedGradientDescent,
BasicItera veMethod, FastGradientMethod.
method ( str ) – Specifies which method to use: “itera ve_saliency” (adds
perturba on itera vely to frame with highest saliency score un l a ack is
successful), “itera ve_saliency_refresh” (updates perturba on a er each
itera on), “one_shot” (adds all perturba ons at once, i.e. defaults to original
a ack).
frame_index ( int ) – Index of the axis in input (feature) array x represen ng
the frame dimension.
batch_size ( int ) – Size of the batch on which adversarial samples are
generated.

generate(*args, **kwargs)

Generate adversarial samples and return them in an array.

Parameters: x – An array with the original inputs.

y – An array with the original labels to be predicted.

Returns: An array holding the adversarial examples.

HopSkipJump Attack

class art.attacks.evasion.HopSkipJump(classifier: Classifier, targeted: bool = False, norm: int = 2, max_iter: int =
50, max_eval: int = 10000, init_eval: int = 100, init_size: int = 100)

Implementa on of the HopSkipJump a ack from Jianbo et al. (2019). This is a powerful black-box
a ack that only requires final class predic on, and is an advanced version of the boundary a ack.

Paper link: h ps://arxiv.org/abs/1904.02144

 __init__(classifier: Classifier, targeted: bool = False, norm: int = 2, max_iter: int = 50, max_eval: int = 10000, init_eval:
int = 100, init_size: int = 100) → None

Create a HopSkipJump a ack instance.

Parameters: classifier – A trained classifier.

targeted ( bool ) – Should the a ack target one specific class.
norm ( int ) – Order of the norm. Possible values: np.inf or 2.
max_iter ( int ) – Maximum number of itera ons.
max_eval ( int ) – Maximum number of evalua ons for es ma ng gradient.
init_eval ( int ) – Ini al number of evalua ons for es ma ng gradient.
init_size ( int ) – Maximum number of trials for ini al genera on of
adversarial examples.

generate(*args, **kwargs)

Generate adversarial samples and return them in an array.

Parameters: x – An array with the original inputs to be a acked.

y – Target values (class labels) one-hot-encoded of shape (nb_samples,
nb_classes) or indices of shape (nb_samples,).
x_adv_init (np.ndarray) – Ini al array to act as ini al adversarial examples. Same
shape as x.
resume (bool) – Allow users to con nue their previous a ack.

Returns: An array holding the adversarial examples.

High Confidence Low Uncertainty Attack

class art.attacks.evasion.HighConfidenceLowUncertainty(classifier:
art.es mators.classifica on.GPy.GPyGaussianProcessClassifier, conf: float = 0.95, unc_increase: float = 100.0, min_val: float =
0.0, max_val: float = 1.0)

Implementa on of the High-Confidence-Low-Uncertainty (HCLU) adversarial example formula on by

Grosse et al. (2018)

Paper link: h ps://arxiv.org/abs/1812.02606

__init__(classifier: art.es mators.classifica on.GPy.GPyGaussianProcessClassifier, conf: float = 0.95, unc_increase:

float = 100.0, min_val: float = 0.0, max_val: float = 1.0) → None

Parameters: classifier ( GPyGaussianProcessClassifier ) – A trained model of type

GPYGaussianProcessClassifier.
conf ( float ) – Confidence that examples should have, if there were to be
classified as 1.0 maximally.
 unc_increase ( float ) – Value uncertainty is allowed to deviate, where 1.0 is
original value.
min_val ( float ) – minimal value any feature can take.
max_val ( float ) – maximal value any feature can take.

generate(*args, **kwargs)

Generate adversarial examples and return them as an array.

Parameters: x – An array with the original inputs to be a acked.

y – Target values (class labels) one-hot-encoded of shape (nb_samples,
nb_classes) or indices of shape (nb_samples,).

Returns: An array holding the adversarial examples.

Basic Iterative Method (BIM)

class art.attacks.evasion.BasicIterativeMethod(es mator: ClassifierGradients, eps: float = 0.3, eps_step:

float = 0.1, max_iter: int = 100, targeted: bool = False, batch_size: int = 32)

The Basic Itera ve Method is the itera ve version of FGM and FGSM.

Paper link: h ps://arxiv.org/abs/1607.02533

__init__(es mator: ClassifierGradients, eps: float = 0.3, eps_step: float = 0.1, max_iter: int = 100, targeted: bool =
False, batch_size: int = 32) → None

Create a ProjectedGradientDescent instance.

Parameters: es mator – A trained classifier.

eps ( float ) – Maximum perturba on that the a acker can introduce.
eps_step ( float ) – A ack step size (input varia on) at each itera on.
max_iter ( int ) – The maximum number of itera ons.
targeted ( bool ) – Indicates whether the a ack is targeted (True) or
untargeted (False).
batch_size ( int ) – Size of the batch on which adversarial samples are
generated.

Projected Gradient Descent (PGD)

class art.attacks.evasion.ProjectedGradientDescent(es mator, norm: int = inf, eps: float = 0.3, eps_step:
float = 0.1, max_iter: int = 100, targeted: bool = False, num_random_init: int = 0, batch_size: int = 32, random_eps: bool =
False)
The Projected Gradient Descent a ack is an itera ve method in which, a er each itera on, the
perturba on is projected on an lp-ball of specified radius (in addi on to clipping the values of the
adversarial sample so that it lies in the permi ed data range). This is the a ack proposed by Madry et
al. for adversarial training.

Paper link: h ps://arxiv.org/abs/1706.06083

__init__(es mator, norm: int = inf, eps: float = 0.3, eps_step: float = 0.1, max_iter: int = 100, targeted: bool = False,
num_random_init: int = 0, batch_size: int = 32, random_eps: bool = False)

Create a ProjectedGradientDescent instance.

Parameters: es mator – An trained es mator.

norm ( int ) – The norm of the adversarial perturba on suppor ng np.inf, 1 or
2.
eps ( float ) – Maximum perturba on that the a acker can introduce.
eps_step ( float ) – A ack step size (input varia on) at each itera on.
random_eps ( bool ) – When True, epsilon is drawn randomly from truncated
normal distribu on. The literature suggests this for FGSM based training to
generalize across different epsilons. eps_step is modified to preserve the ra o
of eps / eps_step. The effec veness of this method with PGD is untested
(h ps://arxiv.org/pdf/1611.01236.pdf).
max_iter ( int ) – The maximum number of itera ons.
targeted ( bool ) – Indicates whether the a ack is targeted (True) or
untargeted (False).
num_random_init ( int ) – Number of random ini alisa ons within the epsilon
ball. For num_random_init=0 star ng at the original input.
batch_size ( int ) – Size of the batch on which adversarial samples are
generated.

generate(*args, **kwargs)

Generate adversarial samples and return them in an array.

Parameters: x – An array with the original inputs.

y – Target values (class labels) one-hot-encoded of shape (nb_samples,
nb_classes) or indices of shape (nb_samples,). Only provide this parameter if
you’d like to use true labels when cra ing adversarial samples. Otherwise,
model predic ons are used as labels to avoid the “label leaking” effect
(explained in this paper: h ps://arxiv.org/abs/1611.01236). Default is None.

Returns: An array holding the adversarial examples.

set_params(**kwargs) → None
 Take in a dic onary of parameters and apply a ack-specific checks before saving them as a ributes.

Parameters: kwargs – A dic onary of a ack-specific parameters.

Projected Gradient Descent (PGD) - Numpy

class art.attacks.evasion.ProjectedGradientDescentNumpy(es mator, norm=inf, eps=0.3, eps_step=0.1,

max_iter=100, targeted=False, num_random_init=0, batch_size=32, random_eps=False)

The Projected Gradient Descent a ack is an itera ve method in which, a er each itera on, the
perturba on is projected on an lp-ball of specified radius (in addi on to clipping the values of the
adversarial sample so that it lies in the permi ed data range). This is the a ack proposed by Madry et
al. for adversarial training.

Paper link: h ps://arxiv.org/abs/1706.06083

__init__(es mator, norm=inf, eps=0.3, eps_step=0.1, max_iter=100, targeted=False, num_random_init=0,

batch_size=32, random_eps=False)

Create a ProjectedGradientDescentNumpy instance.

Parameters: es mator ( BaseEstimator ) – An trained es mator.

norm (int) – The norm of the adversarial perturba on suppor ng np.inf, 1 or 2.
eps (float) – Maximum perturba on that the a acker can introduce.
eps_step (float) – A ack step size (input varia on) at each itera on.
random_eps (bool) – When True, epsilon is drawn randomly from truncated
normal distribu on. The literature suggests this for FGSM based training to
generalize across different epsilons. eps_step is modified to preserve the ra o
of eps / eps_step. The effec veness of this method with PGD is untested
(h ps://arxiv.org/pdf/1611.01236.pdf).
max_iter (int) – The maximum number of itera ons.
targeted (bool) – Indicates whether the a ack is targeted (True) or untargeted
(False)
num_random_init (int) – Number of random ini alisa ons within the epsilon
ball. For num_random_init=0 star ng at the original input.
batch_size (int) – Size of the batch on which adversarial samples are
generated.

generate(*args, **kwargs)

Generate adversarial samples and return them in an array.

Parameters: x – An array with the original inputs.

y – Target values (class labels) one-hot-encoded of shape (nb_samples,
nb_classes) or indices of shape (nb_samples,). Only provide this parameter if
you’d like to use true labels when cra ing adversarial samples. Otherwise,