adversarial-robustness-toolbox/art/defences/feature_squeezing.py

    if clip_values[1] != 0:
        x_ = x_ / clip_values[1]

if clip_values[0] is not 0, this will be wrong , the right is

    if clip_values[1] != 0:
        x_ = x_ / （clip_values[1]-clip_values[0]）

Investigate to which extent models from scikit-learn can fit under the Classifier interface. Some features from the ART API might not be available for this framework. The analysis should cover what those features are. Similarly, if ART can only support some models from scikit-learn, a list of these should be provided.

Depending on the result of the analysis, the list of features to be implemented will be scoped.

The src and classifiers modules are missing import statements in __init__.py to expose the modules. __init__.py import statements should be similar to the src.attacks module.

The following code yields an error when the second attack is called:

model = ResNet50(weights="imagenet")
classifier = KerasClassifier((0,255), model, use_logits=False)
wrapper_1 = QueryEfficientBBGradientEstimation(classifier, 100, 1/128., round_samples=1/255.)
attack_1 = FastGradientMethod(wrapper_1, eps=3)

adv_image_1=attack_1.generate(image)

wrapper_2 = QueryEfficientBBGradientEstimation(classifier, 20, 1/64., round_samples=1/255.)
attack_2= FastGradientMethod(wrapper_2, eps=2)

adv_image_2=attack_2.generate(image)

Infinite loop error:

RecursionError                            Traceback (most recent call last)
<ipython-input-23-e5163801e214> in <module>
----> 1 adv_image_2=attack_2.generate(image)~\Anaconda3\lib\site-packages\art\attacks\fast_gradient.py in generate(self, x, **kwargs)
   143             # Use model predictions as correct outputs
   144             logger.info('Using model predictions as correct labels for FGM.')
--> 145             y = get_labels_np_array(self.classifier.predict(x))
   146         else:
   147             y = params_cpy.pop(str('y'))~\Anaconda3\lib\site-packages\art\wrappers\query_efficient_bb.py in _wrap_predict(self, x, logits, batch_size)
   117         :rtype: `np.ndarray`
   118         """
--> 119         return self._predict(clip_and_round(x, self.clip_values, self.round_samples), logits, batch_size)... last 1 frames repeated, from the frame below ...~\Anaconda3\lib\site-packages\art\wrappers\query_efficient_bb.py in _wrap_predict(self, x, logits, batch_size)
   117         :rtype: `np.ndarray`
   118         """
--> 119         return self._predict(clip_and_round(x, self.clip_values, self.round_samples), logits, batch_size)RecursionError: maximum recursion depth exceeded while calling a Python object

This is because wrappers have side effects. Here both wrappers replace the predict function of the same original classifier. Quick fix is to use two separate instances of classifiers, one per wrapper, but long term a better solution could be designed.

hi,
i wanted to know how to fix compatiblity issue of the matrix in detector-for-cifar.ipynb file.
Also the error is
InvalidArgumentError Traceback (most recent call last)
in
----> 1 x_test_pred = np.argmax(classifier.predict(x_test[:100][:100]), axis=1)
2 nb_correct_pred = np.sum(x_test_pred == np.argmax(y_test[:100][:100], axis=1))
3
4 print("Original test data (first 100 images):")
5 print("Correctly classified: {}".format(nb_correct_pred))

~/Downloads/adversarial-robustness-toolbox-master/art/classifiers/keras.py in predict(self, x, logits, batch_size)
220 for b in range(int(np.ceil(x_.shape[0] / float(batch_size)))):
221 begin, end = b * batch_size, min((b + 1) * batch_size, x_.shape[0])
--> 222 preds[begin:end] = self.preds([x[begin:end]])[0]
223
224 if not logits and not self._custom_activation:

~/.local/lib/python3.6/site-packages/keras/backend/tensorflow_backend.py in call(self, inputs)
2713 return self._legacy_call(inputs)
2714
-> 2715 return self._call(inputs)
2716 else:
2717 if py_any(is_tensor(x) for x in inputs):

~/.local/lib/python3.6/site-packages/keras/backend/tensorflow_backend.py in _call(self, inputs)
2673 fetched = self._callable_fn(*array_vals, run_metadata=self.run_metadata)
2674 else:
-> 2675 fetched = self._callable_fn(*array_vals)
2676 return fetched[:len(self.outputs)]
2677

~/Downloads/ENTER/envs/gans/lib/python3.6/site-packages/tensorflow/python/client/session.py in call(self, *args)
1452 else:
1453 return tf_session.TF_DeprecatedSessionRunCallable(
-> 1454 self._session._session, self._handle, args, status, None)
1455
1456 def del(self):

~/Downloads/ENTER/envs/gans/lib/python3.6/site-packages/tensorflow/python/framework/errors_impl.py in exit(self, type_arg, value_arg, traceback_arg)
517 None, None,
518 compat.as_text(c_api.TF_Message(self.status.status)),
--> 519 c_api.TF_GetCode(self.status.status))
520 # Delete the underlying status object from memory otherwise it stays alive
521 # as there is a reference to status from this from the traceback due to

InvalidArgumentError: Matrix size-incompatible: In[0]: [100,2048], In[1]: [100352,1024]
[[Node: dense_1/MatMul = MatMul[T=DT_FLOAT, transpose_a=false, transpose_b=false, _device="/job:localhost/replica:0/task:0/device:CPU:0"](flatten_1/Reshape, dense_1/kernel/read)]]

Submitting this issue on behalf of Seema Nagar, who reported it on Slack.

Describe the bug
I am running into following issue when I am trying to use RestNet, VGG family of models for generate adversarial images using fast gradient.
Error message:

InvalidArgumentError: logits and labels must have the same first dimension, got logits shape [1,1000] and labels shape [1000]
     [[{{node SparseSoftmaxCrossEntropyWithLogits_3/SparseSoftmaxCrossEntropyWithLogits}}]]

Here is the code snippet and error.

To Reproduce

from keras.applications.resnet50 import ResNet50
from keras.preprocessing import image
from keras.applications.resnet50 import preprocess_input, decode_predictions
from art.attacks.fast_gradient import FastGradientMethod
from art.classifiers import KerasClassifier
import numpy as np

model = ResNet50(weights='imagenet')

img_path = 'panda.jpg'
img = image.load_img(img_path, target_size=(224, 224))
x = image.img_to_array(img)
x = np.expand_dims(x, axis=0)
x = preprocess_input(x)

preds = model.predict(x)
print('Predicted:', decode_predictions(preds, top = 5)[0])
classifier = KerasClassifier((0, 255), model, use_logits = False)
attack = FastGradientMethod(classifier, eps = 1)
x_adv = attack.generate(x)

Is your feature request related to a problem? Please describe.
Currently, expectation over transformation is specified as a parameter for each evasion attack. A more elegant design can be imagined, where one does not have to pass both the classifier and the EoT to the attack.

Describe the solution you'd like

Have EoT be a classifier wrapper. In that case, it would be used as follows:

classifier = KerasClassifier(...)
eot = EOT(classifier, ...)
attack = CoolNewAttack(eot, ...)

Describe alternatives you've considered
The current implementation is functional, and the proposed solution does not change anything from this point of view. It's just a matter of design.

Hi,
I just want to know how to use the defense algorithms inbuilt in the toolbox. For example, I want to use the Feature Squeezing. Is the following line is correct?

adv_smoothing = art.defences.FeatureSqueezing(x_test_adv) # passing the adversarial images generated

Thanks in advance

Hi,

There is a bug in the "to_categorical" utility function making it construct an array totally filled with "1".
This in turn prevents the classifier loss from dropping etc...
(discovered that when playing with the CIFAR example)

I have replaced - categorical[np.arange(labels.shape[0]), labels] = 1
with -
_ for i in range(labels.shape[0]):
categorical[i][labels[i]] = 1_

which solved the problem
Ziv.

Describe the bug
When running FGM with random init, the random initialization step is applied, followed by an eps pertubation attack. This results in a final attack budget larger than eps, which is incorrect

To Reproduce
Steps to reproduce the behavior:

1. Run FastGradientMethod on MNIST with, e.g. eps=0.3 and random_init=1.
2. Measure L_inf of perturbation introduced and observe that it is larger than 0.3.

This issue was reported by Albin.

Any plan for cutting an alpha release and publish it on place like PyPi?

Hello,

Was running the code on CIFAR for 150 epochs and with batch size 32

Craft attack on training examples
/adversarial-robustness-toolbox-master/art/attacks/deepfool.py:84: RuntimeWarning: divide by zero encountered in true_divide
r = (abs(f_diff[l]) / pow(np.linalg.norm(grad_diff[l]), 2)) * grad_diff[l]
/adversarial-robustness-toolbox-master/art/attacks/deepfool.py:84: RuntimeWarning: invalid value encountered in multiply
r = (abs(f_diff[l]) / pow(np.linalg.norm(grad_diff[l]), 2)) * grad_diff[l]

Describe the solution you'd like
The method predict is expensive and we should call it only if necessary. For num_random_init=1 we don't need to call predict and can significant save time.

Describe the bug
I implement a simple resnet9 and want to test cw2 result. All is good when I set max_iter=10. But when I set max_iter=1000 that is same value as cw2 original version. The index error comes.

To Reproduce
Steps to reproduce the behavior:

1. Set a simple CarliniL2Method.
2. cl2m = CarliniL2Method(classifier=ptc, targeted=True, max_iter=1000)
3. run the cw2 code like in the cw2unittest
4. See error

Expected behavior
No index error and the result comes out.

System information (please complete the following information):

• Linux 16.04
• Python 3.6
• ART version 0.4.0
• PyTorch 0.4.1

# First attack
cl2m = CarliniL2Method(classifier=ptc, targeted=True, max_iter=1000)
params={'y': targets}
x_test_adv = cl2m.generate(inputs, **params)
y_pred_adv = np.argmax(ptc.predict(x_test_adv , batch_size=32), axis=1)
logger.info('CW2 Success Rate: %.2f', (sum(adv_label == y_pred_adv) / float(len(adv_label))))
logger.info('Model Acc: %.2f', (sum(adv_original_label == y_pred_adv) / float(len(adv_original_label))))

Traceback (most recent call last):
  File "cw_pytorch.py", line 172, in <module>
    x_test_adv = cl2m.generate(inputs, **params)
  File "/home/weitian/anaconda3/envs/xnor/lib/python3.6/site-packages/art/attacks/carlini.py", line 380, in generate
    x_adv_batch_tanh[active_and_update_adv] = x_adv_batch_tanh[update_adv] + \
IndexError: boolean index did not match indexed array along dimension 0; dimension is 18 but corresponding boolean dimension is 17

Describe the bug
Tried loading a keras model implement under(https://keras.io/examples/cifar10_resnet/) and attacking it using FGSM.
Model is read and the training/prediction works properly but when trying to attack the following error appears:
ValueError: Cannot feed value of shape (128,) for Tensor 'Placeholder_1815:0', which has shape '(?, 10)'

where 128 is the batch size.
This does not occur with the keras test model provided by get_classifier_kr() nor when loading the model provided in
https://github.com/IBM/adversarial-robustness-toolbox/blob/c40e6326c434ea22a14fd890e3578a964e2e94ad/notebooks/detector-for-CIFAR10.ipynb

although when reviewing the model's summary the two models are almost identical.
This occurred with a few other models, all had custom keras layers.
To Reproduce
Steps to reproduce the behavior:

1. Go to https://keras.io/examples/cifar10_resnet/ and use Resnet implementation

2. load the model
   kears_resnet_model = resnet_v1((32,32,3),32,10)

3. Attack the model
   import art.attacks import art.wrappers import art.classifiers import art.utils art_target_model = art.classifiers.KerasClassifier((-1, 1), kears_resnet_model, use_logits=True) fgsm = art.attacks.FastGradientMethod(classifier=art_target_model, targeted=True,batch_size=1) params = {'y': art.utils.random_targets(y_test, art_target_model.nb_classes)} x_test_adv = fgsm.generate(x_test, **params)

4. See error

5. repeat the process with
   kears_resnet_model = load_model("models/cifar_resnet.h5") provided

System information (please complete the following information):

• OS: ubuntu 16.4
• Python version : 3.6
• TensorFlow:1.7.0 Keras:2.2.0

This is for simplicity purpose. The command for test discovery should also be updated.

Hi,

Seems like the line "from keras import backend as k" in utils.py should not be commented out.
When it does a call to load_dataset() fails over an undefined "k"

I think that the variable "img" in the third block of code should add a step of preprocess:
img = preprocess_input(img)
And then the reverse the preprocess for the generated adversarial example later.

Maybe other notebook example has the same problem, could you check it?

Some of the current default values for attack parameters are not the most appropriate as starting points. A few examples are:

• max_iter=10000 as default: this value is very high and results in never ending attacks.
• targeted=True for attacks in the C&W family; this forces the user to pass target values when calling generate and will raise an error otherwise.
• batch_size=128 is too high for datasets like ImageNet. Default should probably be 1.

We should adapt these consistently over all attacks at the same time.

@AkashGanesan I raised this issue as a follow-up to our conversation and some other feedback I have received from users.

Describe the bug
The loss calculated in loss_gradient is based on the model_outputs[-1] and the corresponding label. However, the model_outputs[-1] in Pytorch Wrapper is the softmax outputs. Should model_ouputs[0] be used if we use cross_entropy loss like in the test of Pytorch ?

For convenient, related codes are shown below

1. The code to compute model_outputs:

result = []
if isinstance(self._model, nn.Sequential):
    for _, module_ in self._model._modules.items():
        x = module_(x)
        result.append(x)
elif isinstance(self._model, nn.Module):
    x = self._model(x)
    result.append(x)
else:
    raise TypeError("The input model must inherit from `nn.Module`.")
output_layer = nn.functional.softmax(x, dim=1)
result.append(output_layer)
return result

2. The code to compute the loss:

# Compute the gradient and return
model_outputs = self._model(inputs_t)
loss = self._loss(model_outputs[-1], labels_t)

Hi all, I apply CarliniL2Method(classifier...).generate(img_variable.data.numpy()) to generate asversary samples. It shows that
Traceback (most recent call last):
File "adv_tool.py", line 127, in
adv_gen()
File "adv_tool.py", line 113, in adv_gen
img_adv = adv.generate(img_variable.data.numpy())
File "/Users/ostdong/anaconda2/lib/python2.7/site-packages/art/attacks/carlini.py", line 184, in generate
grad_l2p = self.classifier.class_gradient(np.array([adv_image]), label=i_add, logits=True)[0]
File "/Users/ostdong/anaconda2/lib/python2.7/site-packages/art/classifiers/pytorch.py", line 216, in class_gradient
assert grds.shape == (x_.shape[0], 1) + self.input_shape
AssertionError

The classifier I used is Pytorchclassifier. It works for other methods like FastGradientMethod.
img_variable.data.numpy() has shape (1, 3, 224, 224), as stated in the classifier arguments.
The same error with DeepFool method (both targeted and untargeted).
anybody knows why? Thanks!

I wrote a sample notebook in python to test the models provided and run the samples notebooks, but none of them are being loaded correctly when invoked.
here is the python snippet I used

from keras.models import load_model
....
!wget 'https://github.com/IBM/adversarial-robustness-toolbox/blob/master/models/mnist_cnn_original.h5'
!ls -l
Saving to: ‘mnist_cnn_original.h5’

[ <=>                                   ] 44,357      --.-K/s   in 0.06s   

2018-10-30 16:11:29 (725 KB/s) - ‘mnist_cnn_original.h5’ saved [44357]

total 88
-rw-r----- 1 dsxuser dsxuser 44357 Oct 30 16:06 mnist_cnn_original.h5

classifier = load_model("mnist_cnn_original.h5")
...
/opt/conda/envs/DSX-Python35/lib/python3.5/site-packages/h5py/_hl/files.py in make_fid(name, mode, userblock_size, fapl, fcpl, swmr)
99 if swmr and swmr_support:
100 flags |= h5f.ACC_SWMR_READ
--> 101 fid = h5f.open(name, flags, fapl=fapl)
102 elif mode == 'r+':
103 fid = h5f.open(name, h5f.ACC_RDWR, fapl=fapl)

h5py/_objects.pyx in h5py._objects.with_phil.wrapper()

h5py/_objects.pyx in h5py._objects.with_phil.wrapper()

h5py/h5f.pyx in h5py.h5f.open()

OSError: Unable to open file (File signature not found)

SO THE FILE IS FOUND BUT SOMETHING WRONG WITH THE FORMAT !!!
THANKS in advance

I think the pytorch version is >0.4, but I get the following error

======================================================================
ERROR: test_ptclassifier (attacks.carlini_unittest.TestCarliniL2)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/data1/helend/lucasgyshen/adversarial-robustness-toolbox/art/attacks/carlini_unittest.py", line 268, in test_ptclassifier
    ptc.fit(x_train, y_train, batch_size=batch_size, nb_epochs=1)
  File "/data1/helend/lucasgyshen/adversarial-robustness-toolbox/art/classifiers/pytorch.py", line 143, in fit
    (_, m_batch) = self._model(i_batch)
  File "/data1/helend/anaconda3/envs/lucasgyshen/lib/python3.5/site-packages/torch/nn/modules/module.py", line 477, in __call__
    result = self.forward(*input, **kwargs)
  File "/data1/helend/lucasgyshen/adversarial-robustness-toolbox/art/attacks/carlini_unittest.py", line 46, in forward
    x = self.pool(F.relu(self.conv(x)))
  File "/data1/helend/anaconda3/envs/lucasgyshen/lib/python3.5/site-packages/torch/nn/modules/module.py", line 477, in __call__
    result = self.forward(*input, **kwargs)
  File "/data1/helend/anaconda3/envs/lucasgyshen/lib/python3.5/site-packages/torch/nn/modules/conv.py", line 301, in forward
    self.padding, self.dilation, self.groups)
RuntimeError: Expected object of type torch.FloatTensor but found type torch.cuda.FloatTensor for argument #2 'weight'

I think it is because of the new feature of pytorch 0.4. Can you fix it? Thank you.

Hi,
I am IBM intern. I found a bug in Spatial Transformation Attack.

I tried to create an example of using Spatial Transformation Attack. After a lot of attemps with various factors I always get NO adversarial image (type of None) without any error messages.

Part of the code I used:
The image is an image (np.array; shape: (1,224,244,3)), others variables are simple and common.

image = Image.open(image_path)

if image.mode is not "RGB":
    image = image.convert("RGB")

image = image.resize((224, 224))
image = img_to_array(image)
image = np.expand_dims(image, axis=0)
image = imagenet_utils.preprocess_input(image)

model_RN50 = ResNet50(weights="imagenet")

classifier = KerasClassifier((image_norm.min(), image_norm.max()), model=model_RN50)
ST_attacker = SpatialTransformation(classifier, max_translation=10.0,num_translations=5,max_rotation=30.0,num_rotations=3)  
adversarial_image_ST = ST_attacker.generate(image)
type(adversarial_image_ST)    # result: NoneType

What are the appropriate parameters for this attack? In the docs and source code I didn't find any information about the range and "units" (% or pixels or sth else) of max_translation & max_rotation.

System information:

• Windows 10
• Python 3.7
• ART 0.6.0
• TensorFlow 1.13.1
• Keras 2.2.4

Attack success rates are computed for logging purposes. Those computations are performed even if logging is deactivated. This should be refactored for the entire library.

I use the gaussian augmentation and label smoothing method on the cifar-10 adversarial training example. But the accuracy of defences methods is lower than the clean train dataset. Is this normal?

Is your feature request related to a problem? Please describe.
I'm trying to set dropout layers to be in train mode while in test mode. Currently, predict will force the entire model into test mode.

Describe the solution you'd like
I'll be using Pytorch models so if there is a way where I have to can set the model's learning phases explicitly instead of the predict forcing the model to true would be what I'm looking for essentially.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

 def predict(self, x, logits=False, batch_size=128, force_test_mode=True):
    if force_test_mode: 
       self._model.train(False)

If this is needed for crafting adversarial examples is something I'm not very sure of. I'll need to dig up some more literature before I can be certain if that'll be needed as well.

Hello. I tried to use this toolbox to create some adversarial example.
When I write
from art.classifiers import KerasClassifier

It prints me an error :
No module named 'torch'

the example cifar_adversarial_training.py doesn't work either. (same error)
Edit : actually, none of the examples work.
Edit2 : even the run_tests script doesn't work (for the same reason)

Why do I need torch to use this toolbox with keras ?

This requires multiple changes to all modules:

• Allow clip_values to be None in all classifiers
• Allow clip_values to have a different value per feature
• Similarly, change attack strength (often eps, eps_step) from just scalar to scalar or vector. If a vector is provided, it should have the same size as the number of features. This is to allow attacks to be applied on features with different ranges and mostly concerns L_inf attacks.
• In line with the previous item, adapt random initialization in boundary attack to take into account the different scales in features for feature vectors.
• Only perform clipping in attacks if the targeted model has clip_values
• Generalize the shape of the input assumed in Classifier and other modules: moving from four dimensions (first one being the batch) to any number of dimensions (where first one is still the batch size)
• Add checks and safeguards on number of dimensions of data for the attacks / defences that can only be applied on images
• Add tests for feature vectors classifiers
• Add tests with no clipping / clipping per feature for both images and feature vectors
• Update examples and notebooks to ensure that they still work
• Create notebook with attacks on feature vectors using some malware dataset

I am receiving this notification when running the tests per instructions in the README.md file.

This message is received on both Ubuntu 18.04 and macOS 10.13.6

Please advise.

Travis are now recommending removing the sudo tag.

"If you currently specify sudo: false in your .travis.yml, we recommend removing that configuration"

See models folder.

Hi, I encountered the following error when running the examples:

Traceback (most recent call last):
File "examples/mnist_cnn_fgsm.py", line 11, in
from config import config_dict
File "/anaconda3/lib/python3.6/site-packages/config/init.py", line 47, in
with open(config_file, mode='rt') as f:
FileNotFoundError: [Errno 2] No such file or directory: '/anaconda3/lib/python3.6/site-packages/config/config.ini'

img_adv = adv.generate(img_variable.data.numpy())
File "/usr/local/lib/python2.7/dist-packages/art/attacks/carlini.py", line 184, in generate
grad_l2p = self.classifier.class_gradient(np.array([adv_image]), label=i_add, logits=True)[0]
File "/usr/local/lib/python2.7/dist-packages/art/classifiers/pytorch.py", line 211, in class_gradient
torch.autograd.backward(preds[:, label], torch.Tensor([1.] * len(preds[:, 0])), retain_graph=True)
File "/usr/local/lib/python2.7/dist-packages/torch/autograd/init.py", line 90, in backward
allow_unreachable=True) # allow_unreachable flag
RuntimeError: invalid gradient at index 0 - expected type torch.cuda.FloatTensor but got torch.FloatTensor

To produce the error:
classifier = PyTorchClassifier(clip_values=(-2.11790394, 2.2489084), model=model, loss= nn.CrossEntropyLoss(),
optimizer= torch.optim.SGD(model.parameters(), lr = 0.01),
input_shape=(3, 224, 224), nb_classes = 1000, defences = None, preprocessing=(0, 1))

adv = CarliniL2Method(classifier, targeted=False, max_iter=10, binary_search_steps=10, learning_rate=0.01)

img_adv = adv.generate(image a numpy array)

When running on a GPU, it will an error. No problem on a CPU.
Thanks for talking this issue!

Is your feature request related to a problem? Please describe.
It was unclear to some users whether ART supported logging and how to leverage it.

Describe the solution you'd like

• Edit code examples to show how to configure logging
• Document logger in wiki

Describe the bug
Shape error in Zoo attack:

x_adv = attack.generate(x_test)
 File "/job/model-code/art/attacks/zoo.py", line 180, in generate
   res = self._generate_batch(x_batch, y_batch)
 File "/job/model-code/art/attacks/zoo.py", line 223, in _generate_batch
   best_dist, best_label, best_attack = self._generate_bss(x_batch, y_batch, c)
 File "/job/model-code/art/attacks/zoo.py", line 320, in _generate_bss
   x_adv = self._optimizer(x_adv, y_batch, c)
 File "/job/model-code/art/attacks/zoo.py", line 380, in _optimizer
   _,_ , loss = self._loss(expanded_x, expanded_x + coord_batch.reshape(expanded_x.shape), expanded_targets,
ValueError: cannot reshape array of size 8388608 into shape (256,3,32,32)

To Reproduce
CIFAR-10 dataset

This mostly implies changing the way different backend implementations handle model outputs. In order to be effective, most attacks need to be applied at logits level. Some of the new models types ART will support do not have logits. The following describes the proposed solution for this problem:

• All backend __init__ functions would have a flag specifying if the output of the given model represents logits. When such a model is created, attacks are applied on the regular model output, as was done previously.
• If the outputs are not logits, we can check if the sum of the outputs on a fake input is 1. In that case, we have detected probabilities as outputs and will try to estimate the logits from them. These would not be the real logits of the model, but would perform numerical scaling that makes attacks efficient.
• If the outputs are not logits and don't sum to 1 either, this might be a different type of model, and attacks will be applied directly on its outputs.
• Another flag could indicate that the outputs of the model are probabilities, but the user explicitly requests that the previous layer (logits) should be used for attacks. This option is specific to the frameworks that support the notion of layer. Moreover, finding the correct logits would not be guaranteed.
• The loss function for a given model will also be part of the input provided by the user. The loss will be applied directly on the output of the model.

In practice, the implications are that predictions / gradient computations will not be available at both logits and probabilities level, as it is currently the case. This would attract a change in the Classifier API for the respective functions.

Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is.
It won't run when using tensorflow 2.0

Describe the solution you'd like
A clear and concise description of what you want to happen.
Support tensorflow 2.0

Since TF 2.0 is coming and it's a great library that engineers and data scientists will switch to, it would be great to support it. Thank you very much!

Hello, I am using the function load_dataset() but it doesn't work.

I have the following error :
~\Anaconda3\lib\site-packages\art\utils.py in load_imagenet()
313
314 dataset = np.asarray(dataset)
--> 315 y = to_categorical(np.asarray([label] * len(dataset)), 1000)
316
317 try:

UnboundLocalError: local variable 'label' referenced before assignment

and in utils.py, int the function load_imagenet() :
`fpath = get_file('imagenet_class_index.json', class_index_path, cache_subdir='models')
class_index = json.load(open(fpath))

for k, v in class_index.items():
    if v[0] == class_id:
        label = k
        break`

I can't find the file imagenet_class_index.json, so I can't check if it's there or if it's correct.
(I get the download)

I have tried to run the Keras Classifier using gpu, however it seems to be non a default option as in keras. I found there is a param ctx for other classifier but for the Keras wrapper not. Is it possible to use gpu in this case?

Describe the bug
I am unable to create any instances of art.classifiers.KerasClassifier whenever the underlying Keras model contains an Embedding layer. Using the TensorFlow backend, this invariably leads to a TypeError: Can not convert a NoneType into a Tensor or Operation.

To Reproduce
Steps to reproduce the behavior:

1. Create any Keras model with an Embedding layer on the TensorFlow backend.
2. Attempt to instantiate art.classifiers.KerasClassifier on it.
3. Watch it fail.

Expected behavior
I expected ART to simply return an instance of KerasClassifier as it usually does.

Screenshots
N/A, but here's a minimal non-working example:

from keras.layers import Dense, Activation, Dropout, Embedding, LSTM
from art.classifiers import KerasClassifier

model = Sequential()
model.add(Embedding(100, 128, input_length=50))
model.add(LSTM(128))
model.add(Dropout(0.5))
model.add(Dense(1))
model.add(Activation('sigmoid'))

model.compile(loss='binary_crossentropy', optimizer='rmsprop', metrics=['binary_accuracy'])

classifier = KerasClassifier((0, 1), model=model)
classifier.fit(x_train, y_train, nb_epochs=10, batch_size=128)

System information (please complete the following information):

• Ubuntu 18.04 LTS
• Python version 3.6.5
• ART version 0.5.0
• TensorFlow version 1.12.0
• Keras version 2.2.4

similar to this one https://github.com/IBM/Fashion-MNIST-using-FfDL/blob/master/MAINTAINERS.md

Describe the solution you'd like
Provide __setstate__ and __getstate__ implementations for all classifiers in order to support serialization with pickle. To be determined if all frameworks can support this. The function can build on the pre existing save function from the Classifier API.

• Keras
• MXNet
• PyTorch
• TensorFlow

Hey folks!

This project is a great effort. Similar way, can we pass Caffe models to this tool?

Thanks

This is a black-box attack search strategy allowing to reduce the number of queries to a model by 2-4x. It is based on discrete cosine transform (DCT). This selection strategy can be combined with existing black-box attacks, e.g., the paper proves effectiveness with NES and boundary attack. This should be implemented as a wrapper if possible, to allow the usage with existing black-box attacks in ART.

Paper link: https://arxiv.org/abs/1809.08758

When using the PyPl install (instead of the clone and install procedure described in the main readme), the KerasClassifier is not copied to the classifiers folder, hence failing to execute

Regards
Ziv.