`art.attacks`¶

Module providing adversarial attacks under a common interface.

Base Class Attacks¶

class art.attacks.Attack(estimator, summary_writer: Union[str, bool, SummaryWriter] = False)¶

Abstract base class for all attack abstract base classes.

property estimator¶: The estimator.

property estimator_requirements¶: The estimator requirements.

static is_estimator_valid(estimator, estimator_requirements) → bool¶

Checks if the given estimator satisfies the requirements for this attack.

Return type:

bool

Parameters:

estimator – The estimator to check.
estimator_requirements – Estimator requirements.

Returns:

True if the estimator is valid for the attack.

set_params(**kwargs) → None¶

Take in a dictionary of parameters and apply attack-specific checks before saving them as attributes.

Parameters:: kwargs – A dictionary of attack-specific parameters.

property summary_writer¶: The summary writer.

Base Class Evasion Attacks¶

class art.attacks.EvasionAttack(**kwargs)¶

Abstract base class for evasion attack classes.

abstract generate(x: ndarray, y: Optional[ndarray] = None, **kwargs) → ndarray¶

Generate adversarial examples and return them as an array. This method should be overridden by all concrete evasion attack implementations.

Return type:

ndarray

Parameters:

x (ndarray) – An array with the original inputs to be attacked.
y – Correct labels or target labels for x, depending if the attack is targeted or not. This parameter is only used by some of the attacks.

Returns:

An array holding the adversarial examples.

property targeted: bool¶: Return Boolean if attack is targeted. Return None if not applicable.

Base Class Poisoning Attacks¶

class art.attacks.PoisoningAttack(classifier: Optional[CLASSIFIER_TYPE])¶: Abstract base class for poisoning attack classes

class art.attacks.PoisoningAttackBlackBox¶: Abstract base class for poisoning attack classes that have no access to the model (classifier object).

class art.attacks.PoisoningAttackWhiteBox(classifier: Optional[CLASSIFIER_TYPE])¶: Abstract base class for poisoning attack classes that have white-box access to the model (classifier object).

class art.attacks.PoisoningAttackTransformer(classifier: Optional[CLASSIFIER_TYPE])¶

Abstract base class for poisoning attack classes that return a transformed classifier. These attacks have an additional method, poison_estimator, that returns the poisoned classifier.

abstract poison(x: ndarray, y=typing.Union[numpy.ndarray, NoneType], **kwargs) → Tuple[ndarray, ndarray]¶

Generate poisoning examples and return them as an array. This method should be overridden by all concrete poisoning attack implementations.

Parameters:

x (ndarray) – An array with the original inputs to be attacked.
y – Target labels for x. Untargeted attacks set this value to None.

Returns:

An tuple holding the (poisoning examples, poisoning labels).

Return type:

(np.ndarray, np.ndarray)

abstract poison_estimator(x: ndarray, y: ndarray, **kwargs) → CLASSIFIER_TYPE¶: Returns a poisoned version of the classifier used to initialize the attack :type y: ndarray :type x: ndarray :param x: Training data :param y: Training labels :return: A poisoned classifier

Base Class Extraction Attacks¶

class art.attacks.ExtractionAttack(estimator, summary_writer: Union[str, bool, SummaryWriter] = False)¶

Abstract base class for extraction attack classes.

abstract extract(x: ndarray, y: Optional[ndarray] = None, **kwargs) → CLASSIFIER_TYPE¶

Extract models and return them as an ART classifier. This method should be overridden by all concrete extraction attack implementations.

Parameters:

x (ndarray) – An array with the original inputs to be attacked.
y – Correct labels or target labels for x, depending if the attack is targeted or not. This parameter is only used by some of the attacks.

Returns:

ART classifier of the extracted model.

Base Class Inference Attacks¶

class art.attacks.InferenceAttack(estimator)¶: Abstract base class for inference attack classes.

class art.attacks.AttributeInferenceAttack(estimator, attack_feature: Union[int, slice] = 0)¶

Abstract base class for attribute inference attack classes.

abstract infer(x: ndarray, y: Optional[ndarray] = None, **kwargs) → ndarray¶

Infer sensitive attributes from the targeted estimator. This method should be overridden by all concrete inference attack implementations.

Return type:

ndarray

Parameters:

x (ndarray) – An array with reference inputs to be used in the attack.
y – Labels for x. This parameter is only used by some of the attacks.

Returns:

An array holding the inferred attribute values.

Base Class Reconstruction Attacks¶

class art.attacks.ReconstructionAttack(estimator)¶

Abstract base class for reconstruction attack classes.

abstract reconstruct(x: ndarray, y: Optional[ndarray] = None, **kwargs) → Tuple[ndarray, ndarray]¶

Reconstruct the training dataset of and from the targeted estimator. This method should be overridden by all concrete inference attack implementations.

Return type:

Tuple

Parameters:

x (ndarray) – An array with known records of the training set of estimator.
y – An array with known labels of the training set of estimator, if None predicted labels will be used.

Returns:

A tuple of two arrays for the reconstructed training input and labels.

set_params(**kwargs) → None¶: Take in a dictionary of parameters and applies attack-specific checks before saving them as attributes.

art.attacks¶

Base Class Attacks¶

Base Class Evasion Attacks¶

Base Class Poisoning Attacks¶

Base Class Extraction Attacks¶

Base Class Inference Attacks¶

Base Class Reconstruction Attacks¶

`art.attacks`¶