art.attacks
Module providing adversarial attacks under a common interface.
Base Class Attacks
- class art.attacks.Attack(estimator, summary_writer: Union[str, bool, SummaryWriter] = False)
Abstract base class for all attack abstract base classes.
- property estimator
The estimator.
- property estimator_requirements
The estimator requirements.
- static is_estimator_valid(estimator, estimator_requirements) -> bool
Checks if the given estimator satisfies the requirements for this attack.
- Return type:
bool
- Parameters:
estimator – The estimator to check.
estimator_requirements – Estimator requirements.
- Returns:
True if the estimator is valid for the attack.
- set_params(**kwargs) -> None
Take in a dictionary of parameters and apply attack-specific checks before saving them as attributes.
- Parameters:
kwargs – A dictionary of attack-specific parameters.
- property summary_writer
The summary writer.
Base Class Evasion Attacks
- class art.attacks.EvasionAttack(**kwargs)
Abstract base class for evasion attack classes.
- abstract generate(x: ndarray, y: Optional[ndarray] = None, **kwargs) -> ndarray
Generate adversarial examples and return them as an array. This method should be overridden by all concrete evasion attack implementations.
- Return type:
ndarray
- Parameters:
x (ndarray) – An array with the original inputs to be attacked.
y – Correct labels or target labels for x, depending if the attack is targeted or not. This parameter is only used by some of the attacks.
- Returns:
An array holding the adversarial examples.
- property targeted: bool
Return Boolean if attack is targeted. Return None if not applicable.
Base Class Poisoning Attacks
- class art.attacks.PoisoningAttack(classifier: Optional[CLASSIFIER_TYPE])
Abstract base class for poisoning attack classes.
- class art.attacks.PoisoningAttackBlackBox
Abstract base class for poisoning attack classes that have no access to the model (classifier object).
- class art.attacks.PoisoningAttackWhiteBox(classifier: Optional[CLASSIFIER_TYPE])
Abstract base class for poisoning attack classes that have white-box access to the model (classifier object).
- class art.attacks.PoisoningAttackTransformer(classifier: Optional[CLASSIFIER_TYPE])
Abstract base class for poisoning attack classes that return a transformed classifier. These attacks have an additional method, poison_estimator, that returns the poisoned classifier.
- abstract poison(x: ndarray, y=typing.Union[numpy.ndarray, NoneType], **kwargs) -> Tuple[ndarray, ndarray]
Generate poisoning examples and return them as an array. This method should be overridden by all concrete poisoning attack implementations.
- Parameters:
x (ndarray) – An array with the original inputs to be attacked.
y – Target labels for x. Untargeted attacks set this value to None.
- Returns:
A tuple holding the (poisoning examples, poisoning labels).
- Return type:
(np.ndarray, np.ndarray)
- abstract poison_estimator(x: ndarray, y: ndarray, **kwargs) -> CLASSIFIER_TYPE
Returns a poisoned version of the classifier used to initialize the attack.
- Parameters:
x (ndarray) – Training data.
y (ndarray) – Training labels.
- Returns:
A poisoned classifier.
Base Class Extraction Attacks
- class art.attacks.ExtractionAttack(estimator, summary_writer: Union[str, bool, SummaryWriter] = False)
Abstract base class for extraction attack classes.
- abstract extract(x: ndarray, y: Optional[ndarray] = None, **kwargs) -> CLASSIFIER_TYPE
Extract models and return them as an ART classifier. This method should be overridden by all concrete extraction attack implementations.
- Parameters:
x (ndarray) – An array with the original inputs to be attacked.
y – Correct labels or target labels for x, depending if the attack is targeted or not. This parameter is only used by some of the attacks.
- Returns:
ART classifier of the extracted model.
Base Class Inference Attacks
- class art.attacks.InferenceAttack(estimator)
Abstract base class for inference attack classes.
- class art.attacks.AttributeInferenceAttack(estimator, attack_feature: Union[int, slice] = 0)
Abstract base class for attribute inference attack classes.
- abstract infer(x: ndarray, y: Optional[ndarray] = None, **kwargs) -> ndarray
Infer sensitive attributes from the targeted estimator. This method should be overridden by all concrete inference attack implementations.
- Return type:
ndarray
- Parameters:
x (ndarray) – An array with reference inputs to be used in the attack.
y – Labels for x. This parameter is only used by some of the attacks.
- Returns:
An array holding the inferred attribute values.
Base Class Reconstruction Attacks
- class art.attacks.ReconstructionAttack(estimator)
Abstract base class for reconstruction attack classes.
- abstract reconstruct(x: ndarray, y: Optional[ndarray] = None, **kwargs) -> Tuple[ndarray, ndarray]
Reconstruct the training dataset of and from the targeted estimator. This method should be overridden by all concrete inference attack implementations.
- Return type:
Tuple
- Parameters:
x (ndarray) – An array with known records of the training set of estimator.
y – An array with known labels of the training set of estimator; if None, predicted labels will be used.
- Returns:
A tuple of two arrays for the reconstructed training input and labels.
- set_params(**kwargs) -> None
Take in a dictionary of parameters and apply attack-specific checks before saving them as attributes.