art.attacks

Module providing adversarial attacks under a common interface.

Base Class Attacks

class art.attacks.Attack(estimator)

Abstract base class for all attack abstract base classes.

set_params(**kwargs) → None

Take in a dictionary of parameters and apply attack-specific checks before saving them as attributes.

Parameters

kwargs – A dictionary of attack-specific parameters.

Base Class Evasion Attacks

class art.attacks.EvasionAttack(**kwargs)

Abstract base class for evasion attack classes.

generate(*args, **kwargs)

Generate adversarial examples and return them as an array. This method should be overridden by all concrete evasion attack implementations.

Parameters

  • x – An array with the original inputs to be attacked.

  • y – Correct labels or target labels for x, depending if the attack is targeted or not. This parameter is only used by some of the attacks.

Returns

An array holding the adversarial examples.

property targeted

Return Boolean if attack is targeted. Return None if not applicable.

Base Class Poisoning Attacks

class art.attacks.PoisoningAttack(classifier: Optional[CLASSIFIER_TYPE])

Abstract base class for poisoning attack classes

class art.attacks.PoisoningAttackBlackBox

Abstract base class for poisoning attack classes that have no access to the model (classifier object).

class art.attacks.PoisoningAttackWhiteBox(classifier: Optional[CLASSIFIER_TYPE])

Abstract base class for poisoning attack classes that have white-box access to the model (classifier object).

class art.attacks.PoisoningAttackTransformer(classifier: Optional[CLASSIFIER_TYPE], **kwargs)

Abstract base class for poisoning attack classes that return a transformed classifier. These attacks have an additional method, poison_estimator, that returns the poisoned classifier.

abstract poison(x: numpy.ndarray, y=typing.Union[numpy.ndarray, NoneType], **kwargs) → Tuple[numpy.ndarray, numpy.ndarray]

Generate poisoning examples and return them as an array. This method should be overridden by all concrete poisoning attack implementations.

Parameters

  • x (ndarray) – An array with the original inputs to be attacked.

  • y – Target labels for x. Untargeted attacks set this value to None.

Returns

An tuple holding the (poisoning examples, poisoning labels).

Return type

(np.ndarray, np.ndarray)

abstract poison_estimator(x: numpy.ndarray, y: numpy.ndarray, **kwargs) → CLASSIFIER_TYPE

Returns a poisoned version of the classifier used to initialize the attack :type y: ndarray :type x: ndarray :param x: Training data :param y: Training labels :return: A poisoned classifier

Base Class Extraction Attacks

class art.attacks.ExtractionAttack(estimator)

Abstract base class for extraction attack classes.

extract(*args, **kwargs)

Extract models and return them as an ART classifier. This method should be overridden by all concrete extraction attack implementations.

Parameters

  • x – An array with the original inputs to be attacked.

  • y – Correct labels or target labels for x, depending if the attack is targeted or not. This parameter is only used by some of the attacks.

Returns

ART classifier of the extracted model.

Base Class Inference Attacks

class art.attacks.InferenceAttack(estimator)

Abstract base class for inference attack classes.

class art.attacks.AttributeInferenceAttack(estimator, attack_feature: Union[int, slice] = 0)

Abstract base class for attribute inference attack classes.

abstract infer(x: numpy.ndarray, y: Optional[numpy.ndarray] = None, **kwargs) → numpy.ndarray

Infer sensitive properties (attributes, membership training records) from the targeted estimator. This method should be overridden by all concrete inference attack implementations.

Return type

ndarray

Parameters

  • x (ndarray) – An array with reference inputs to be used in the attack.

  • y – Labels for x. This parameter is only used by some of the attacks.

Returns

An array holding the inferred properties.

set_params(**kwargs) → None

Take in a dictionary of parameters and applies attack-specific checks before saving them as attributes.

Base Class Reconstruction Attacks

class art.attacks.ReconstructionAttack(estimator)

Abstract base class for reconstruction attack classes.

abstract reconstruct(x: numpy.ndarray, y: Optional[numpy.ndarray] = None, **kwargs) → Tuple[numpy.ndarray, numpy.ndarray]

Reconstruct the training dataset of and from the targeted estimator. This method should be overridden by all concrete inference attack implementations.

Return type

Tuple

Parameters

  • x (ndarray) – An array with known records of the training set of estimator.

  • y – An array with known labels of the training set of estimator, if None predicted labels will be used.

Returns

A tuple of two arrays for the reconstructed training input and labels.

set_params(**kwargs) → None

Take in a dictionary of parameters and applies attack-specific checks before saving them as attributes.