art.attacks

Module providing adversarial attacks under a common interface.

Base Class Attacks

class art.attacks.Attack(estimator, summary_writer: str | bool | SummaryWriter = False)

Abstract base class from which all attack base classes derive.

property estimator

The estimator.

property estimator_requirements

The estimator requirements.

static is_estimator_valid(estimator, estimator_requirements) bool

Checks if the given estimator satisfies the requirements for this attack.

Return type:

bool

Parameters:
  • estimator – The estimator to check.

  • estimator_requirements – Estimator requirements.

Returns:

True if the estimator is valid for the attack.

set_params(**kwargs) None

Take in a dictionary of parameters and apply attack-specific checks before saving them as attributes.

Parameters:

kwargs – A dictionary of attack-specific parameters.

property summary_writer

The summary writer.
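
A minimal usage sketch of this base-class interface, assuming a recent ART release together with the Fast Gradient Method evasion attack and a scikit-learn model wrapped in SklearnClassifier (neither is defined on this page):

    from sklearn.datasets import load_iris
    from sklearn.linear_model import LogisticRegression

    from art.attacks import Attack
    from art.attacks.evasion import FastGradientMethod
    from art.estimators.classification import SklearnClassifier

    x, y = load_iris(return_X_y=True)
    classifier = SklearnClassifier(model=LogisticRegression(max_iter=1000).fit(x, y))

    # Any concrete attack exposes the interface documented above.
    attack = FastGradientMethod(estimator=classifier, eps=0.1)

    print(attack.estimator)               # the wrapped classifier
    print(attack.estimator_requirements)  # mixins the estimator must implement

    # The same static check the attack runs when it is constructed.
    print(Attack.is_estimator_valid(classifier, attack.estimator_requirements))  # True

    # set_params applies the attack-specific checks before storing the new value;
    # eps is a FastGradientMethod parameter, used here only for illustration.
    attack.set_params(eps=0.3)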

Base Class Evasion Attacks

class art.attacks.EvasionAttack(**kwargs)

Abstract base class for evasion attack classes.

abstract generate(x: ndarray, y: ndarray | None = None, **kwargs) ndarray

Generate adversarial examples and return them as an array. This method should be overridden by all concrete evasion attack implementations.

Return type:

ndarray

Parameters:
  • x (ndarray) – An array with the original inputs to be attacked.

  • y – Correct labels or target labels for x, depending on whether the attack is targeted. This parameter is only used by some of the attacks.

Returns:

An array holding the adversarial examples.
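
For example, a hedged sketch of the generate contract using the Fast Gradient Method (one concrete EvasionAttack); the dataset, model, and eps value are assumptions made only for this example:

    from sklearn.datasets import load_iris
    from sklearn.linear_model import LogisticRegression

    from art.attacks.evasion import FastGradientMethod
    from art.estimators.classification import SklearnClassifier

    x, y = load_iris(return_X_y=True)
    model = LogisticRegression(max_iter=1000).fit(x, y)
    classifier = SklearnClassifier(model=model, clip_values=(x.min(), x.max()))

    # Untargeted use: y is omitted, so the attack derives labels from the
    # model's own predictions.
    attack = FastGradientMethod(estimator=classifier, eps=0.2)
    x_adv = attack.generate(x=x)

    print(x_adv.shape == x.shape)  # True: one adversarial example per input
    print(attack.targeted)         # False for this untargeted configuration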

property targeted: bool

Return whether the attack is targeted (True) or untargeted (False); returns None if not applicable.

Base Class Poisoning Attacks

class art.attacks.PoisoningAttack(classifier: CLASSIFIER_TYPE | None)

Abstract base class for poisoning attack classes.

class art.attacks.PoisoningAttackBlackBox

Abstract base class for poisoning attack classes that have no access to the model (classifier object).

class art.attacks.PoisoningAttackWhiteBox(classifier: CLASSIFIER_TYPE | None)

Abstract base class for poisoning attack classes that have white-box access to the model (classifier object).

class art.attacks.PoisoningAttackTransformer(classifier: CLASSIFIER_TYPE | None)

Abstract base class for poisoning attack classes that return a transformed classifier. These attacks have an additional method, poison_estimator, that returns the poisoned classifier.

abstract poison(x: ndarray, y: ndarray | None = None, **kwargs) Tuple[ndarray, ndarray]

Generate poisoning examples and return them as an array. This method should be overridden by all concrete poisoning attack implementations.

Parameters:
  • x (ndarray) – An array with the original inputs to be attacked.

  • y – Target labels for x. Untargeted attacks set this value to None.

Returns:

A tuple holding the (poisoning examples, poisoning labels).

Return type:

(np.ndarray, np.ndarray)
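
For illustration, a hedged sketch of the poison contract using PoisoningAttackBackdoor (a concrete black-box poisoning attack) and the add_pattern_bd perturbation; the toy data, shapes, and target class are assumptions:

    import numpy as np

    from art.attacks.poisoning import PoisoningAttackBackdoor
    from art.attacks.poisoning.perturbations import add_pattern_bd

    # Toy batch of 10 grayscale 28x28 images in [0, 1]; a real use case would
    # take actual training images.
    x_clean = np.random.rand(10, 28, 28)

    # Target labels: every poisoned sample is relabelled to an assumed class 1 of 10.
    y_target = np.zeros((10, 10))
    y_target[:, 1] = 1.0

    backdoor = PoisoningAttackBackdoor(perturbation=add_pattern_bd)
    x_poison, y_poison = backdoor.poison(x_clean, y=y_target)

    print(x_poison.shape, y_poison.shape)  # (10, 28, 28) (10, 10)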

abstract poison_estimator(x: ndarray, y: ndarray, **kwargs) CLASSIFIER_TYPE

Returns a poisoned version of the classifier used to initialize the attack.

Parameters:
  • x (ndarray) – Training data.

  • y (ndarray) – Training labels.

Returns:

A poisoned classifier.
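
Because PoisoningAttackTransformer is abstract, both methods must be supplied by a subclass. A hypothetical skeleton (not an ART class) sketching that contract:

    from typing import Optional, Tuple

    import numpy as np

    from art.attacks import PoisoningAttackTransformer

    class ExamplePoisoningTransformer(PoisoningAttackTransformer):
        """Hypothetical subclass used only to illustrate the abstract contract."""

        # Assumption: this toy example declares no estimator requirements.
        _estimator_requirements = ()

        def poison(self, x: np.ndarray, y: Optional[np.ndarray] = None, **kwargs) -> Tuple[np.ndarray, np.ndarray]:
            # A real attack would perturb x and/or flip labels here.
            return x.copy(), y.copy()

        def poison_estimator(self, x: np.ndarray, y: np.ndarray, **kwargs):
            # Refit the wrapped classifier on the poisoned data and return it.
            x_p, y_p = self.poison(x, y)
            self.estimator.fit(x_p, y_p)
            return self.estimator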

Base Class Extraction Attacks

class art.attacks.ExtractionAttack(estimator, summary_writer: str | bool | SummaryWriter = False)

Abstract base class for extraction attack classes.

abstract extract(x: ndarray, y: ndarray | None = None, **kwargs) CLASSIFIER_TYPE

Extract models and return them as an ART classifier. This method should be overridden by all concrete extraction attack implementations.

Parameters:
  • x (ndarray) – An array with the original inputs to be attacked.

  • y – Correct labels or target labels for x, depending on whether the attack is targeted. This parameter is only used by some of the attacks.

Returns:

ART classifier of the extracted model.
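
A hedged call-pattern sketch using CopycatCNN (one concrete extraction attack). Here victim_classifier, thieved_classifier, and x_query are placeholders for objects not defined on this page (two ART neural-network classifiers and unlabeled query data), and the keyword names should be checked against CopycatCNN's own reference:

    from art.attacks.extraction import CopycatCNN

    # Placeholders (assumptions): victim_classifier is the fitted ART classifier to
    # steal from, thieved_classifier is a randomly initialised ART classifier with
    # matching input/output shapes, and x_query is unlabeled data used to query
    # the victim.
    attack = CopycatCNN(
        classifier=victim_classifier,
        batch_size_query=64,
        nb_epochs=5,
        nb_stolen=1000,
    )

    # extract() returns the thieved classifier trained on the victim's predictions.
    stolen_classifier = attack.extract(x_query, thieved_classifier=thieved_classifier)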

Base Class Inference Attacks

class art.attacks.InferenceAttack(estimator)

Abstract base class for inference attack classes.

class art.attacks.AttributeInferenceAttack(estimator, attack_feature: int | slice = 0)

Abstract base class for attribute inference attack classes.

abstract infer(x: ndarray, y: ndarray | None = None, **kwargs) ndarray

Infer sensitive attributes from the targeted estimator. This method should be overridden by all concrete inference attack implementations.

Return type:

ndarray

Parameters:
  • x (ndarray) – An array with reference inputs to be used in the attack.

  • y – Labels for x. This parameter is only used by some of the attacks.

Returns:

An array holding the inferred attribute values.
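
A hedged sketch with AttributeInferenceBlackBox (one concrete attribute inference attack) against a scikit-learn model; the dataset, the binarisation of the attacked feature, and the pred keyword are assumptions made for this example and may differ across ART versions:

    import numpy as np
    from sklearn.datasets import load_iris
    from sklearn.ensemble import RandomForestClassifier

    from art.attacks.inference.attribute_inference import AttributeInferenceBlackBox
    from art.estimators.classification import SklearnClassifier

    x, y = load_iris(return_X_y=True)

    # Binarise feature 2 so the attacked attribute is categorical (an assumption
    # made only to keep this sketch simple).
    x[:, 2] = (x[:, 2] > np.median(x[:, 2])).astype(float)

    classifier = SklearnClassifier(model=RandomForestClassifier().fit(x, y))

    attack = AttributeInferenceBlackBox(classifier, attack_feature=2)
    attack.fit(x)  # train the attack model on records where the attribute is known

    # Infer the attribute for records where it is unknown: x is passed without the
    # attacked column, and the target model's predictions go in via `pred`
    # (an assumption about this concrete attack's expected inputs).
    x_no_feature = np.delete(x, 2, axis=1)
    inferred = attack.infer(x_no_feature, pred=classifier.predict(x))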

Base Class Reconstruction Attacks

class art.attacks.ReconstructionAttack(estimator)

Abstract base class for reconstruction attack classes.

abstract reconstruct(x: ndarray, y: ndarray | None = None, **kwargs) Tuple[ndarray, ndarray]

Reconstruct the training dataset of the targeted estimator. This method should be overridden by all concrete reconstruction attack implementations.

Parameters:
  • x (ndarray) – An array with known records of the training set of estimator.

  • y – An array with known labels of the training set of estimator; if None, predicted labels will be used.

Returns:

A tuple of two arrays for the reconstructed training input and labels.
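
A hedged sketch using DatabaseReconstruction (one concrete reconstruction attack), following the pattern of ART's reconstruction examples; the target model, dataset, and label encoding are assumptions:

    from sklearn.datasets import load_iris
    from sklearn.naive_bayes import GaussianNB

    from art.attacks.inference.reconstruction import DatabaseReconstruction
    from art.estimators.classification import SklearnClassifier

    x, y = load_iris(return_X_y=True)

    # The target model is trained on the full dataset; the attacker then knows all
    # records except the last one and tries to reconstruct it from the model.
    target = SklearnClassifier(model=GaussianNB().fit(x, y))
    x_known, y_known = x[:-1], y[:-1]

    attack = DatabaseReconstruction(target)
    # Depending on the ART version, y_known may need to be one-hot encoded.
    x_recon, y_recon = attack.reconstruct(x_known, y_known)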

set_params(**kwargs) None

Take in a dictionary of parameters and apply attack-specific checks before saving them as attributes.