art.attacks

Module providing adversarial attacks under a common interface.

Base Class Attacks

class art.attacks.Attack(estimator, summary_writer: Union[str, bool, SummaryWriter] = False)

Abstract base class for all attack abstract base classes.

property estimator

The estimator.

property estimator_requirements

The estimator requirements.

static is_estimator_valid(estimator, estimator_requirements) → bool

Checks if the given estimator satisfies the requirements for this attack.

Return type

bool

Parameters
  • estimator – The estimator to check.

  • estimator_requirements – Estimator requirements.

Returns

True if the estimator is valid for the attack.

set_params(**kwargs) → None

Take in a dictionary of parameters and apply attack-specific checks before saving them as attributes.

Parameters

kwargs – A dictionary of attack-specific parameters.

property summary_writer

The summary writer.

Base Class Evasion Attacks

class art.attacks.EvasionAttack(**kwargs)

Abstract base class for evasion attack classes.

abstract generate(x: ndarray, y: Optional[ndarray] = None, **kwargs) → ndarray

Generate adversarial examples and return them as an array. This method should be overridden by all concrete evasion attack implementations.

Return type

ndarray

Parameters
  • x (ndarray) – An array with the original inputs to be attacked.

  • y – Correct labels or target labels for x, depending on whether the attack is targeted. This parameter is only used by some of the attacks.

Returns

An array holding the adversarial examples.

property targeted: bool

Boolean indicating whether the attack is targeted. None if not applicable.

Base Class Poisoning Attacks

class art.attacks.PoisoningAttack(classifier: Optional[CLASSIFIER_TYPE])

Abstract base class for poisoning attack classes.

class art.attacks.PoisoningAttackBlackBox

Abstract base class for poisoning attack classes that have no access to the model (classifier object).

class art.attacks.PoisoningAttackWhiteBox(classifier: Optional[CLASSIFIER_TYPE])

Abstract base class for poisoning attack classes that have white-box access to the model (classifier object).

class art.attacks.PoisoningAttackTransformer(classifier: Optional[CLASSIFIER_TYPE])

Abstract base class for poisoning attack classes that return a transformed classifier. These attacks have an additional method, poison_estimator, that returns the poisoned classifier.

abstract poison(x: ndarray, y=typing.Union[numpy.ndarray, NoneType], **kwargs) → Tuple[ndarray, ndarray]

Generate poisoning examples and return them as an array. This method should be overridden by all concrete poisoning attack implementations.

Parameters
  • x (ndarray) – An array with the original inputs to be attacked.

  • y – Target labels for x. Untargeted attacks set this value to None.

Returns

A tuple holding the (poisoning examples, poisoning labels).

Return type

(np.ndarray, np.ndarray)

abstract poison_estimator(x: ndarray, y: ndarray, **kwargs) → CLASSIFIER_TYPE

Returns a poisoned version of the classifier used to initialize the attack.

Parameters
  • x (ndarray) – Training data.

  • y (ndarray) – Training labels.

Returns

A poisoned classifier.

Base Class Extraction Attacks

class art.attacks.ExtractionAttack(estimator, summary_writer: Union[str, bool, SummaryWriter] = False)

Abstract base class for extraction attack classes.

abstract extract(x: ndarray, y: Optional[ndarray] = None, **kwargs) → CLASSIFIER_TYPE

Extract models and return them as an ART classifier. This method should be overridden by all concrete extraction attack implementations.

Parameters
  • x (ndarray) – An array with the original inputs to be attacked.

  • y – Correct labels or target labels for x, depending on whether the attack is targeted. This parameter is only used by some of the attacks.

Returns

ART classifier of the extracted model.

Base Class Inference Attacks

class art.attacks.InferenceAttack(estimator)

Abstract base class for inference attack classes.

class art.attacks.AttributeInferenceAttack(estimator, attack_feature: Union[int, slice] = 0)

Abstract base class for attribute inference attack classes.

abstract infer(x: ndarray, y: Optional[ndarray] = None, **kwargs) → ndarray

Infer sensitive attributes from the targeted estimator. This method should be overridden by all concrete inference attack implementations.

Return type

ndarray

Parameters
  • x (ndarray) – An array with reference inputs to be used in the attack.

  • y – Labels for x. This parameter is only used by some of the attacks.

Returns

An array holding the inferred attribute values.

Base Class Reconstruction Attacks

class art.attacks.ReconstructionAttack(estimator)

Abstract base class for reconstruction attack classes.

abstract reconstruct(x: ndarray, y: Optional[ndarray] = None, **kwargs) → Tuple[ndarray, ndarray]

Reconstruct the training dataset of the targeted estimator, using that estimator. This method should be overridden by all concrete inference attack implementations.

Return type

Tuple

Parameters
  • x (ndarray) – An array with known records of the training set of estimator.

  • y – An array with known labels of the training set of estimator. If None, predicted labels will be used.

Returns

A tuple of two arrays for the reconstructed training input and labels.

set_params(**kwargs) → None

Take in a dictionary of parameters and apply attack-specific checks before saving them as attributes.