art.estimators.classification

Classifier API for applying all attacks. Use the Classifier wrapper to be able to apply an attack to a preexisting model.

Mixin Base Class Classifier

class art.estimators.classification.ClassifierMixin

Mixin abstract base class defining functionality for classifiers.

property nb_classes

Return the number of output classes.

Returns

Number of classes in the data.

Mixin Base Class Class Gradients

class art.estimators.classification.ClassGradientsMixin

Mixin abstract base class defining classifiers providing access to class gradients. A classifier of this type can be combined with certain white-box attacks. This mixin abstract base class has to be mixed in with class Classifier.

abstract class_gradient(x: numpy.ndarray, label: Optional[Union[int, List[int]]] = None, **kwargs) → numpy.ndarray

Compute per-class derivatives w.r.t. x.

Return type

ndarray

Parameters
  • x (np.ndarray or pandas.DataFrame) – Samples.

  • label – Index of a specific per-class derivative. If an integer is provided, the gradient of that class output is computed for all samples. If multiple values as provided, the first dimension should match the batch size of x, and each value will be used as target for its corresponding sample in x. If None, then gradients for all classes will be computed for each sample.

Returns

Gradients of input features w.r.t. each class in the form (batch_size, nb_classes, input_shape) when computing for all classes, otherwise shape becomes (batch_size, 1, input_shape) when label parameter is specified.

BlackBox Classifier

class art.estimators.classification.BlackBoxClassifier(predict: Callable, input_shape: Tuple[int, ], nb_classes: int, clip_values: Optional[CLIP_VALUES_TYPE] = None, preprocessing_defences: Optional[Union[Preprocessor, List[Preprocessor]]] = None, postprocessing_defences: Optional[Union[Postprocessor, List[Postprocessor]]] = None, preprocessing: PREPROCESSING_TYPE = 0, 1)

Wrapper class for black-box classifiers.

__init__(predict: Callable, input_shape: Tuple[int, ], nb_classes: int, clip_values: Optional[CLIP_VALUES_TYPE] = None, preprocessing_defences: Optional[Union[Preprocessor, List[Preprocessor]]] = None, postprocessing_defences: Optional[Union[Postprocessor, List[Postprocessor]]] = None, preprocessing: PREPROCESSING_TYPE = 0, 1)

Create a Classifier instance for a black-box model.

Parameters
  • predict (Callable) – Function that takes in one input of the data and returns the one-hot encoded predicted class.

  • input_shape (Tuple) – Size of input.

  • nb_classes (int) – Number of prediction classes.

  • clip_values – Tuple of the form (min, max) of floats or np.ndarray representing the minimum and maximum values allowed for features. If floats are provided, these will be used as the range of all features. If arrays are provided, each value will be considered the bound for a feature, thus the shape of clip values needs to match the total number of features.

  • preprocessing_defences – Preprocessing defence(s) to be applied by the classifier.

  • postprocessing_defences – Postprocessing defence(s) to be applied by the classifier.

  • preprocessing – Tuple of the form (subtractor, divider) of floats or np.ndarray of values to be used for data preprocessing. The first value will be subtracted from the input. The input will then be divided by the second one.

property clip_values

Return the clip values of the input samples.

Returns

Clip values (min, max).

fit(*args, **kwargs)

Fit the classifier on the training set (x, y).

Parameters
  • x – Training data.

  • y – Labels, one-vs-rest encoding.

  • kwargs – Dictionary of framework-specific arguments. These should be parameters supported by the fit_generator function in Keras and will be passed to this function as such. Including the number of epochs or the number of steps per epoch as part of this argument will result in as error.

Raises

NotImplementedException – This method is not supported for blackbox classifiers.

get_params() → Dict[str, Any]

Get all parameters and their values of this estimator.

Returns

A dictionary of string parameter names to their value.

property input_shape

Return the shape of one input sample.

Returns

Shape of one input sample.

property model

Return the model.

Returns

The model.

property nb_classes

Return the number of output classes.

Returns

Number of classes in the data.

predict(*args, **kwargs)

Perform prediction for a batch of inputs.

Parameters
  • x – Test set.

  • batch_size – Size of batches.

Returns

Array of predictions of shape (nb_inputs, nb_classes).

save(filename: str, path: Optional[str] = None) → None

Save a model to file in the format specific to the backend framework. For Keras, .h5 format is used.

Parameters
  • filename (str) – Name of the file where to store the model.

  • path – Path of the folder where to store the model. If no path is specified, the model will be stored in the default data location of the library ART_DATA_PATH.

Raises

NotImplementedException – This method is not supported for blackbox classifiers.

set_params(**kwargs) → None

Take a dictionary of parameters and apply checks before setting them as attributes.

Parameters

kwargs – A dictionary of attributes.

Keras Classifier

class art.estimators.classification.KerasClassifier(**kwargs)

Wrapper class for importing Keras models. The supported backends for Keras are TensorFlow and Theano.

__init__(model: Union[keras.models.Model, tf.keras.models.Model], use_logits: bool = False, channel_index=<art.utils._Deprecated object>, channels_first: bool = False, clip_values: Optional[Tuple[Union[int, float, numpy.ndarray], Union[int, float, numpy.ndarray]]] = None, preprocessing_defences: Optional[Union[Preprocessor, List[Preprocessor]]] = None, postprocessing_defences: Optional[Union[Postprocessor, List[Postprocessor]]] = None, preprocessing: Optional[Tuple[Union[int, float, numpy.ndarray], Union[int, float, numpy.ndarray]]] = (0, 1), input_layer: int = 0, output_layer: int = 0) → None

Create a Classifier instance from a Keras model. Assumes the model passed as argument is compiled.

Parameters
  • model – Keras model, neural network or other.

  • use_logits (bool) – True if the output of the model are logits; false for probabilities or any other type of outputs. Logits output should be favored when possible to ensure attack efficiency.

  • channel_index (int) – Index of the axis in data containing the color channels or features.

  • channels_first (bool) – Set channels first or last.

  • clip_values – Tuple of the form (min, max) of floats or np.ndarray representing the minimum and maximum values allowed for features. If floats are provided, these will be used as the range of all features. If arrays are provided, each value will be considered the bound for a feature, thus the shape of clip values needs to match the total number of features.

  • preprocessing_defences – Preprocessing defence(s) to be applied by the classifier.

  • postprocessing_defences – Postprocessing defence(s) to be applied by the classifier.

  • preprocessing – Tuple of the form (subtractor, divider) of floats or np.ndarray of values to be used for data preprocessing. The first value will be subtracted from the input. The input will then be divided by the second one.

  • input_layer (int) – The index of the layer to consider as input for models with multiple input layers. The layer with this index will be considered for computing gradients. For models with only one input layer this values is not required.

  • output_layer (int) – Which layer to consider as the output when the models has multiple output layers. The layer with this index will be considered for computing gradients. For models with only one output layer this values is not required.

property channel_index
Returns

Index of the axis containing the color channels in the samples x.

property channels_first
Returns

Boolean to indicate index of the color channels in the sample x.

class_gradient(*args, **kwargs)

Compute per-class derivatives w.r.t. x.

Parameters
  • x – Sample input with shape as expected by the model.

  • label – Index of a specific per-class derivative. If an integer is provided, the gradient of that class output is computed for all samples. If multiple values are provided, the first dimension should match the batch size of x, and each value will be used as target for its corresponding sample in x. If None, then gradients for all classes will be computed for each sample.

Returns

Array of gradients of input features w.r.t. each class in the form (batch_size, nb_classes, input_shape) when computing for all classes, otherwise shape becomes (batch_size, 1, input_shape) when label parameter is specified.

property clip_values

Return the clip values of the input samples.

Returns

Clip values (min, max).

custom_loss_gradient(nn_function, tensors, input_values, name='default')

Returns the gradient of the nn_function with respect to model input

Parameters
  • nn_function (a Keras tensor) – an intermediate tensor representation of the function to differentiate

  • tensors (list) – the tensors or variables to differentiate with respect to

  • input_values (list) – the inputs to evaluate the gradient

  • name (str) – The name of the function. Functions of the same name are cached

Returns

the gradient of the function w.r.t vars

Return type

np.ndarray

fit(*args, **kwargs)

Fit the classifier on the training set (x, y).

Parameters
  • x – Training data.

  • y – Target values (class labels) one-hot-encoded of shape (nb_samples, nb_classes) or index labels of shape (nb_samples,).

  • batch_size – Size of batches.

  • nb_epochs – Number of epochs to use for training.

  • kwargs – Dictionary of framework-specific arguments. These should be parameters supported by the fit_generator function in Keras and will be passed to this function as such. Including the number of epochs or the number of steps per epoch as part of this argument will result in as error.

fit_generator(generator: DataGenerator, nb_epochs: int = 20, **kwargs) → None

Fit the classifier using the generator that yields batches as specified.

Parameters
  • generator – Batch generator providing (x, y) for each epoch. If the generator can be used for native training in Keras, it will.

  • nb_epochs (int) – Number of epochs to use for training.

  • kwargs – Dictionary of framework-specific arguments. These should be parameters supported by the fit_generator function in Keras and will be passed to this function as such. Including the number of epochs as part of this argument will result in as error.

get_activations(*args, **kwargs)

Return the output of the specified layer for input x. layer is specified by layer index (between 0 and nb_layers - 1) or by name. The number of layers can be determined by counting the results returned by calling layer_names.

Parameters
  • x – Input for computing the activations.

  • layer – Layer for computing the activations.

  • batch_size – Size of batches.

  • framework – If true, return the intermediate tensor representation of the activation.

Returns

The output of layer, where the first dimension is the batch size corresponding to x.

get_params() → Dict[str, Any]

Get all parameters and their values of this estimator.

Returns

A dictionary of string parameter names to their value.

property input_shape

Return the shape of one input sample.

Returns

Shape of one input sample.

property layer_names

Return the names of the hidden layers in the model, if applicable.

Returns

The names of the hidden layers in the model, input and output layers are ignored.

Warning

layer_names tries to infer the internal structure of the model. This feature comes with no guarantees on the correctness of the result. The intended order of the layers tries to match their order in the model, but this is not guaranteed either.

property learning_phase

The learning phase set by the user. Possible values are True for training or False for prediction and None if it has not been set by the library. In the latter case, the library does not do any explicit learning phase manipulation and the current value of the backend framework is used. If a value has been set by the user for this property, it will impact all following computations for model fitting, prediction and gradients.

Returns

Learning phase.

loss_gradient(*args, **kwargs)

Compute the gradient of the loss function w.r.t. x.

Parameters
  • x – Sample input with shape as expected by the model.

  • y – Target values (class labels) one-hot-encoded of shape (nb_samples, nb_classes) or indices of shape (nb_samples,).

Returns

Array of gradients of the same shape as x.

property model

Return the model.

Returns

The model.

property nb_classes

Return the number of output classes.

Returns

Number of classes in the data.

predict(*args, **kwargs)

Perform prediction for a batch of inputs.

Parameters
  • x – Test set.

  • batch_size – Size of batches.

Returns

Array of predictions of shape (nb_inputs, nb_classes).

save(filename: str, path: Optional[str] = None) → None

Save a model to file in the format specific to the backend framework. For Keras, .h5 format is used.

Parameters
  • filename (str) – Name of the file where to store the model.

  • path – Path of the folder where to store the model. If no path is specified, the model will be stored in the default data location of the library ART_DATA_PATH.

set_learning_phase(train: bool) → None

Set the learning phase for the backend framework.

Parameters

train (bool) – True to set the learning phase to training, False to set it to prediction.

set_params(**kwargs) → None

Take a dictionary of parameters and apply checks before setting them as attributes.

Parameters

kwargs – A dictionary of attributes.

MXNet Classifier

class art.estimators.classification.MXClassifier(**kwargs)

Wrapper class for importing MXNet Gluon models.

__init__(model: mx.gluon.Block, loss: Union[mx.nd.loss, mx.gluon.loss], input_shape: Tuple[int, ...], nb_classes: int, optimizer: Optional[mx.gluon.Trainer] = None, ctx: Optional[mx.context.Context] = None, channel_index=<art.utils._Deprecated object>, channels_first: bool = True, clip_values: Optional[Tuple[Union[int, float, numpy.ndarray], Union[int, float, numpy.ndarray]]] = None, preprocessing_defences: Optional[Union[Preprocessor, List[Preprocessor]]] = None, postprocessing_defences: Optional[Union[Postprocessor, List[Postprocessor]]] = None, preprocessing: Optional[Tuple[Union[int, float, numpy.ndarray], Union[int, float, numpy.ndarray]]] = (0, 1)) → None

Initialize an MXClassifier object. Assumes the model passed as parameter is a Gluon model.

Parameters
  • model – The Gluon model. The output of the model can be logits, probabilities or anything else. Logits output should be preferred where possible to ensure attack efficiency.

  • loss – The loss function for which to compute gradients for training.

  • input_shape (Tuple) – The shape of one input instance.

  • nb_classes (int) – The number of classes of the model.

  • optimizer – The optimizer used to train the classifier. This parameter is only required if fitting will be done with method fit.

  • ctx – The device on which the model runs (CPU or GPU). If not provided, CPU is assumed.

  • channel_index (int) – Index of the axis in data containing the color channels or features.

  • channels_first (bool) – Set channels first or last.

  • clip_values – Tuple of the form (min, max) of floats or np.ndarray representing the minimum and maximum values allowed for features. If floats are provided, these will be used as the range of all features. If arrays are provided, each value will be considered the bound for a feature, thus the shape of clip values needs to match the total number of features.

  • preprocessing_defences – Preprocessing defence(s) to be applied by the classifier.

  • postprocessing_defences – Postprocessing defence(s) to be applied by the classifier.

  • preprocessing – Tuple of the form (subtractor, divider) of floats or np.ndarray of values to be used for data preprocessing. The first value will be subtracted from the input. The input will then be divided by the second one.

property channel_index
Returns

Index of the axis containing the color channels in the samples x.

property channels_first
Returns

Boolean to indicate index of the color channels in the sample x.

class_gradient(*args, **kwargs)

Compute per-class derivatives w.r.t. x.

Parameters
  • x – Sample input with shape as expected by the model.

  • label – Index of a specific per-class derivative. If an integer is provided, the gradient of that class output is computed for all samples. If multiple values as provided, the first dimension should match the batch size of x, and each value will be used as target for its corresponding sample in x. If None, then gradients for all classes will be computed for each sample.

Returns

Array of gradients of input features w.r.t. each class in the form (batch_size, nb_classes, input_shape) when computing for all classes, otherwise shape becomes (batch_size, 1, input_shape) when label parameter is specified.

property clip_values

Return the clip values of the input samples.

Returns

Clip values (min, max).

fit(*args, **kwargs)

Fit the classifier on the training set (inputs, outputs).

Parameters
  • x – Training data.

  • y – Target values (class labels) one-hot-encoded of shape (nb_samples, nb_classes) or index labels of shape (nb_samples,).

  • batch_size – Size of batches.

  • nb_epochs – Number of epochs to use for training.

  • kwargs – Dictionary of framework-specific arguments. This parameter is not currently supported for MXNet and providing it takes no effect.

fit_generator(generator: DataGenerator, nb_epochs: int = 20, **kwargs) → None

Fit the classifier using the generator that yields batches as specified.

Parameters
  • generator – Batch generator providing (x, y) for each epoch.

  • nb_epochs (int) – Number of epochs to use for training.

  • kwargs – Dictionary of framework-specific arguments. This parameter is not currently supported for MXNet and providing it takes no effect.

get_activations(*args, **kwargs)

Return the output of the specified layer for input x. layer is specified by layer index (between 0 and nb_layers - 1) or by name. The number of layers can be determined by counting the results returned by calling layer_names.

Parameters
  • x – Input for computing the activations.

  • layer – Layer for computing the activations

  • batch_size – Size of batches.

  • framework – If true, return the intermediate tensor representation of the activation.

Returns

The output of layer, where the first dimension is the batch size corresponding to x.

get_params() → Dict[str, Any]

Get all parameters and their values of this estimator.

Returns

A dictionary of string parameter names to their value.

property input_shape

Return the shape of one input sample.

Returns

Shape of one input sample.

property layer_names

Return the hidden layers in the model, if applicable.

Returns

The hidden layers in the model, input and output layers excluded.

Warning

layer_names tries to infer the internal structure of the model. This feature comes with no guarantees on the correctness of the result. The intended order of the layers tries to match their order in the model, but this is not guaranteed either.

property learning_phase

The learning phase set by the user. Possible values are True for training or False for prediction and None if it has not been set by the library. In the latter case, the library does not do any explicit learning phase manipulation and the current value of the backend framework is used. If a value has been set by the user for this property, it will impact all following computations for model fitting, prediction and gradients.

Returns

Learning phase.

loss_gradient(*args, **kwargs)

Compute the gradient of the loss function w.r.t. x.

Parameters
  • x – Sample input with shape as expected by the model.

  • y – Target values (class labels) one-hot-encoded of shape (nb_samples, nb_classes) or indices of shape (nb_samples,).

Returns

Array of gradients of the same shape as x.

property model

Return the model.

Returns

The model.

property nb_classes

Return the number of output classes.

Returns

Number of classes in the data.

predict(*args, **kwargs)

Perform prediction for a batch of inputs.

Parameters
  • x – Test set.

  • batch_size – Size of batches.

Returns

Array of predictions of shape (nb_inputs, nb_classes).

save(filename: str, path: Optional[str] = None) → None

Save a model to file in the format specific to the backend framework. For Gluon, only parameters are saved in file with name <filename>.params at the specified path. To load the saved model, the original model code needs to be run before calling load_parameters on the generated Gluon model.

Parameters
  • filename (str) – Name of the file where to store the model.

  • path – Path of the folder where to store the model. If no path is specified, the model will be stored in the default data location of the library ART_DATA_PATH.

set_learning_phase(train: bool) → None

Set the learning phase for the backend framework.

Parameters

train (bool) – True to set the learning phase to training, False to set it to prediction.

set_params(**kwargs) → None

Take a dictionary of parameters and apply checks before setting them as attributes.

Parameters

kwargs – A dictionary of attributes.

PyTorch Classifier

class art.estimators.classification.PyTorchClassifier(**kwargs)

This class implements a classifier with the PyTorch framework.

__init__(model: torch.nn.Module, loss: torch.nn.modules.loss._Loss, input_shape: Tuple[int, ...], nb_classes: int, optimizer: Optional[torch.optim.Optimizer] = None, channel_index=<art.utils._Deprecated object>, channels_first: bool = True, clip_values: Optional[Tuple[Union[int, float, numpy.ndarray], Union[int, float, numpy.ndarray]]] = None, preprocessing_defences: Optional[Union[Preprocessor, List[Preprocessor]]] = None, postprocessing_defences: Optional[Union[Postprocessor, List[Postprocessor]]] = None, preprocessing: Optional[Tuple[Union[int, float, numpy.ndarray], Union[int, float, numpy.ndarray]]] = (0, 1), device_type: str = 'gpu') → None

Initialization specifically for the PyTorch-based implementation.

Parameters
  • model – PyTorch model. The output of the model can be logits, probabilities or anything else. Logits output should be preferred where possible to ensure attack efficiency.

  • loss – The loss function for which to compute gradients for training. The target label must be raw categorical, i.e. not converted to one-hot encoding.

  • input_shape (Tuple) – The shape of one input instance.

  • optimizer – The optimizer used to train the classifier.

  • nb_classes (int) – The number of classes of the model.

  • optimizer – The optimizer used to train the classifier.

  • channel_index (int) – Index of the axis in data containing the color channels or features.

  • channels_first (bool) – Set channels first or last.

  • clip_values – Tuple of the form (min, max) of floats or np.ndarray representing the minimum and maximum values allowed for features. If floats are provided, these will be used as the range of all features. If arrays are provided, each value will be considered the bound for a feature, thus the shape of clip values needs to match the total number of features.

  • preprocessing_defences – Preprocessing defence(s) to be applied by the classifier.

  • postprocessing_defences – Postprocessing defence(s) to be applied by the classifier.

  • preprocessing – Tuple of the form (subtractor, divider) of floats or np.ndarray of values to be used for data preprocessing. The first value will be subtracted from the input. The input will then be divided by the second one.

  • device_type (str) – Type of device on which the classifier is run, either gpu or cpu.

property channel_index
Returns

Index of the axis containing the color channels in the samples x.

property channels_first
Returns

Boolean to indicate index of the color channels in the sample x.

class_gradient(*args, **kwargs)

Compute per-class derivatives w.r.t. x.

Parameters
  • x – Sample input with shape as expected by the model.

  • label – Index of a specific per-class derivative. If an integer is provided, the gradient of that class output is computed for all samples. If multiple values as provided, the first dimension should match the batch size of x, and each value will be used as target for its corresponding sample in x. If None, then gradients for all classes will be computed for each sample.

Returns

Array of gradients of input features w.r.t. each class in the form (batch_size, nb_classes, input_shape) when computing for all classes, otherwise shape becomes (batch_size, 1, input_shape) when label parameter is specified.

property clip_values

Return the clip values of the input samples.

Returns

Clip values (min, max).

property device

Get current used device.

Returns

Current used device.

fit(*args, **kwargs)

Fit the classifier on the training set (x, y).

Parameters
  • x – Training data.

  • y – Target values (class labels) one-hot-encoded of shape (nb_samples, nb_classes) or index labels of shape (nb_samples,).

  • batch_size – Size of batches.

  • nb_epochs – Number of epochs to use for training.

  • kwargs – Dictionary of framework-specific arguments. This parameter is not currently supported for PyTorch and providing it takes no effect.

fit_generator(generator: DataGenerator, nb_epochs: int = 20, **kwargs) → None

Fit the classifier using the generator that yields batches as specified.

Parameters
  • generator – Batch generator providing (x, y) for each epoch.

  • nb_epochs (int) – Number of epochs to use for training.

  • kwargs – Dictionary of framework-specific arguments. This parameter is not currently supported for PyTorch and providing it takes no effect.

get_activations(*args, **kwargs)

Return the output of the specified layer for input x. layer is specified by layer index (between 0 and nb_layers - 1) or by name. The number of layers can be determined by counting the results returned by calling layer_names.

Parameters
  • x – Input for computing the activations.

  • layer – Layer for computing the activations

  • batch_size – Size of batches.

  • framework – If true, return the intermediate tensor representation of the activation.

Returns

The output of layer, where the first dimension is the batch size corresponding to x.

get_params() → Dict[str, Any]

Get all parameters and their values of this estimator.

Returns

A dictionary of string parameter names to their value.

property input_shape

Return the shape of one input sample.

Returns

Shape of one input sample.

property layer_names

Return the names of the hidden layers in the model, if applicable.

Returns

The names of the hidden layers in the model, input and output layers are ignored.

Warning

layer_names tries to infer the internal structure of the model. This feature comes with no guarantees on the correctness of the result. The intended order of the layers tries to match their order in the model, but this is not guaranteed either.

property learning_phase

The learning phase set by the user. Possible values are True for training or False for prediction and None if it has not been set by the library. In the latter case, the library does not do any explicit learning phase manipulation and the current value of the backend framework is used. If a value has been set by the user for this property, it will impact all following computations for model fitting, prediction and gradients.

Returns

Learning phase.

loss_gradient(*args, **kwargs)

Compute the gradient of the loss function w.r.t. x.

Parameters
  • x – Sample input with shape as expected by the model.

  • y – Target values (class labels) one-hot-encoded of shape (nb_samples, nb_classes) or indices of shape (nb_samples,).

Returns

Array of gradients of the same shape as x.

loss_gradient_framework(x: torch.Tensor, y: torch.Tensor, **kwargs) → torch.Tensor

Compute the gradient of the loss function w.r.t. x.

Parameters
  • x – Input with shape as expected by the model.

  • y – Target values (class labels) one-hot-encoded of shape (nb_samples, nb_classes) or indices of shape (nb_samples,).

Returns

Gradients of the same shape as x.

property model

Return the model.

Returns

The model.

property nb_classes

Return the number of output classes.

Returns

Number of classes in the data.

predict(*args, **kwargs)

Perform prediction for a batch of inputs.

Parameters
  • x – Test set.

  • batch_size – Size of batches.

Returns

Array of predictions of shape (nb_inputs, nb_classes).

save(filename: str, path: Optional[str] = None) → None

Save a model to file in the format specific to the backend framework.

Parameters
  • filename (str) – Name of the file where to store the model.

  • path – Path of the folder where to store the model. If no path is specified, the model will be stored in the default data location of the library ART_DATA_PATH.

set_learning_phase(train: bool) → None

Set the learning phase for the backend framework.

Parameters

train (bool) – True to set the learning phase to training, False to set it to prediction.

set_params(**kwargs) → None

Take a dictionary of parameters and apply checks before setting them as attributes.

Parameters

kwargs – A dictionary of attributes.

TensorFlow Classifier

class art.estimators.classification.TensorFlowClassifier(**kwargs)

This class implements a classifier with the TensorFlow framework.

__init__(input_ph: tf.Placeholder, output: tf.Tensor, labels_ph: Optional[tf.Placeholder] = None, train: Optional[tf.Tensor] = None, loss: Optional[tf.Tensor] = None, learning: Optional[tf.Placeholder] = None, sess: Optional[tf.Session] = None, channel_index=<art.utils._Deprecated object>, channels_first: bool = False, clip_values: Optional[Tuple[Union[int, float, numpy.ndarray], Union[int, float, numpy.ndarray]]] = None, preprocessing_defences: Optional[Union[Preprocessor, List[Preprocessor]]] = None, postprocessing_defences: Optional[Union[Postprocessor, List[Postprocessor]]] = None, preprocessing: Optional[Tuple[Union[int, float, numpy.ndarray], Union[int, float, numpy.ndarray]]] = (0, 1), feed_dict: Dict[Any, Any] = {}) → None

Initialization specific to TensorFlow models implementation.

Parameters
  • input_ph – The input placeholder.

  • output – The output layer of the model. This can be logits, probabilities or anything else. Logits output should be preferred where possible to ensure attack efficiency.

  • labels_ph – The labels placeholder of the model. This parameter is necessary when training the model and when computing gradients w.r.t. the loss function.

  • train – The train tensor for fitting, including an optimizer. Use this parameter only when training the model.

  • loss – The loss function for which to compute gradients. This parameter is necessary when training the model and when computing gradients w.r.t. the loss function.

  • learning – The placeholder to indicate if the model is training.

  • sess – Computation session.

  • channel_index (int) – Index of the axis in data containing the color channels or features.

  • channels_first (bool) – Set channels first or last.

  • clip_values – Tuple of the form (min, max) of floats or np.ndarray representing the minimum and maximum values allowed for features. If floats are provided, these will be used as the range of all features. If arrays are provided, each value will be considered the bound for a feature, thus the shape of clip values needs to match the total number of features.

  • preprocessing_defences – Preprocessing defence(s) to be applied by the classifier.

  • postprocessing_defences – Postprocessing defence(s) to be applied by the classifier.

  • preprocessing – Tuple of the form (subtractor, divider) of floats or np.ndarray of values to be used for data preprocessing. The first value will be subtracted from the input. The input will then be divided by the second one.

  • feed_dict (Dict) – A feed dictionary for the session run evaluating the classifier. This dictionary includes all additionally required placeholders except the placeholders defined in this class.

property channel_index
Returns

Index of the axis containing the color channels in the samples x.

property channels_first
Returns

Boolean to indicate index of the color channels in the sample x.

class_gradient(*args, **kwargs)

Compute per-class derivatives w.r.t. x.

Parameters
  • x – Sample input with shape as expected by the model.

  • label – Index of a specific per-class derivative. If an integer is provided, the gradient of that class output is computed for all samples. If multiple values as provided, the first dimension should match the batch size of x, and each value will be used as target for its corresponding sample in x. If None, then gradients for all classes will be computed for each sample.

Returns

Array of gradients of input features w.r.t. each class in the form (batch_size, nb_classes, input_shape) when computing for all classes, otherwise shape becomes (batch_size, 1, input_shape) when label parameter is specified.

property clip_values

Return the clip values of the input samples.

Returns

Clip values (min, max).

fit(*args, **kwargs)

Fit the classifier on the training set (x, y).

Parameters
  • x – Training data.

  • y – Target values (class labels) one-hot-encoded of shape (nb_samples, nb_classes) or index labels of shape (nb_samples,).

  • batch_size – Size of batches.

  • nb_epochs – Number of epochs to use for training.

  • kwargs – Dictionary of framework-specific arguments. This parameter is not currently supported for TensorFlow and providing it takes no effect.

fit_generator(generator: DataGenerator, nb_epochs: int = 20, **kwargs) → None

Fit the classifier using the generator that yields batches as specified.

Parameters
  • generator – Batch generator providing (x, y) for each epoch. If the generator can be used for native training in TensorFlow, it will.

  • nb_epochs (int) – Number of epochs to use for training.

  • kwargs – Dictionary of framework-specific arguments. This parameter is not currently supported for TensorFlow and providing it takes no effect.

get_activations(*args, **kwargs)

Return the output of the specified layer for input x. layer is specified by layer index (between 0 and nb_layers - 1) or by name. The number of layers can be determined by counting the results returned by calling layer_names.

Parameters
  • x – Input for computing the activations.

  • layer – Layer for computing the activations.

  • batch_size – Size of batches.

  • framework – If true, return the intermediate tensor representation of the activation.

Returns

The output of layer, where the first dimension is the batch size corresponding to x.

get_params() → Dict[str, Any]

Get all parameters and their values of this estimator.

Returns

A dictionary of string parameter names to their value.

property input_shape

Return the shape of one input sample.

Returns

Shape of one input sample.

property layer_names

Return the names of the hidden layers in the model, if applicable.

Returns

The names of the hidden layers in the model, input and output layers are ignored.

Warning

layer_names tries to infer the internal structure of the model. This feature comes with no guarantees on the correctness of the result. The intended order of the layers tries to match their order in the model, but this is not guaranteed either.

property learning_phase

The learning phase set by the user. Possible values are True for training or False for prediction and None if it has not been set by the library. In the latter case, the library does not do any explicit learning phase manipulation and the current value of the backend framework is used. If a value has been set by the user for this property, it will impact all following computations for model fitting, prediction and gradients.

Returns

Learning phase.

loss_gradient(*args, **kwargs)

Compute the gradient of the loss function w.r.t. x.

Parameters
  • x – Sample input with shape as expected by the model.

  • y – Target values (class labels) one-hot-encoded of shape (nb_samples, nb_classes) or indices of shape (nb_samples,).

Returns

Array of gradients of the same shape as x.

property model

Return the model.

Returns

The model.

property nb_classes

Return the number of output classes.

Returns

Number of classes in the data.

predict(*args, **kwargs)

Perform prediction for a batch of inputs.

Parameters
  • x – Test set.

  • batch_size – Size of batches.

Returns

Array of predictions of shape (num_inputs, nb_classes).

save(filename: str, path: Optional[str] = None) → None

Save a model to file in the format specific to the backend framework. For TensorFlow, .ckpt is used.

Parameters
  • filename (str) – Name of the file where to store the model.

  • path – Path of the folder where to store the model. If no path is specified, the model will be stored in the default data location of the library ART_DATA_PATH.

set_learning_phase(train: bool) → None

Set the learning phase for the backend framework.

Parameters

train (bool) – True to set the learning phase to training, False to set it to prediction.

set_params(**kwargs) → None

Take a dictionary of parameters and apply checks before setting them as attributes.

Parameters

kwargs – A dictionary of attributes.

TensorFlow v2 Classifier

class art.estimators.classification.TensorFlowV2Classifier(**kwargs)

This class implements a classifier with the TensorFlow v2 framework.

__init__(model: Callable, nb_classes: int, input_shape: Tuple[int, ...], loss_object: Optional[tf.keras.losses.Loss] = None, train_step: Optional[Callable] = None, channel_index=<art.utils._Deprecated object>, channels_first: bool = False, clip_values: Optional[Tuple[Union[int, float, numpy.ndarray], Union[int, float, numpy.ndarray]]] = None, preprocessing_defences: Optional[Union[Preprocessor, List[Preprocessor]]] = None, postprocessing_defences: Optional[Union[Postprocessor, List[Postprocessor]]] = None, preprocessing: Optional[Tuple[Union[int, float, numpy.ndarray], Union[int, float, numpy.ndarray]]] = (0, 1)) → None

Initialization specific to TensorFlow v2 models.

Parameters
  • model (Callable) – a python functions or callable class defining the model and providing it prediction as output.

  • nb_classes (int) – the number of classes in the classification task.

  • input_shape (Tuple) – shape of one input for the classifier, e.g. for MNIST input_shape=(28, 28, 1).

  • loss_object (tf.keras.losses) – The loss function for which to compute gradients. This parameter is applied for training the model and computing gradients of the loss w.r.t. the input.

  • train_step – A function that applies a gradient update to the trainable variables with signature train_step(model, images, labels).

  • channel_index (int) – Index of the axis in data containing the color channels or features.

  • channels_first (bool) – Set channels first or last.

  • clip_values – Tuple of the form (min, max) of floats or np.ndarray representing the minimum and maximum values allowed for features. If floats are provided, these will be used as the range of all features. If arrays are provided, each value will be considered the bound for a feature, thus the shape of clip values needs to match the total number of features.

  • preprocessing_defences – Preprocessing defence(s) to be applied by the classifier.

  • postprocessing_defences – Postprocessing defence(s) to be applied by the classifier.

  • preprocessing – Tuple of the form (substractor, divider) of floats or np.ndarray of values to be used for data preprocessing. The first value will be substracted from the input. The input will then be divided by the second one.

property channel_index
Returns

Index of the axis containing the color channels in the samples x.

property channels_first
Returns

Boolean to indicate index of the color channels in the sample x.

class_gradient(*args, **kwargs)

Compute per-class derivatives w.r.t. x.

Parameters
  • x – Sample input with shape as expected by the model.

  • label – Index of a specific per-class derivative. If an integer is provided, the gradient of that class output is computed for all samples. If multiple values as provided, the first dimension should match the batch size of x, and each value will be used as target for its corresponding sample in x. If None, then gradients for all classes will be computed for each sample.

Returns

Array of gradients of input features w.r.t. each class in the form (batch_size, nb_classes, input_shape) when computing for all classes, otherwise shape becomes (batch_size, 1, input_shape) when label parameter is specified.

property clip_values

Return the clip values of the input samples.

Returns

Clip values (min, max).

fit(*args, **kwargs)

Fit the classifier on the training set (x, y).

Parameters
  • x – Training data.

  • y – Labels, one-hot-encoded of shape (nb_samples, nb_classes) or index labels of shape (nb_samples,).

  • batch_size – Size of batches.

  • nb_epochs – Number of epochs to use for training.

  • kwargs – Dictionary of framework-specific arguments. This parameter is not currently supported for TensorFlow and providing it takes no effect.

fit_generator(generator: DataGenerator, nb_epochs: int = 20, **kwargs) → None

Fit the classifier using the generator that yields batches as specified.

Parameters
  • generator – Batch generator providing (x, y) for each epoch. If the generator can be used for native training in TensorFlow, it will.

  • nb_epochs (int) – Number of epochs to use for training.

  • kwargs – Dictionary of framework-specific arguments. This parameter is not currently supported for TensorFlow and providing it takes no effect.

get_activations(*args, **kwargs)

Return the output of the specified layer for input x. layer is specified by layer index (between 0 and nb_layers - 1) or by name. The number of layers can be determined by counting the results returned by calling layer_names.

Parameters
  • x – Input for computing the activations.

  • layer – Layer for computing the activations.

  • batch_size – Batch size.

Returns

The output of layer, where the first dimension is the batch size corresponding to x.

get_params() → Dict[str, Any]

Get all parameters and their values of this estimator.

Returns

A dictionary of string parameter names to their value.

property input_shape

Return the shape of one input sample.

Returns

Shape of one input sample.

property layer_names

Return the hidden layers in the model, if applicable.

Returns

The hidden layers in the model, input and output layers excluded.

Warning

layer_names tries to infer the internal structure of the model. This feature comes with no guarantees on the correctness of the result. The intended order of the layers tries to match their order in the model, but this is not guaranteed either.

property learning_phase

The learning phase set by the user. Possible values are True for training or False for prediction and None if it has not been set by the library. In the latter case, the library does not do any explicit learning phase manipulation and the current value of the backend framework is used. If a value has been set by the user for this property, it will impact all following computations for model fitting, prediction and gradients.

Returns

Learning phase.

loss_gradient(*args, **kwargs)

Compute the gradient of the loss function w.r.t. x.

Parameters
  • x – Sample input with shape as expected by the model.

  • y – Correct labels, one-vs-rest encoding.

Returns

Array of gradients of the same shape as x.

loss_gradient_framework(x: tf.Tensor, y: tf.Tensor, **kwargs) → tf.Tensor

Compute the gradient of the loss function w.r.t. x.

Parameters
  • x – Input with shape as expected by the model.

  • y – Target values (class labels) one-hot-encoded of shape (nb_samples, nb_classes) or indices of shape (nb_samples,).

Returns

Gradients of the same shape as x.

property model

Return the model.

Returns

The model.

property nb_classes

Return the number of output classes.

Returns

Number of classes in the data.

predict(*args, **kwargs)

Perform prediction for a batch of inputs.

Parameters
  • x – Test set.

  • batch_size – Size of batches.

Returns

Array of predictions of shape (nb_inputs, nb_classes).

save(filename: str, path: Optional[str] = None) → None

Save a model to file in the format specific to the backend framework. For TensorFlow, .ckpt is used.

Parameters
  • filename (str) – Name of the file where to store the model.

  • path – Path of the folder where to store the model. If no path is specified, the model will be stored in the default data location of the library ART_DATA_PATH.

set_learning_phase(train: bool) → None

Set the learning phase for the backend framework.

Parameters

train (bool) – True to set the learning phase to training, False to set it to prediction.

set_params(**kwargs) → None

Take a dictionary of parameters and apply checks before setting them as attributes.

Parameters

kwargs – A dictionary of attributes.

Ensemble Classifier

class art.estimators.classification.EnsembleClassifier(**kwargs)

Class allowing to aggregate multiple classifiers as an ensemble. The individual classifiers are expected to be trained when the ensemble is created and no training procedures are provided through this class.

__init__(classifiers: List[art.estimators.classification.classifier.ClassifierNeuralNetwork], classifier_weights: Optional[Union[list, numpy.ndarray]] = None, channel_index=<art.utils._Deprecated object>, channels_first: bool = False, clip_values: Optional[CLIP_VALUES_TYPE] = None, preprocessing_defences: Optional[Union[Preprocessor, List[Preprocessor]]] = None, postprocessing_defences: Optional[Union[Postprocessor, List[Postprocessor]]] = None, preprocessing: PREPROCESSING_TYPE = (0, 1)) → None

Initialize a EnsembleClassifier object. The data range values and colour channel index have to be consistent for all the classifiers in the ensemble.

Parameters
  • classifiers (List) – List of Classifier instances to be ensembled together.

  • classifier_weights – List of weights, one scalar per classifier, to assign to their prediction when aggregating results. If None, all classifiers are assigned the same weight.

  • channel_index (int) – Index of the axis in data containing the color channels or features.

  • channels_first (bool) – Set channels first or last.

  • clip_values – Tuple of the form (min, max) of floats or np.ndarray representing the minimum and maximum values allowed for features. If floats are provided, these will be used as the range of all features. If arrays are provided, each value will be considered the bound for a feature, thus the shape of clip values needs to match the total number of features.

  • preprocessing_defences – Preprocessing defence(s) to be applied by the classifier. Not applicable in this classifier.

  • postprocessing_defences – Postprocessing defence(s) to be applied by the classifier.

  • preprocessing – Tuple of the form (subtractor, divider) of floats or np.ndarray of values to be used for data preprocessing. The first value will be subtracted from the input. The input will then be divided by the second one. Not applicable in this classifier.

property channel_index
Returns

Index of the axis containing the color channels in the samples x.

property channels_first
Returns

Boolean to indicate index of the color channels in the sample x.

class_gradient(*args, **kwargs)

Compute per-class derivatives w.r.t. x.

Parameters
  • x – Sample input with shape as expected by the model.

  • label – Index of a specific per-class derivative. If None, then gradients for all classes will be computed.

  • raw – Return the individual classifier raw outputs (not aggregated).

Returns

Array of gradients of input features w.r.t. each class in the form (batch_size, nb_classes, input_shape) when computing for all classes, otherwise shape becomes (batch_size, 1, input_shape) when label parameter is specified. If raw=True, an additional dimension is added at the beginning of the array, indexing the different classifiers.

property clip_values

Return the clip values of the input samples.

Returns

Clip values (min, max).

fit(*args, **kwargs)

Fit the classifier on the training set (x, y). This function is not supported for ensembles.

Parameters
  • x – Training data.

  • y – Target values (class labels) one-hot-encoded of shape (nb_samples, nb_classes).

  • batch_size – Size of batches.

  • nb_epochs – Number of epochs to use for training.

  • kwargs – Dictionary of framework-specific arguments.

Raises

NotImplementedException – This method is not supported for ensembles.

fit_generator(generator: DataGenerator, nb_epochs: int = 20, **kwargs) → None

Fit the classifier using the generator that yields batches as specified. This function is not supported for ensembles.

Parameters
  • generator – Batch generator providing (x, y) for each epoch. If the generator can be used for native training in Keras, it will.

  • nb_epochs (int) – Number of epochs to use for trainings.

  • kwargs – Dictionary of framework-specific argument.

Raises

NotImplementedException – This method is not supported for ensembles.

get_activations(*args, **kwargs)

Return the output of the specified layer for input x. layer is specified by layer index (between 0 and nb_layers - 1) or by name. The number of layers can be determined by counting the results returned by calling layer_names. This function is not supported for ensembles.

Parameters
  • x – Input for computing the activations.

  • layer – Layer for computing the activations.

  • batch_size – Size of batches.

  • framework – If true, return the intermediate tensor representation of the activation.

Returns

The output of layer, where the first dimension is the batch size corresponding to x.

Raises

NotImplementedException – This method is not supported for ensembles.

get_params() → Dict[str, Any]

Get all parameters and their values of this estimator.

Returns

A dictionary of string parameter names to their value.

property input_shape

Return the shape of one input sample.

Returns

Shape of one input sample.

property layer_names

Return the hidden layers in the model, if applicable. This function is not supported for ensembles.

Returns

The hidden layers in the model, input and output layers excluded.

Raises

NotImplementedException – This method is not supported for ensembles.

property learning_phase

The learning phase set by the user. Possible values are True for training or False for prediction and None if it has not been set by the library. In the latter case, the library does not do any explicit learning phase manipulation and the current value of the backend framework is used. If a value has been set by the user for this property, it will impact all following computations for model fitting, prediction and gradients.

Returns

Learning phase.

loss_gradient(*args, **kwargs)

Compute the gradient of the loss function w.r.t. x.

Parameters
  • x – Sample input with shape as expected by the model.

  • y – Target values (class labels) one-hot-encoded of shape (nb_samples, nb_classes) or indices of shape (nb_samples,).

  • raw – Return the individual classifier raw outputs (not aggregated).

Returns

Array of gradients of the same shape as x. If raw=True, shape becomes [nb_classifiers, x.shape].

property model

Return the model.

Returns

The model.

property nb_classes

Return the number of output classes.

Returns

Number of classes in the data.

predict(*args, **kwargs)

Perform prediction for a batch of inputs. Predictions from classifiers should only be aggregated if they all have the same type of output (e.g., probabilities). Otherwise, use raw=True to get predictions from all models without aggregation. The same option should be used for logits output, as logits are not comparable between models and should not be aggregated.

Parameters
  • x – Test set.

  • batch_size – Size of batches.

  • raw – Return the individual classifier raw outputs (not aggregated).

Returns

Array of predictions of shape (nb_inputs, nb_classes), or of shape (nb_classifiers, nb_inputs, nb_classes) if raw=True.

save(filename: str, path: Optional[str] = None) → None

Save a model to file in the format specific to the backend framework. This function is not supported for ensembles.

Parameters
  • filename (str) – Name of the file where to store the model.

  • path – Path of the folder where to store the model. If no path is specified, the model will be stored in the default data location of the library ART_DATA_PATH.

Raises

NotImplementedException – This method is not supported for ensembles.

set_learning_phase(train: bool) → None

Set the learning phase for the backend framework.

Parameters

train (bool) – True to set the learning phase to training, False to set it to prediction.

set_params(**kwargs) → None

Take a dictionary of parameters and apply checks before setting them as attributes.

Parameters

kwargs – A dictionary of attributes.

Scikit-learn Classifier Classifier

art.estimators.classification.SklearnClassifier(model: sklearn.base.BaseEstimator, clip_values: Optional[CLIP_VALUES_TYPE] = None, preprocessing_defences: Optional[Union[Preprocessor, List[Preprocessor]]] = None, postprocessing_defences: Optional[Union[Postprocessor, List[Postprocessor]]] = None, preprocessing: PREPROCESSING_TYPE = 0, 1) → ScikitlearnClassifier

Create a Classifier instance from a scikit-learn Classifier model. This is a convenience function that instantiates the correct wrapper class for the given scikit-learn model.

Parameters
  • model – scikit-learn Classifier model.

  • clip_values – Tuple of the form (min, max) representing the minimum and maximum values allowed for features.

  • preprocessing_defences – Preprocessing defence(s) to be applied by the classifier.

  • postprocessing_defences – Postprocessing defence(s) to be applied by the classifier.

  • preprocessing – Tuple of the form (subtractor, divider) of floats or np.ndarray of values to be used for data preprocessing. The first value will be subtracted from the input. The input will then be divided by the second one.

GPy Gaussian Process Classifier

class art.estimators.classification.GPyGaussianProcessClassifier(model: Optional[GPClassification] = None, clip_values: Optional[CLIP_VALUES_TYPE] = None, preprocessing_defences: Optional[Union[Preprocessor, List[Preprocessor]]] = None, postprocessing_defences: Optional[Union[Postprocessor, List[Postprocessor]]] = None, preprocessing: PREPROCESSING_TYPE = 0, 1)

Wrapper class for GPy Gaussian Process classification models.

__init__(model: Optional[GPClassification] = None, clip_values: Optional[CLIP_VALUES_TYPE] = None, preprocessing_defences: Optional[Union[Preprocessor, List[Preprocessor]]] = None, postprocessing_defences: Optional[Union[Postprocessor, List[Postprocessor]]] = None, preprocessing: PREPROCESSING_TYPE = 0, 1) → None

Create a Classifier instance GPY Gaussian Process classification models.

Parameters
  • model – GPY Gaussian Process Classification model.

  • clip_values – Tuple of the form (min, max) representing the minimum and maximum values allowed for features.

  • preprocessing_defences – Preprocessing defence(s) to be applied by the classifier.

  • postprocessing_defences – Postprocessing defence(s) to be applied by the classifier.

  • preprocessing – Tuple of the form (subtractor, divider) of floats or np.ndarray of values to be used for data preprocessing. The first value will be subtracted from the input. The input will then be divided by the second one.

class_gradient(*args, **kwargs)

Compute per-class derivatives w.r.t. x.

Parameters
  • x – Sample input with shape as expected by the model.

  • label – Index of a specific per-class derivative. If an integer is provided, the gradient of that class output is computed for all samples. If multiple values as provided, the first dimension should match the batch size of x, and each value will be used as target for its corresponding sample in x. If None, then gradients for all classes will be computed for each sample.

  • eps – Fraction added to the diagonal elements of the input x.

Returns

Array of gradients of input features w.r.t. each class in the form (batch_size, nb_classes, input_shape) when computing for all classes, otherwise shape becomes (batch_size, 1, input_shape) when label parameter is specified.

property clip_values

Return the clip values of the input samples.

Returns

Clip values (min, max).

fit(*args, **kwargs)

Fit the classifier on the training set (x, y).

Parameters
  • x – Training data. Not used, as given to model in initialized earlier.

  • y – Target values (class labels) one-hot-encoded of shape (nb_samples, nb_classes).

get_params() → Dict[str, Any]

Get all parameters and their values of this estimator.

Returns

A dictionary of string parameter names to their value.

property input_shape

Return the shape of one input sample.

Returns

Shape of one input sample.

loss_gradient(*args, **kwargs)

Compute the gradient of the loss function w.r.t. x.

Parameters
  • x – Sample input with shape as expected by the model.

  • y – Target values (class labels) one-hot-encoded of shape (nb_samples, nb_classes) or indices of shape (nb_samples,).

Returns

Array of gradients of the same shape as x.

property model

Return the model.

Returns

The model.

property nb_classes

Return the number of output classes.

Returns

Number of classes in the data.

predict(*args, **kwargs)

Perform prediction for a batch of inputs.

Parameters
  • x – Test set.

  • logitsTrue if the prediction should be done without squashing function.

Returns

Array of predictions of shape (nb_inputs, nb_classes).

predict_uncertainty(x: numpy.ndarray) → numpy.ndarray

Perform uncertainty prediction for a batch of inputs.

Return type

ndarray

Parameters

x (ndarray) – Test set.

Returns

Array of uncertainty predictions of shape (nb_inputs).

set_params(**kwargs) → None

Take a dictionary of parameters and apply checks before setting them as attributes.

Parameters

kwargs – A dictionary of attributes.