foolbox

A Python toolbox to create adversarial examples that fool neural networks in PyTorch, TensorFlow, and JAX

MIT License

Downloads
4.2K
Stars
2.7K
Committers
33

foolbox - Version 2.0.0 with batch support, model and defense zoo, threshold support and more

Published by jonasrauber almost 5 years ago

foolbox.attacks now refers to the attacks with batch support. The old attacks can still be accessed under foolbox.v1.attacks. Batch support has been added to almost all attacks and new attacks will only be implemented with batch support. If you need batch support for an old attack that has not yet been adapted, please open an issue.

foolbox - Version 2.0.0rc0

Published by jonasrauber about 5 years ago

foolbox - Version 2.0.0b0

Published by jonasrauber over 5 years ago

Batch-support is finally here!

See #316 for details until we have updated the documentation. Right now it's still limited to a few attacks, but feel free to open an issue for any attack that you need. It's easy to extend to new attacks, we just haven't done it yet and will prioritize based on requests.

foolbox - Version 1.8.0

Published by jonasrauber almost 6 years ago

Foolbox Model Zoo

Foolbox now has an easy way to load models or defenses from Git repos: https://foolbox.readthedocs.io/en/latest/user/zoo.html

foolbox - Version 1.7.0

Published by jonasrauber almost 6 years ago

New Features

Bug Fixes

  • Foolbox now uses its own random number generators to be independent of seeds set inside models.

foolbox - Version 1.6.2

Published by jonasrauber about 6 years ago

added missing backward() support to the CompositeModel model wrapper

foolbox - Version 1.6.1

Published by jonasrauber about 6 years ago

The foolbox.models.TensorFlowModel.from_keras constructor now automatically uses the session used by tf.keras instead of TensorFlow's default session.

foolbox - Version 1.6.0

Published by jonasrauber about 6 years ago

New features

foolbox - Version 1.5.0

Published by jonasrauber about 6 years ago

New features

  • all Foolbox attacks now support early stopping when reaching a certain perturbation size
    • just pass a threshold to the attack or Adversarial instance during initialization
  • the distance metric can now be passed to the attack during initialization (no need to manually create an Adversarial instance anymore)

foolbox - Version 1.4.0

Published by jonasrauber about 6 years ago

  • The Adversarial class now remembers the model output for the best adversarial so far. For deterministic models this is the same as fmodel.predictions(adversarial.image), but it can be useful for non-deterministic models. Note that very close to the decision boundary even otherwise deterministic models can become stochastic because of non-deterministic floating point operations such as reduce_sum. In addition to the new output attribute, there is also a new adversarial_class attribute for convenience; it just takes the argmax of the output.
  • new ADefAttack thanks to @EvgeniaAR
  • new NewtonFoolAttack thanks to @bveliqi
  • new FAQ section in the docs: https://foolbox.readthedocs.io/en/latest/user/faq.html
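The floating-point effect mentioned in the 1.4.0 notes, shown as an added example that is not Foolbox code: changing only the order in which a sum is accumulated flips the predicted class of an input near the decision boundary. The two-class linear model, its weights, the inputs and all function names are constructed for illustration, with magnitudes exaggerated so the rounding shows up in float64.

```python
import math
from itertools import permutations

# Constructed two-class linear model. Magnitudes are exaggerated so that
# rounding is visible in float64; real models hit the same effect at
# float32 scale when a reduction changes its order between runs.
W = [
    [1e16, 1.0, -1e16],   # class 0: exact score on X_BOUNDARY is 1.0
    [0.0, 0.5, 0.0],      # class 1: exact score on X_BOUNDARY is 0.5
]
X_BOUNDARY = [1.0, 1.0, 1.0]   # constructed input whose class depends on summation order
X_STABLE = [0.0, 1.0, 0.0]     # constructed input that is order independent


def scores(weights, x, order):
    """Class scores with each dot product accumulated in the given index order."""
    out = []
    for row in weights:
        total = 0.0
        for i in order:
            total += row[i] * x[i]
        out.append(total)
    return out


def predict(weights, x, order):
    """Argmax of the scores for one particular accumulation order."""
    s = scores(weights, x, order)
    return max(range(len(s)), key=s.__getitem__)


def reachable_classes(weights, x):
    """Every class the model can report when only the reduction order changes."""
    return {predict(weights, x, order) for order in permutations(range(len(x)))}


def predict_exact(weights, x):
    """Reference prediction using math.fsum, which is independent of order."""
    s = [math.fsum(w * v for w, v in zip(row, x)) for row in weights]
    return max(range(len(s)), key=s.__getitem__)


if __name__ == "__main__":
    print(reachable_classes(W, X_BOUNDARY))   # more than one class
    print(reachable_classes(W, X_STABLE))     # a single class
    print(predict_exact(W, X_BOUNDARY))
```

When `reachable_classes` returns more than one class, recomputing the prediction is not a reliable check of an earlier result, so the output recorded at evaluation time is the value to keep.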
foolbox - Version 1.3.2

Published by jonasrauber about 6 years ago

Fixed assertions that prevented custom preprocessing functions from changing the shape of the input (see #187).

foolbox - Version 1.3.1

Published by jonasrauber over 6 years ago

New Features

  • added the EvolutionaryStrategiesGradientEstimator as an alternative to the CoordinateWiseGradientEstimator introduced in 1.3.0 (thanks to @lukas-schott)

foolbox - Version 1.3.0

Published by jonasrauber over 6 years ago

Highlights

  • added support for arbitrary preprocessing functions with custom gradients (e.g. input binarization with a straight-through approximation in the backward pass)
  • added the ModelWithEstimatedGradients model wrapper to replace a model's gradients with gradients estimated by an arbitrary gradient estimator
  • added the CoordinateWiseGradientEstimator and an easy template to implement custom gradient estimators
  • added the BinarizationRefinementAttack that uses information about a model's input binarization to refine adversarials found by other attacks
  • added the ConfidentMisclassification criterion

Other improvements

  • added a binarize function in utils to provide a consistent way to specify input binarization as part of the preprocessing
  • added batch_crossentropy in utils
  • added preprocessing support to LasagneModel
  • renamed the GradientLess model wrapper to ModelWithoutGradients
  • bug fixes
  • improved documentation and fixed typos

foolbox - Version 1.2.0

Published by jonasrauber over 6 years ago

Highlights

Other improvements

  • official PyTorch example in the docs
  • bug fixes
  • updated tests to use newer versions of the different frameworks
  • improved documentation and fixed typos

foolbox - Version 1.1.0

Published by jonasrauber over 6 years ago

  • added the PointwiseAttack (supersedes the ResetAttack)
  • attacks now provide the full function signature of their __call__ method as well as parameter documentation
  • added additional checks for correctness of the returned adversarials even when attacks misbehave
  • replaced the randomstate package with the randomgen package
  • bug fixes and improvements

foolbox - Version 1.0.0

Published by jonasrauber over 6 years ago

Improved the documentation and the availability of useful function signatures. Attack parameters are now fully documented, like everything else, and this documentation is directly accessible within Jupyter / IPython and IDEs.

foolbox - Version 0.15.0

Published by jonasrauber over 6 years ago

  • fixed CompositeModel and added it to docs
  • added L0 and Linfinity (Linf) distance measures
  • added DeepFoolLinfinityAttack
  • renamed DeepFoolAttack to DeepFoolL2Attack
  • new DeepFoolAttack now chooses norm to optimize based on the employed distance measure (alternatively, p=2 or p=np.inf can be passed)
  • fixed integer overflows caused by numpy
  • improved tests

foolbox - Version 0.14.0

Published by jonasrauber over 6 years ago

Fixed a numeric issue when attacking Keras models that provide probability outputs (instead of logits) using a gradient-based attack.

foolbox - Version 0.13.0

Published by jonasrauber over 6 years ago

Fixed package dependency issues.

foolbox - Version 0.12.4

Published by jonasrauber over 6 years ago

  • Improved GradientAttack and GradientSignAttack (FGSM) to handle smaller epsilons
  • fixed Pillow imports
  • improved README rendering on PyPI
  • other minor changes