Fixes

Signed-off-by: Kevin Eykholt <[email protected]>

Author: keykholt

art/attacks/poisoning/__init__.py

@@ -7,3 +7,6 @@
 from art.attacks.poisoning.adversarial_embedding_attack import PoisoningAttackAdversarialEmbedding
 from art.attacks.poisoning.clean_label_backdoor_attack import PoisoningAttackCleanLabelBackdoor
 from art.attacks.poisoning.bullseye_polytope_attack import BullseyePolytopeAttackPyTorch
+from art.attacks.poisoning.hidden_trigger_backdoor.hidden_trigger_backdoor import HiddenTriggerBackdoor
+from art.attacks.poisoning.hidden_trigger_backdoor.hidden_trigger_backdoor_pytorch import HiddenTriggerBackdoorPyTorch
+from art.attacks.poisoning.hidden_trigger_backdoor.hidden_trigger_backdoor_keras import HiddenTriggerBackdoorKeras

art/attacks/poisoning/hidden_trigger_backdoor/__init__.py

@@ -1,3 +0,0 @@
-from art.attacks.poisoning.hidden_trigger_backdoor.hidden_trigger_backdoor import HiddenTriggerBackdoor
-from art.attacks.poisoning.hidden_trigger_backdoor.hidden_trigger_backdoor_pytorch import HiddenTriggerBackdoorPyTorch
-from art.attacks.poisoning.hidden_trigger_backdoor.hidden_trigger_backdoor_keras import HiddenTriggerBackdoorKeras

art/attacks/poisoning/hidden_trigger_backdoor/hidden_trigger_backdoor.py

@@ -195,7 +195,7 @@ def _check_params(self) -> None:
             raise ValueError("Learning rate must be strictly positive")
 
         if not isinstance(self.backdoor, PoisoningAttackBackdoor):
-            raise ValueError("Backdoor must be of type PoisoningAttackBackdoor")
+            raise TypeError("Backdoor must be of type PoisoningAttackBackdoor")
 
         if self.eps < 0:
             raise ValueError("The perturbation size `eps` has to be non-negative.")

art/attacks/poisoning/hidden_trigger_backdoor/hidden_trigger_backdoor_keras.py

@@ -25,22 +25,22 @@
 from typing import List, Optional, Tuple, Union, TYPE_CHECKING
 
 import numpy as np
+import tensorflow as tf
 from scipy.spatial import distance
 from tqdm.auto import trange
 
 from art.attacks.attack import PoisoningAttackWhiteBox
 from art.attacks.poisoning.backdoor_attack import PoisoningAttackBackdoor
 from art.estimators import BaseEstimator, NeuralNetworkMixin
 from art.estimators.classification.classifier import ClassifierMixin
-from art.estimators.classification.keras import KerasClassifier
 
 if TYPE_CHECKING:
-    from art.utils import CLASSIFIER_NEURALNETWORK_TYPE
+    from art.estimators.classification.keras import KerasClassifier
 
 logger = logging.getLogger(__name__)
 
 
-class LossMeter():
+class LossMeter:
     """
     Computes and stores the average and current loss value
     """
@@ -82,7 +82,7 @@ class HiddenTriggerBackdoorKeras(PoisoningAttackWhiteBox):
 
     attack_params = PoisoningAttackWhiteBox.attack_params + ["target"]
 
-    _estimator_requirements = (BaseEstimator, NeuralNetworkMixin, ClassifierMixin, KerasClassifier)
+    _estimator_requirements = (BaseEstimator, NeuralNetworkMixin, ClassifierMixin)
 
     def __init__(
         self,
@@ -202,10 +202,10 @@ def poison(  # pylint: disable=W0221
                     "There must be at least as many images with the source label as the target. Maybe try reducing poison_percent or providing fewer target indices"
                 )
 
-        logger.info("Number of poison inputs: %d", num_poison_img)
-        logger.info("Number of trigger inputs: %d", num_trigger_img)
+        logger.info("Number of poison inputs: %d", num_poison)
+        logger.info("Number of trigger inputs: %d", num_trigger)
 
-        batches = int(np.ceil(num_poison_img / float(self.batch_size)))
+        batches = int(np.ceil(num_poison / float(self.batch_size)))
 
         losses = LossMeter()
         final_poison = np.copy(data[poison_indices])
@@ -236,22 +236,22 @@ def poison(  # pylint: disable=W0221
                     trigger_samples, self.feature_layer, 1, framework=True
                 )
 
-                attack_loss = tf.norm(poison_features-trigger_features, ord=2)
+                attack_loss = tf.norm(poison_features - trigger_features, ord=2)
 
             trigger_features = self.estimator.get_activations(trigger_samples, self.feature_layer, 1)
 
             for i in range(self.max_iter):
                 learning_rate = self.learning_rate * (self.decay_coeff ** (i // self.decay_iter))
 
-                poison_features = self.estimator.get_activations(poison_samples + poison, self.feature_layer, 1)
+                poison_features = self.estimator.get_activations(poison_samples, self.feature_layer, 1)
 
                 # Compute distance between features and match samples
                 # We are swapping the samples and the features unlike in the original implementation because
                 # we are computing the loss gradient using ART, which needs the inputs rather than the features
                 trigger_samples_copy = np.copy(trigger_samples)
                 trigger_features_copy = np.copy(trigger_features)  # Assuming this is numpy array
                 dist = distance.cdist(trigger_features, poison_features)
-                for _ in range(len(source_features)):
+                for _ in range(len(trigger_features)):
                     min_index = np.squeeze((dist == np.min(dist)).nonzero())
                     trigger_samples[min_index[1]] = trigger_samples_copy[min_index[0]]
                     trigger_features[min_index[1]] = trigger_features_copy[min_index[0]]
@@ -260,7 +260,7 @@ def poison(  # pylint: disable=W0221
                 loss = np.linalg.norm(trigger_features - poison_features)
                 print(loss)
                 losses.update(loss, len(trigger_samples))
-                
+
                 (attack_grad,) = self.estimator.custom_loss_gradient(
                     attack_loss,
                     [poison_placeholder, trigger_placeholder],

art/attacks/poisoning/hidden_trigger_backdoor/hidden_trigger_backdoor_pytorch.py

@@ -24,22 +24,21 @@
 from typing import List, Optional, Tuple, Union, TYPE_CHECKING
 
 import numpy as np
-import torch
 from tqdm.auto import trange
 
 from art.attacks.attack import PoisoningAttackWhiteBox
 from art.attacks.poisoning.backdoor_attack import PoisoningAttackBackdoor
 from art.estimators import BaseEstimator, NeuralNetworkMixin
 from art.estimators.classification.classifier import ClassifierMixin
-from art.estimators.classification.pytorch import PyTorchClassifier
 
 if TYPE_CHECKING:
-    from art.utils import CLASSIFIER_NEURALNETWORK_TYPE
+    # pylint: disable=C0412
+    from art.estimators.classification.pytorch import PyTorchClassifier
 
 logger = logging.getLogger(__name__)
 
 
-class LossMeter():
+class LossMeter:
     """
     Computes and stores the average and current loss value
     """
@@ -120,7 +119,7 @@ def __init__(
         :param batch_size: The number of samples to draw per batch.
         :param poison_percent: The percentage of the data to poison. This is ignored if indices are provided
                                for the source parameter
-        :param is_index: If true, the source and target params are assumed to represent indices rather than a class label. 
+        :param is_index: If true, the source and target params are assumed to represent indices rather than a class label.
                          poison_percent is ignored if true
         :param verbose: Show progress bars.
         """
@@ -151,6 +150,7 @@ def poison(  # pylint: disable=W0221
         :param y: The labels of the provided samples. If none, we will use the classifier to label the data.
         :return: An tuple holding the `(poisoning_examples, poisoning_labels)`.
         """
+        import torch  # lgtm [py/repeated-import]
 
         data = np.copy(x)
         estimated_labels = self.classifier.predict(data) if y is None else np.copy(y)

art/estimators/classification/pytorch.py

@@ -351,8 +351,14 @@ def _predict_framework(self, x: "torch.Tensor") -> "torch.Tensor":
 
         return output
 
-    def fit(
-        self, x: np.ndarray, y: np.ndarray, batch_size: int = 128, nb_epochs: int = 10, train=True, **kwargs
+    def fit(  # pylint: disable=W0221
+        self,
+        x: np.ndarray,
+        y: np.ndarray,
+        batch_size: int = 128,
+        nb_epochs: int = 10,
+        training_mode: bool = True,
+        **kwargs
     ) -> None:
         """
         Fit the classifier on the training set `(x, y)`.
@@ -362,17 +368,14 @@ def fit(
                   shape (nb_samples,).
         :param batch_size: Size of batches.
         :param nb_epochs: Number of epochs to use for training.
-        :param train: Boolean indiciating if the model should be set to training model
+        :param training_mode: `True` for model set to training mode and `'False` for model set to evaluation mode.
         :param kwargs: Dictionary of framework-specific arguments. This parameter is not currently supported for PyTorch
                and providing it takes no effect.
         """
         import torch  # lgtm [py/repeated-import]
 
-        # Put the model in the training mode
-        if train:
-            self._model.train()
-        else:
-            self._model.eval()
+        # Set model mode
+        self._model.train(mode=training_mode)
 
         if self._optimizer is None:  # pragma: no cover
             raise ValueError("An optimizer is needed to train the model, but none for provided.")

notebooks/art-for-tensorflow-v2-keras.ipynb

@@ -388,9 +388,9 @@
  ],
  "metadata": {
   "kernelspec": {
-   "display_name": "py37_tf220",
+   "display_name": "Python 3 (ipykernel)",
    "language": "python",
-   "name": "py37_tf220"
+   "name": "python3"
   },
   "language_info": {
    "codemirror_mode": {
@@ -402,7 +402,7 @@
    "name": "python",
    "nbconvert_exporter": "python",
    "pygments_lexer": "ipython3",
-   "version": "3.7.6"
+   "version": "3.9.7"
   }
  },
  "nbformat": 4,

notebooks/poisoning_attack_backdoor_image.ipynb

@@ -277,7 +277,7 @@
  ],
  "metadata": {
   "kernelspec": {
-   "display_name": "Python 3",
+   "display_name": "Python 3 (ipykernel)",
    "language": "python",
    "name": "python3"
   },
@@ -291,7 +291,7 @@
    "name": "python",
    "nbconvert_exporter": "python",
    "pygments_lexer": "ipython3",
-   "version": "3.6.10"
+   "version": "3.9.7"
   }
  },
  "nbformat": 4,