Fix several minor typos in some notebooks and an example

jamestiotio · jamestiotio · commit 20c95db4c3b0 · 2022-02-21T20:43:06.000+08:00
Signed-off-by: James Raphael Tiovalen &lt;james_raphael@mymail.sutd.edu.sg&gt;
Signed-off-by: James R T &lt;jamestiotio@gmail.com&gt;
diff --git a/examples/inverse_gan_author_utils.py b/examples/inverse_gan_author_utils.py
@@ -274,7 +274,7 @@ class Dataset(object):
     """
 
     def __init__(self, name, data_dir=path_locations["data"]):
-        """The datasaet default constructor.
+        """The dataset default constructor.
 
         Args:
             name: A string, name of the dataset.
@@ -959,7 +959,7 @@ def __init__(
         verbose=True,
         **args
     ):
-        self.dataset_name = None  # Name of the datsaet.
+        self.dataset_name = None  # Name of the dataset.
         self.batch_size = 32  # Batch size for training the GAN.
         self.use_bn = True  # Use batchnorm in the discriminator and generator.
         self.use_resblock = False  # Use resblocks in DefenseGAN.
@@ -1045,7 +1045,7 @@ def _load_dataset(self):
     def _build(self):
         """Builds the computation graph."""
 
-        assert (self.batch_size % self.rec_rr) == 0, "Batch size should be divisable by random restart"
+        assert (self.batch_size % self.rec_rr) == 0, "Batch size should be divisible by random restart"
 
         self.discriminator_training = tf.placeholder(tf.bool)
         self.encoder_training = tf.placeholder(tf.bool)
@@ -1525,7 +1525,7 @@ def __init__(self, batch_size):
         # original self.init_opt = tf.variables_initializer(var_list=[modifier] + new_vars)
         self.init_opt = tf.variables_initializer(var_list=[] + new_vars)
 
-        print("Reconstruction module initialzied...\n")
+        print("Reconstruction module initialized...\n")
 
     def generate_z_extrapolated_k(self):
         x_shape = [28, 28, 1]
@@ -1894,7 +1894,7 @@ def spectral_norm(w, num_iters=1, update_collection=None):
 
 
 ##################################################################################
-# Residual Blockes
+# Residual Blocks
 ##################################################################################
 
 
diff --git a/notebooks/adaptive_defence_evaluations/evaluation_12_EMPIR.ipynb b/notebooks/adaptive_defence_evaluations/evaluation_12_EMPIR.ipynb
@@ -172,7 +172,7 @@
    "metadata": {},
    "outputs": [],
    "source": [
-    "# Create placegolders\n",
+    "# Create placeholders\n",
     "x = tf.placeholder(tf.float32, shape=(None, img_rows, img_cols, channels))\n",
     "y = tf.placeholder(tf.float32, shape=(None, 10))\n",
     "phase = tf.placeholder(tf.bool, name=\"phase\")\n",
@@ -560,7 +560,7 @@
     }
    ],
    "source": [
-    "# Get accuracy on benging test samples for each model separately\n",
+    "# Get accuracy on benign test samples for each model separately\n",
     "\n",
     "accuracy_test_benign_1 = get_accuracy(X=X_test, Y=Y_test, batch_size=batch_size, predictions=preds_prob_1)\n",
     "print('Model 1 - Accuracy on benign test samples: {0:.2f}%.'.format(accuracy_test_benign_1 * 100))\n",
diff --git a/notebooks/adversarial_training_mnist.ipynb b/notebooks/adversarial_training_mnist.ipynb
@@ -312,7 +312,7 @@
    "metadata": {},
    "outputs": [],
    "source": [
-    "# We had performed this before, starting with a randomly intialized model.\n",
+    "# We had performed this before, starting with a randomly initialized model.\n",
     "# Adversarial training takes about 80 minutes on an NVIDIA V100.\n",
     "# The resulting model is the one loaded from mnist_cnn_robust.h5 above.\n",
     "\n",
diff --git a/notebooks/attack_database_reconstruction.ipynb b/notebooks/attack_database_reconstruction.ipynb
@@ -29,7 +29,7 @@
     "\n",
     "In this example, we train a Gaussian Naive Bayes classifier (`model`) with the training dataset, then remove a single row from that dataset, and seek to reconstruct that row using `model`. For typical examples, this attack is successful up to machine precision.\n",
     "\n",
-    "We then show that launching the same attack on a ML model trained with differential privacy guarantees provides protection for the traning dataset, and prevents learning the target row with precision."
+    "We then show that launching the same attack on a ML model trained with differential privacy guarantees provides protection for the training dataset, and prevents learning the target row with precision."
    ]
   },
   {
@@ -228,7 +228,7 @@
    "cell_type": "markdown",
    "metadata": {},
    "source": [
-    "We can mitigate against this attack by training the public ML model with differential privacy.  We will use [diffprivlib](https://github.com/Trusted-AI/differential-privacy-library) to train a differentially private Guassian naive Bayes classifier. We can mitigate against any loss in accuracy of the model by choosing an `epsilon` value appropriate to our needs."
+    "We can mitigate against this attack by training the public ML model with differential privacy.  We will use [diffprivlib](https://github.com/Trusted-AI/differential-privacy-library) to train a differentially private Gaussian naive Bayes classifier. We can mitigate against any loss in accuracy of the model by choosing an `epsilon` value appropriate to our needs."
    ]
   },
   {
diff --git a/notebooks/attack_defence_imagenet.ipynb b/notebooks/attack_defence_imagenet.ipynb
@@ -1663,7 +1663,7 @@
     }
    ],
    "source": [
-    "# Initalize the SpatialSmoothing defence. \n",
+    "# Initialize the SpatialSmoothing defence. \n",
     "ss = SpatialSmoothing(window_size=3)\n",
     "\n",
     "# Apply the defence to the original input and to the adversarial sample, respectively:\n",
diff --git a/notebooks/attack_laser.ipynb b/notebooks/attack_laser.ipynb
@@ -10,7 +10,7 @@
     "[paper](https://openaccess.thecvf.com/content/CVPR2021/papers/Duan_Adversarial_Laser_Beam_Effective_Physical-World_Attack_to_DNNs_in_a_CVPR_2021_paper.pdf) is based on the following idea. \n",
     "Image of the laser beam is generated and then added to the attacked image. \n",
     "Laser beam is described by four parameters: wavelength(nanometers), angle(rad), bias(px) and width(px). \n",
-    "During the attack those parameters are optimised in order to achievie prediction change. \n"
+    "During the attack those parameters are optimised in order to achieve prediction change. \n"
    ]
   },
   {
@@ -89,7 +89,7 @@
    "cell_type": "markdown",
    "metadata": {},
    "source": [
-    "### Image of random laser beam based on prevoius parameters"
+    "### Image of random laser beam based on previous parameters"
    ]
   },
   {
diff --git a/notebooks/attack_membership_inference.ipynb b/notebooks/attack_membership_inference.ipynb
@@ -237,7 +237,7 @@
    "cell_type": "markdown",
    "metadata": {},
    "source": [
-    "Acheives much better results than the rule-based attack."
+    "Achieves much better results than the rule-based attack."
    ]
   },
   {
@@ -462,7 +462,7 @@
    "cell_type": "markdown",
    "metadata": {},
    "source": [
-    "For the pytorch target model we were able to acheive slightly better than random attack performance, but not as good as for the random forest model."
+    "For the pytorch target model we were able to achieve slightly better than random attack performance, but not as good as for the random forest model."
    ]
   }
  ],
diff --git a/notebooks/attack_membership_inference_shadow_models.ipynb b/notebooks/attack_membership_inference_shadow_models.ipynb
@@ -32,7 +32,7 @@
    "cell_type": "markdown",
    "metadata": {},
    "source": [
-    "The data is seperated, 25% will go towards and training and testing the target model, 75% of data will be used as shadow training data."
+    "The data is separated, 25% will go towards and training and testing the target model, 75% of data will be used as shadow training data."
    ]
   },
   {
diff --git a/notebooks/classifier_blackbox_lookup_table.ipynb b/notebooks/classifier_blackbox_lookup_table.ipynb
@@ -168,7 +168,7 @@
    "cell_type": "markdown",
    "metadata": {},
    "source": [
-    "### Create a black-box classifier based on exisiting predictions"
+    "### Create a black-box classifier based on existing predictions"
    ]
   },
   {
diff --git a/notebooks/classifier_gpy_gaussian_process.ipynb b/notebooks/classifier_gpy_gaussian_process.ipynb
@@ -76,7 +76,7 @@
     "#get the model\n",
     "m = GPy.models.GPClassification(X, y.reshape(-1,1), kernel=gpkern)\n",
     "m.rbf.lengthscale.fix(0.4)\n",
-    "#determining the infernce method\n",
+    "#determining the inference method\n",
     "m.inference_method = GPy.inference.latent_function_inference.laplace.Laplace()\n",
     "#now train the model\n",
     "m.optimize(messages=True, optimizer='lbfgs')\n",
@@ -98,7 +98,7 @@
     "### Confidence optimized adversarial examples\n",
     "We craft adversarial examples which are optimized for confidence. We plot the initial seeds for the adversarial examples in green and the resulting adversarial examples in black, and connect the initial and final points using a straight line (which is not equivalent to the path the optimization took).\n",
     "\n",
-    "We observe that some examples are not moving towards the other class, but instead seem to move randomly away from the data. This stems from the problem that the Gaussian Processes' gradients point away from the data in all directions, and might lead the attack far away from the actauly boundary."
+    "We observe that some examples are not moving towards the other class, but instead seem to move randomly away from the data. This stems from the problem that the Gaussian Processes' gradients point away from the data in all directions, and might lead the attack far away from the actual boundary."
    ]
   },
   {
@@ -143,7 +143,7 @@
    "metadata": {},
    "source": [
     "### Uncertainty optimized adversarial examples\n",
-    "We can additionally optimize for uncetainty by setting unc_increase to 0.9, thereby forcing the adversarial examples to be closer to the original training data."
+    "We can additionally optimize for uncertainty by setting unc_increase to 0.9, thereby forcing the adversarial examples to be closer to the original training data."
    ]
   },
   {
@@ -188,8 +188,8 @@
    "cell_type": "markdown",
    "metadata": {},
    "source": [
-    "### PGD on Guassian process classification\n",
-    "To conclude, we show how to compute PGD adversarial exmples on our model. We observe that as before, many attempts fail, as the model misleads the attack to take a wrong path away from the boundary. In this case, examples are classified as default: either of the two classes."
+    "### PGD on Gaussian process classification\n",
+    "To conclude, we show how to compute PGD adversarial examples on our model. We observe that as before, many attempts fail, as the model misleads the attack to take a wrong path away from the boundary. In this case, examples are classified as default: either of the two classes."
    ]
   },
   {
diff --git a/notebooks/classifier_scikitlearn_AdaBoostClassifier.ipynb b/notebooks/classifier_scikitlearn_AdaBoostClassifier.ipynb
@@ -46,7 +46,7 @@
     "    model = AdaBoostClassifier()\n",
     "    model.fit(X=x_train, y=y_train)\n",
     "\n",
-    "    # Create ART classfier for scikit-learn AdaBoostClassifier\n",
+    "    # Create ART classifier for scikit-learn AdaBoostClassifier\n",
     "    art_classifier = SklearnClassifier(model=model)\n",
     "\n",
     "    # Create ART Zeroth Order Optimization attack\n",
diff --git a/notebooks/classifier_scikitlearn_RandomForestClassifier.ipynb b/notebooks/classifier_scikitlearn_RandomForestClassifier.ipynb
@@ -46,7 +46,7 @@
     "    model = RandomForestClassifier()\n",
     "    model.fit(X=x_train, y=y_train)\n",
     "\n",
-    "    # Create ART classfier for scikit-learn RandomForestClassifier\n",
+    "    # Create ART classifier for scikit-learn RandomForestClassifier\n",
     "    art_classifier = SklearnClassifier(model=model)\n",
     "\n",
     "    # Create ART Zeroth Order Optimization attack\n",
diff --git a/notebooks/classifier_scikitlearn_SVC_LinearSVC.ipynb b/notebooks/classifier_scikitlearn_SVC_LinearSVC.ipynb
@@ -53,7 +53,7 @@
     "                    decision_function_shape='ovr', random_state=None)\n",
     "    model.fit(X=x_train, y=y_train)\n",
     "\n",
-    "    #  Create ART classfier for scikit-learn SVC\n",
+    "    #  Create ART classifier for scikit-learn SVC\n",
     "    art_classifier = SklearnClassifier(model=model, clip_values=(0, 10))\n",
     "\n",
     "    # Create ART attack\n",
diff --git a/notebooks/classifier_scikitlearn_pipeline_pca_cv_svc.ipynb b/notebooks/classifier_scikitlearn_pipeline_pca_cv_svc.ipynb
@@ -11,7 +11,7 @@
    "cell_type": "markdown",
    "metadata": {},
    "source": [
-    "This notebook contains an example of generating adversarial samples using a black-box attack against a scikit-learn pipeline consisting of principal component analysis (PCA) and a support vector machine classifier (SVC), but any other valid pipeline would work too. The pipeline is first optimised using grid search with cross validation. The adversarial samples are created with black-box `HopSkipJump` attack. The training data is MNIST, becasue of its intuitive visualisation, but any other dataset including tabular data would be suitable too."
+    "This notebook contains an example of generating adversarial samples using a black-box attack against a scikit-learn pipeline consisting of principal component analysis (PCA) and a support vector machine classifier (SVC), but any other valid pipeline would work too. The pipeline is first optimised using grid search with cross validation. The adversarial samples are created with black-box `HopSkipJump` attack. The training data is MNIST, because of its intuitive visualisation, but any other dataset including tabular data would be suitable too."
    ]
   },
   {
diff --git a/notebooks/expectation_over_transformation_classification_rotation.ipynb b/notebooks/expectation_over_transformation_classification_rotation.ipynb
@@ -343,7 +343,7 @@
    "cell_type": "markdown",
    "metadata": {},
    "source": [
-    "To make the adversarial example robust against rotation we apply Expectation over Transformation (EoT) sampling using ART's `art.preprocessing.expectation_over_transformation.EoTImageRotationTensorFlow` tool. The instance `eot_rotation` will draw `eot_samples` samples and roate each with a differen random angle in each evaluation of the classifier model, including predictions and loss gradient calculations."
+    "To make the adversarial example robust against rotation we apply Expectation over Transformation (EoT) sampling using ART's `art.preprocessing.expectation_over_transformation.EoTImageRotationTensorFlow` tool. The instance `eot_rotation` will draw `eot_samples` samples and rotate each with a different random angle in each evaluation of the classifier model, including predictions and loss gradient calculations."
    ]
   },
   {
@@ -410,7 +410,7 @@
    "cell_type": "markdown",
    "metadata": {},
    "source": [
-    "Applying EoT sampling of rotations to the classifier used by the attack generates adversarial examples that are robust against rotations. The plots below show that the adversarial exmaple created in the previous section remains adversarial with high confidence for a large variety of rotation angles (red bars). The evaluation was done with predictions of the ART classifier without EoT, but the same classifier model, created first above, to not add additional rotation to the evaluated input."
+    "Applying EoT sampling of rotations to the classifier used by the attack generates adversarial examples that are robust against rotations. The plots below show that the adversarial example created in the previous section remains adversarial with high confidence for a large variety of rotation angles (red bars). The evaluation was done with predictions of the ART classifier without EoT, but the same classifier model, created first above, to not add additional rotation to the evaluated input."
    ]
   },
   {
diff --git a/notebooks/imperceptible_attack_on_tabular_data.ipynb b/notebooks/imperceptible_attack_on_tabular_data.ipynb
@@ -853,7 +853,7 @@
      "output_type": "stream",
      "text": [
       "Test set size: 114\n",
-      "Succes rate:   100.00%\n"
+      "Success rate:  100.00%\n"
      ]
     }
    ],
@@ -864,7 +864,7 @@
     "    y_valid_cancer.apply(lambda x: np.random.choice([i for i in range(n_classes) if i != x]))\n",
     ")]\n",
     "\n",
-    "# Generate adverasies\n",
+    "# Generate adversaries\n",
     "adversaries = lpf_svc.generate(x=X_valid_cancer, y=targets)\n",
     "\n",
     "# Check the success rate\n",
@@ -874,7 +874,7 @@
     "correct = (expected == predicted)\n",
     "success_rate = np.sum(correct) / correct.shape[0]\n",
     "print(\"Test set size: {}\".format(targets.shape[0]))\n",
-    "print(\"Succes rate:   {:.2f}%\".format(100*success_rate))"
+    "print(\"Success rate:  {:.2f}%\".format(100*success_rate))"
    ]
   },
   {
@@ -1092,7 +1092,7 @@
     "    correct = (expected == predicted)\n",
     "    \n",
     "    success_rate = np.sum(correct) / correct.shape[0]\n",
-    "    print(\"Succes rate: {:.2f}%\".format(100*success_rate))\n",
+    "    print(\"Success rate: {:.2f}%\".format(100*success_rate))\n",
     "    \n",
     "    return adversaries"
    ]
@@ -1113,12 +1113,12 @@
      "name": "stdout",
      "output_type": "stream",
      "text": [
-      "Succes rate: 100.00%\n"
+      "Success rate: 100.00%\n"
      ]
     }
    ],
    "source": [
-    "# Wrapping classifier into appropiate ART-friendly wrapper\n",
+    "# Wrapping classifier into appropriate ART-friendly wrapper\n",
     "logistic_regression_iris_wrapper = ScikitlearnLogisticRegression(\n",
     "    model       = log_regression_clf_iris, \n",
     "    clip_values = scaled_clip_values_iris\n",
@@ -1251,12 +1251,12 @@
      "name": "stdout",
      "output_type": "stream",
      "text": [
-      "Succes rate: 100.00%\n"
+      "Success rate: 100.00%\n"
      ]
     }
    ],
    "source": [
-    "# Wrapping classifier into appropiate ART-friendly wrapper\n",
+    "# Wrapping classifier into appropriate ART-friendly wrapper\n",
     "logistic_regression_cancer_wrapper = ScikitlearnLogisticRegression(\n",
     "    model       = log_regression_clf_cancer, \n",
     "    clip_values = scaled_clip_values_cancer\n",
@@ -1382,7 +1382,7 @@
     "    correct = (expected == predicted)\n",
     "    \n",
     "    success_rate = np.sum(correct) / correct.shape[0]\n",
-    "    print(\"Succes rate: {:.2f}%\".format(100*success_rate))\n",
+    "    print(\"Success rate: {:.2f}%\".format(100*success_rate))\n",
     "    \n",
     "    return adversaries"
    ]
@@ -1403,12 +1403,12 @@
      "name": "stdout",
      "output_type": "stream",
      "text": [
-      "Succes rate: 100.00%\n"
+      "Success rate: 100.00%\n"
      ]
     }
    ],
    "source": [
-    "# Wrapping classifier into appropiate ART-friendly wrapper\n",
+    "# Wrapping classifier into appropriate ART-friendly wrapper\n",
     "# (in this case it is PyTorch NN classifier wrapper from ART)\n",
     "neural_network_iris_wrapper = PyTorchClassifier(\n",
     "    model       = nn_model_iris, \n",
@@ -1516,12 +1516,12 @@
      "name": "stdout",
      "output_type": "stream",
      "text": [
-      "Succes rate: 97.37%\n"
+      "Success rate: 97.37%\n"
      ]
     }
    ],
    "source": [
-    "# Wrapping classifier into appropiate ART-friendly wrapper\n",
+    "# Wrapping classifier into appropriate ART-friendly wrapper\n",
     "# (in this case it is PyTorch NN classifier wrapper from ART)\n",
     "neural_network_cancer_wrapper = PyTorchClassifier(\n",
     "    model       = nn_model_cancer, \n",
diff --git a/notebooks/label_only_membership_inference.ipynb b/notebooks/label_only_membership_inference.ipynb
@@ -17,7 +17,7 @@
     "\n",
     "The basic intuition behind the attack is that samples used in training will be farther away from the decision boundary than non-training data.\n",
     "\n",
-    "The attacker uses various means of **perturbations** to measure the amount of noise that is needed to \"change the classifier's mind\" about their prediction for a given sample. Since the ML model is more confident on training data, the attacker will need to perturb the input more to force the model to misclassify. Thus, the amount of perturbation needed will be analogue to the sample's distance from the decision boundary. Both of the below listed attacks use an adversarial perturbation techique called [**HopSkipJump**](https://arxiv.org/abs/1904.02144).\n",
+    "The attacker uses various means of **perturbations** to measure the amount of noise that is needed to \"change the classifier's mind\" about their prediction for a given sample. Since the ML model is more confident on training data, the attacker will need to perturb the input more to force the model to misclassify. Thus, the amount of perturbation needed will be analogue to the sample's distance from the decision boundary. Both of the below listed attacks use an adversarial perturbation technique called [**HopSkipJump**](https://arxiv.org/abs/1904.02144).\n",
     "\n",
     "![title](img/label_only_boundary_intuition.png)\n",
     "\n",
@@ -268,7 +268,7 @@
    "metadata": {},
    "source": [
     "<a id='infer'></a>\n",
-    "### Infer membeship on evaluation data"
+    "### Infer membership on evaluation data"
    ]
   },
   {
@@ -415,7 +415,7 @@
    "metadata": {},
    "source": [
     "<a id='infer_nodata'></a>\n",
-    "### Infer membeship on evaluation data"
+    "### Infer membership on evaluation data"
    ]
   },
   {
@@ -440,7 +440,7 @@
     }
    ],
    "source": [
-    "pred_label_unsuperviseed = mia_label_only_unsupervised.infer(x_eval, y_eval)"
+    "pred_label_unsupervised = mia_label_only_unsupervised.infer(x_eval, y_eval)"
    ]
   },
   {
@@ -460,7 +460,7 @@
     }
    ],
    "source": [
-    "print(\"Accuracy: %f\" % accuracy_score(eval_label, pred_label_unsuperviseed))"
+    "print(\"Accuracy: %f\" % accuracy_score(eval_label, pred_label_unsupervised))"
    ]
   },
   {
diff --git a/notebooks/poisoning_attack_svm.ipynb b/notebooks/poisoning_attack_svm.ipynb
diff --git a/notebooks/poisoning_defense_deep_partition_aggregation.ipynb b/notebooks/poisoning_defense_deep_partition_aggregation.ipynb
diff --git a/notebooks/provenance_defence.ipynb b/notebooks/provenance_defence.ipynb

Original file line number	Diff line number	Diff line change
`@@ -29,7 +29,7 @@`
`29`	`29`	`"\n",`
`30`	`30`	"In this example, we train a Gaussian Naive Bayes classifier (`model`) with the training dataset, then remove a single row from that dataset, and seek to reconstruct that row using `model`. For typical examples, this attack is successful up to machine precision.\n",
`31`	`31`	`"\n",`
`32`		`- "We then show that launching the same attack on a ML model trained with differential privacy guarantees provides protection for the traning dataset, and prevents learning the target row with precision."`
	`32`	`+ "We then show that launching the same attack on a ML model trained with differential privacy guarantees provides protection for the training dataset, and prevents learning the target row with precision."`
`33`	`33`	`]`
`34`	`34`	`},`
`35`	`35`	`{`
`@@ -228,7 +228,7 @@`
`228`	`228`	`"cell_type": "markdown",`
`229`	`229`	`"metadata": {},`
`230`	`230`	`"source": [`
`231`		- "We can mitigate against this attack by training the public ML model with differential privacy. We will use [diffprivlib](https://github.com/Trusted-AI/differential-privacy-library) to train a differentially private Guassian naive Bayes classifier. We can mitigate against any loss in accuracy of the model by choosing an `epsilon` value appropriate to our needs."
	`231`	+ "We can mitigate against this attack by training the public ML model with differential privacy. We will use [diffprivlib](https://github.com/Trusted-AI/differential-privacy-library) to train a differentially private Gaussian naive Bayes classifier. We can mitigate against any loss in accuracy of the model by choosing an `epsilon` value appropriate to our needs."
`232`	`232`	`]`
`233`	`233`	`},`
`234`	`234`	`{`
Original file line number	Diff line number	Diff line change
`@@ -1663,7 +1663,7 @@`
`1663`	`1663`	`}`
`1664`	`1664`	`],`
`1665`	`1665`	`"source": [`
`1666`		`- "# Initalize the SpatialSmoothing defence. \n",`
	`1666`	`+ "# Initialize the SpatialSmoothing defence. \n",`
`1667`	`1667`	`"ss = SpatialSmoothing(window_size=3)\n",`
`1668`	`1668`	`"\n",`
`1669`	`1669`	`"# Apply the defence to the original input and to the adversarial sample, respectively:\n",`
Original file line number	Diff line number	Diff line change
`@@ -10,7 +10,7 @@`
`10`	`10`	`"[paper](https://openaccess.thecvf.com/content/CVPR2021/papers/Duan_Adversarial_Laser_Beam_Effective_Physical-World_Attack_to_DNNs_in_a_CVPR_2021_paper.pdf) is based on the following idea. \n",`
`11`	`11`	`"Image of the laser beam is generated and then added to the attacked image. \n",`
`12`	`12`	`"Laser beam is described by four parameters: wavelength(nanometers), angle(rad), bias(px) and width(px). \n",`
`13`		`- "During the attack those parameters are optimised in order to achievie prediction change. \n"`
	`13`	`+ "During the attack those parameters are optimised in order to achieve prediction change. \n"`
`14`	`14`	`]`
`15`	`15`	`},`
`16`	`16`	`{`
`@@ -89,7 +89,7 @@`
`89`	`89`	`"cell_type": "markdown",`
`90`	`90`	`"metadata": {},`
`91`	`91`	`"source": [`
`92`		`- "### Image of random laser beam based on prevoius parameters"`
	`92`	`+ "### Image of random laser beam based on previous parameters"`
`93`	`93`	`]`
`94`	`94`	`},`
`95`	`95`	`{`
Original file line number	Diff line number	Diff line change
`@@ -237,7 +237,7 @@`
`237`	`237`	`"cell_type": "markdown",`
`238`	`238`	`"metadata": {},`
`239`	`239`	`"source": [`
`240`		`- "Acheives much better results than the rule-based attack."`
	`240`	`+ "Achieves much better results than the rule-based attack."`
`241`	`241`	`]`
`242`	`242`	`},`
`243`	`243`	`{`
`@@ -462,7 +462,7 @@`
`462`	`462`	`"cell_type": "markdown",`
`463`	`463`	`"metadata": {},`
`464`	`464`	`"source": [`
`465`		`- "For the pytorch target model we were able to acheive slightly better than random attack performance, but not as good as for the random forest model."`
	`465`	`+ "For the pytorch target model we were able to achieve slightly better than random attack performance, but not as good as for the random forest model."`
`466`	`466`	`]`
`467`	`467`	`}`
`468`	`468`	`],`
Original file line number	Diff line number	Diff line change
`@@ -32,7 +32,7 @@`
`32`	`32`	`"cell_type": "markdown",`
`33`	`33`	`"metadata": {},`
`34`	`34`	`"source": [`
`35`		`- "The data is seperated, 25% will go towards and training and testing the target model, 75% of data will be used as shadow training data."`
	`35`	`+ "The data is separated, 25% will go towards and training and testing the target model, 75% of data will be used as shadow training data."`
`36`	`36`	`]`
`37`	`37`	`},`
`38`	`38`	`{`
Original file line number	Diff line number	Diff line change
`@@ -168,7 +168,7 @@`
`168`	`168`	`"cell_type": "markdown",`
`169`	`169`	`"metadata": {},`
`170`	`170`	`"source": [`
`171`		`- "### Create a black-box classifier based on exisiting predictions"`
	`171`	`+ "### Create a black-box classifier based on existing predictions"`
`172`	`172`	`]`
`173`	`173`	`},`
`174`	`174`	`{`
Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,7 @@`
`11`	`11`	`"cell_type": "markdown",`
`12`	`12`	`"metadata": {},`
`13`	`13`	`"source": [`
`14`		- "This notebook contains an example of generating adversarial samples using a black-box attack against a scikit-learn pipeline consisting of principal component analysis (PCA) and a support vector machine classifier (SVC), but any other valid pipeline would work too. The pipeline is first optimised using grid search with cross validation. The adversarial samples are created with black-box `HopSkipJump` attack. The training data is MNIST, becasue of its intuitive visualisation, but any other dataset including tabular data would be suitable too."
	`14`	+ "This notebook contains an example of generating adversarial samples using a black-box attack against a scikit-learn pipeline consisting of principal component analysis (PCA) and a support vector machine classifier (SVC), but any other valid pipeline would work too. The pipeline is first optimised using grid search with cross validation. The adversarial samples are created with black-box `HopSkipJump` attack. The training data is MNIST, because of its intuitive visualisation, but any other dataset including tabular data would be suitable too."
`15`	`15`	`]`
`16`	`16`	`},`
`17`	`17`	`{`
Original file line number	Diff line number	Diff line change
`@@ -343,7 +343,7 @@`
`343`	`343`	`"cell_type": "markdown",`
`344`	`344`	`"metadata": {},`
`345`	`345`	`"source": [`
`346`		- "To make the adversarial example robust against rotation we apply Expectation over Transformation (EoT) sampling using ART's `art.preprocessing.expectation_over_transformation.EoTImageRotationTensorFlow` tool. The instance `eot_rotation` will draw `eot_samples` samples and roate each with a differen random angle in each evaluation of the classifier model, including predictions and loss gradient calculations."
	`346`	+ "To make the adversarial example robust against rotation we apply Expectation over Transformation (EoT) sampling using ART's `art.preprocessing.expectation_over_transformation.EoTImageRotationTensorFlow` tool. The instance `eot_rotation` will draw `eot_samples` samples and rotate each with a different random angle in each evaluation of the classifier model, including predictions and loss gradient calculations."
`347`	`347`	`]`
`348`	`348`	`},`
`349`	`349`	`{`
`@@ -410,7 +410,7 @@`
`410`	`410`	`"cell_type": "markdown",`
`411`	`411`	`"metadata": {},`
`412`	`412`	`"source": [`
`413`		- "Applying EoT sampling of rotations to the classifier used by the attack generates adversarial examples that are robust against rotations. The plots below show that the adversarial exmaple created in the previous section remains adversarial with high confidence for a large variety of rotation angles (red bars). The evaluation was done with predictions of the ART classifier without EoT, but the same classifier model, created first above, to not add additional rotation to the evaluated input."
	`413`	+ "Applying EoT sampling of rotations to the classifier used by the attack generates adversarial examples that are robust against rotations. The plots below show that the adversarial example created in the previous section remains adversarial with high confidence for a large variety of rotation angles (red bars). The evaluation was done with predictions of the ART classifier without EoT, but the same classifier model, created first above, to not add additional rotation to the evaluated input."
`414`	`414`	`]`
`415`	`415`	`},`
`416`	`416`	`{`
Original file line number	Diff line number	Diff line change
`@@ -17,7 +17,7 @@`
`17`	`17`	`"\n",`
`18`	`18`	`"The basic intuition behind the attack is that samples used in training will be farther away from the decision boundary than non-training data.\n",`
`19`	`19`	`"\n",`
`20`		- "The attacker uses various means of perturbations to measure the amount of noise that is needed to \"change the classifier's mind\" about their prediction for a given sample. Since the ML model is more confident on training data, the attacker will need to perturb the input more to force the model to misclassify. Thus, the amount of perturbation needed will be analogue to the sample's distance from the decision boundary. Both of the below listed attacks use an adversarial perturbation techique called [HopSkipJump](https://arxiv.org/abs/1904.02144).\n",
	`20`	+ "The attacker uses various means of perturbations to measure the amount of noise that is needed to \"change the classifier's mind\" about their prediction for a given sample. Since the ML model is more confident on training data, the attacker will need to perturb the input more to force the model to misclassify. Thus, the amount of perturbation needed will be analogue to the sample's distance from the decision boundary. Both of the below listed attacks use an adversarial perturbation technique called [HopSkipJump](https://arxiv.org/abs/1904.02144).\n",
`21`	`21`	`"\n",`
`22`	`22`	`"![title](img/label_only_boundary_intuition.png)\n",`
`23`	`23`	`"\n",`
`@@ -268,7 +268,7 @@`
`268`	`268`	`"metadata": {},`
`269`	`269`	`"source": [`
`270`	`270`	`"<a id='infer'></a>\n",`
`271`		`- "### Infer membeship on evaluation data"`
	`271`	`+ "### Infer membership on evaluation data"`
`272`	`272`	`]`
`273`	`273`	`},`
`274`	`274`	`{`
`@@ -415,7 +415,7 @@`
`415`	`415`	`"metadata": {},`
`416`	`416`	`"source": [`
`417`	`417`	`"<a id='infer_nodata'></a>\n",`
`418`		`- "### Infer membeship on evaluation data"`
	`418`	`+ "### Infer membership on evaluation data"`
`419`	`419`	`]`
`420`	`420`	`},`
`421`	`421`	`{`
`@@ -440,7 +440,7 @@`
`440`	`440`	`}`
`441`	`441`	`],`
`442`	`442`	`"source": [`
`443`		`- "pred_label_unsuperviseed = mia_label_only_unsupervised.infer(x_eval, y_eval)"`
	`443`	`+ "pred_label_unsupervised = mia_label_only_unsupervised.infer(x_eval, y_eval)"`
`444`	`444`	`]`
`445`	`445`	`},`
`446`	`446`	`{`
`@@ -460,7 +460,7 @@`
`460`	`460`	`}`
`461`	`461`	`],`
`462`	`462`	`"source": [`
`463`		`- "print(\"Accuracy: %f\" % accuracy_score(eval_label, pred_label_unsuperviseed))"`
	`463`	`+ "print(\"Accuracy: %f\" % accuracy_score(eval_label, pred_label_unsupervised))"`
`464`	`464`	`]`
`465`	`465`	`},`
`466`	`466`	`{`