Add support for scikit-learn models about adversarial-robustness-toolbox HOT 14 CLOSED

I started working on a classifier for sklearn.svm.SVC. This is a short list of items that I'm implementing:

• gradients for linear kernel
• gradients for polynomial kernel
• gradients for radial basis function kernel
• gradients for sigmoid kernel
• account for sklearn.svm.LinearSVC
• account for probability option

from adversarial-robustness-toolbox.

I can help with this one.

from adversarial-robustness-toolbox.

I'm interested to help

from adversarial-robustness-toolbox.

@beat-buesser @imolloy I think this is quite a big task, so I suggest you share responsibilities. One of you could perform the analysis discussed above. Based on that, you can split the implementation between you. Let me know what you think.

from adversarial-robustness-toolbox.

@ririnicolae Completely agree. We should start with a list of the models we're interested in, e.g., classifiers, regression, etc. Next, there's a question about whether or not the existing sklearn interfaces are going to be sufficient, or if we need to be model-specific. For example, using the fit, predict, predict_proba, transform, fit_transform will be sufficient (implies blackbox attacks) or if we need to dig into any of the models themselves, e.g.,.coef_ and intercept_ for LinearRegression and SVC (along with dual_coef_), and so on.

My initial target would be SVC and LogisticRegression.

from adversarial-robustness-toolbox.

@imolloy I think classification is a good place to start, and we should at least be able to cover SVC & LogisticRegression, as you suggested. One of the questions at this point is: will we be able to extract gradients from scikit-learn? These would be vital for white-box attacks (class_gradient and loss_gradient in the Classifier API). But you're right, we can always limit the support to black-box attacks if we can't get gradients.

from adversarial-robustness-toolbox.

Looking at the main modules and classes, this list might get us started. I don't think we'll be able to write a generic gradient function in a whitebox setting, but we can default to a blackbox approximation using something similar to ZOO or NES. We can try to computing gradients for some of the simpler classes and see how it goes.

• sklearn.linear_model.{LinearRegression, LogisticRegression}
• sklearn.tree.{DecisionTreeClassifier}
• sklearn.svm.{SVC}
• sklearn.naive_bayes.{}
• sklearn.preprocessing.{}
• sklearn.ensemble.{RandomForestClassifier, AdaBoostClassifier, GradientBoostingClassifier}
• sklearn.discriminant_analysis.{LinearDiscriminantAnalysis, QuadraticDiscriminantAnalysis}
• sklearn.decomposition.{NMF, PCA}
• sklearn.neighbors .{}

from adversarial-robustness-toolbox.

Sounds good to me. I have created a new development branch development_sklearn and will start to build there prototypes for sklearn.linear_model.LogisticRegression to explore some of the challenges ahead.

from adversarial-robustness-toolbox.

I have pushed a prototype of a classifier for sklearn.linear_model.LogisticRegression to branch development_sklearn in 49a9429.

The new notebook sklearn_logistic_regression.ipynb includes examples using the MNIST dataset and art.attacks.projected_gradient_descent.ProjectedGradientDescent.

So far I can see a few TODOs remaining and I'll continue working on them:

• account for class_weights: implemented in bdc1b26
• vectorisation: implemented in 82b4bcb
• implement remaining art.classifier functions: implemented in 6ac03e0, e7e2245
• targeted attacks: implemented in 26f56b8
• add unit tests: implemented in 63c659b

Please let me know what you think.

from adversarial-robustness-toolbox.

I have created a new development branch development_sklearn_SVM and started to implement support for Support Vector Machines.

from adversarial-robustness-toolbox.

The ART classifier for sklearn.svm.SVC has now loss_gradients for linear and rbf kernels. Check out the PGD attack examples on Iris and MNIST datasets in sklearn_svm_svc.ipynb

from adversarial-robustness-toolbox.

I have created a new development branch development_decision_trees for the exploration and development on decision tree classifiers from sklearn.tree.DecisionTreeClassifier, sklearn.ensemble.{RandomForestClassifier, AdaBoostClassifier, GradientBoostingClassifier}, XGBoost, LightGBM and CatBoost and related attacks and defenses.

This is an interesting, very recent article on adversarial examples and robustness for decision trees: https://arxiv.org/abs/1902.10660

from adversarial-robustness-toolbox.

Progress with tree-based classifiers:

• sklearn.ensemble.AdaBoostClassifier
• sklearn.ensemble.BaggingClassifier
• sklearn.tree.DecisionTreeClassifier
• sklearn.tree.ExtraTreeClassifier
• sklearn.ensemble.ExtraTreesClassifier
• sklearn.ensemble.GradientBoostingClassifier
• sklearn.ensemble.RandomForestClassifier
• XGBoost
• LightGBM
• CatBoost

from adversarial-robustness-toolbox.

All new classifiers and example notebooks have been merged to branch development_sklearn. There development will continue to implement unit tests and improve notebooks.

from adversarial-robustness-toolbox.