Implement STRIP Defense Against Poisoning Attacks

[ebubae]

Description

This PR:

• Implements the STRIP defense proposed by Gao. et. al 2020.
• Creates a poison_mitigation folder to host mixins used for poison mitigation
• Resolves Implement STRIP defense against poisoning attacks #664

Type of change

Please check all relevant options.

• Improvement (non-breaking)
• Bug fix (non-breaking)
• New feature (non-breaking)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• This change requires a documentation update

Testing

Please describe the tests that you ran to verify your changes. Consider listing any relevant details of your test configuration.

Currently tests are running and pass for Keras and TF Keras. I had some issues with the Pytorch unit test classifier.

Checklist

• My code follows the style guidelines of this project
• I have performed a self-review of my own code
• I have commented my code
• I have made corresponding changes to the documentation
• My changes generate no new warnings
• I have added tests that prove my fix is effective or that my feature works
• New and existing unit tests pass locally with my changes

[beat-buesser]

Could you please convert these tests to the new pytest pattern: https://github.com/Trusted-AI/adversarial-robustness-toolbox/wiki/ART-Unit-Testing

[ebubae]

Done

[beat-buesser]

Could you please convert these tests to the new pytest pattern: https://github.com/Trusted-AI/adversarial-robustness-toolbox/wiki/ART-Unit-Testing

[ebubae]

Done. Please check that it's truly framework-independent. I'm not sure if it's only testing TF.

[beat-buesser]

Could we make the return type more specific to reflect the STRIPMixin? I think it's not just a general classifier anymore.

[ebubae]

This is a very good point. I've added a TypeVar to bound the return type.

[beat-buesser]

I think this line needs an update.

[ebubae]

Done

[beat-buesser]

Suggested change

	# Perturn the images by combining them
	# Perturb the images by combining them

[ebubae]

Thanks for catching this.

[beat-buesser]

Could you please update art.estimators.__init__.py with an import of poison_mitigation after line 18?

Could you please add the new notebook to notebooks/README.md, probably in the section Poisoning?

[beat-buesser]

I think this docstring needs an update.

[ebubae]

Fixed

[beat-buesser]

Hi @ebubae Thank you very much for implementing a new defence against poisoning! A think it's a very nice implementation and I only have a few formatting requests.

[codecov-io]

Codecov Report

Merging #656 into dev_1.5.0 will decrease coverage by 0.07%.
The diff coverage is 45.00%.

@@              Coverage Diff              @@
##           dev_1.5.0     #656      +/-   ##
=============================================
- Coverage      58.93%   58.86%   -0.08%     
=============================================
  Files            155      159       +4     
  Lines          14206    14282      +76     
  Branches        2551     2559       +8     
=============================================
+ Hits            8373     8407      +34     
- Misses          5031     5072      +41     
- Partials         802      803       +1     

Impacted Files	Coverage Δ
...poison_mitigation/neural_cleanse/neural_cleanse.py	17.85% <ø> (ø)
art/estimators/poison_mitigation/strip/strip.py	29.16% <29.16%> (ø)
art/defences/transformer/poisoning/strip.py	58.33% <58.33%> (ø)
art/defences/transformer/poisoning/__init__.py	100.00% <100.00%> (ø)
...t/defences/transformer/poisoning/neural_cleanse.py	62.50% <100.00%> (ø)
art/estimators/poison_mitigation/__init__.py	100.00% <100.00%> (ø)
...ators/poison_mitigation/neural_cleanse/__init__.py	100.00% <100.00%> (ø)
...timators/poison_mitigation/neural_cleanse/keras.py	15.17% <100.00%> (ø)
art/estimators/poison_mitigation/strip/__init__.py	100.00% <100.00%> (ø)
... and 5 more

[beat-buesser]

Hi @ebubae Thank you very much for implementing the STRIP defense against poisoning attacks!