holisticai.robustness.attackers.ZooAttack

class holisticai.robustness.attackers.ZooAttack(name='Zoo', confidence=0.0, targeted=False, learning_rate=0.01, max_iter=20, binary_search_steps=10, initial_const=0.001, abort_early=True, use_resize=False, use_importance=False, nb_parallel=1, variable_h=0.2, verbose=True, input_is_feature_vector=False, proxy=None, input_size=0, nb_classes=2, adam_mean=None, adam_var=None, adam_epochs=None)

The black-box zeroth-order optimization attack from Pin-Yu Chen et al. (2018). This attack is a variant of the C&W attack which uses ADAM coordinate descent to perform numerical estimation of gradients.

Parameters

name : str, optional

The name of the attack. The default is “Zoo”.

confidence : float, optional

Confidence of adversarial examples. A higher value produces examples that are farther away, but more strongly classified as adversarial. The default is 0.0.

targeted : bool, optional

Indicates whether the attack is targeted. The default is False. If True, the positive ground truth is used as the target.

learning_rate : float, optional

The learning rate for the ADAM optimizer. The default is 1e-2.

max_iter : int, optional

The maximum number of iterations. The default is 20.

binary_search_steps : int, optional

The number of binary search steps. The default is 10.

initial_const : float, optional

The initial constant used to scale the adversarial perturbation. The default is 1e-3.

abort_early : bool, optional

Indicates whether to abort the optimization early. The default is True.

use_resize : bool, optional

Indicates whether to use resizing. The default is False.

use_importance : bool, optional

Indicates whether to use importance sampling. The default is False.

nb_parallel : int, optional

The number of parallel coordinates to update. The default is 1.

variable_h : float, optional

The variable h. The default is 0.2.

verbose : bool, optional

Indicates whether to print verbose output. The default is True.

input_is_feature_vector : bool, optional

Indicates whether the input is a feature vector. The default is False.

proxy : callable, optional

The model used to predict the probabilities of the input. The default is None.

input_size : int, optional

The size of the input. The default is 0.

nb_classes : int, optional

The number of classes. The default is 2.

adam_mean : Optional[NDArray|ArrayLike|None], optional

The mean of the ADAM optimizer. The default is None.

adam_var : Optional[NDArray|ArrayLike|None], optional

The variance of the ADAM optimizer. The default is None.

adam_epochs : Optional[NDArray|ArrayLike|None], optional

The epochs of the ADAM optimizer. The default is None.

generate(x_df: DataFrame, y: ndarray | None = None) -> DataFrame

Generate adversarial samples and return them as a DataFrame.

Parameters

x_df : pd.DataFrame

The input samples.

y : Optional[np.ndarray], optional

The target labels. The default is None.

Returns

pd.DataFrame

The adversarial samples.
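
The class description says the attack estimates gradients numerically and optimizes with ADAM coordinate descent. The sketch below is an added example, not holisticai's implementation: it runs that loop against a constructed logistic model reached only through `predict_proba`, and returns the perturbed sample and the query count a robustness assessment would record. All names (`W`, `B`, `predict_proba`, `loss`, `estimate_grad_coord`, `zoo_coordinate_adam`) are hypothetical, and `h` stands in for what `variable_h` is assumed to control, the finite-difference step.

```python
import math
import random

W, B = [1.5, -2.0, 0.5], 0.1  # constructed model weights (hypothetical)

def predict_proba(x):
    """Black-box oracle: the only interface the loop below is allowed to call."""
    z = sum(w * v for w, v in zip(W, x)) + B
    p1 = 1.0 / (1.0 + math.exp(-z))
    return [1.0 - p1, p1]

def loss(x, x0, y, const, confidence=0.0):
    """C&W-style untargeted objective: squared L2 distance + const * log-prob hinge."""
    p = predict_proba(x)
    hinge = max(math.log(p[y]) - math.log(p[1 - y]), -confidence)
    return sum((a - b) ** 2 for a, b in zip(x, x0)) + const * hinge

def estimate_grad_coord(f, x, i, h):
    """Symmetric difference quotient along coordinate i (two oracle queries)."""
    up, dn = list(x), list(x)
    up[i] += h
    dn[i] -= h
    return (f(up) - f(dn)) / (2.0 * h)

def zoo_coordinate_adam(x0, y, const=1.0, lr=0.01, max_iter=2000, h=1e-4, seed=0):
    """Per-coordinate ADAM on estimated gradients; returns (x_adv, query_count)."""
    rng = random.Random(seed)
    x, n = list(x0), len(x0)
    m, v, t = [0.0] * n, [0.0] * n, [0] * n  # per-coordinate ADAM state
    b1, b2, eps, queries = 0.9, 0.999, 1e-8, 0
    for _ in range(max_iter):
        i = rng.randrange(n)  # one coordinate per step, as with nb_parallel=1
        g = estimate_grad_coord(lambda z: loss(z, x0, y, const), x, i, h)
        t[i] += 1
        m[i] = b1 * m[i] + (1 - b1) * g
        v[i] = b2 * v[i] + (1 - b2) * g * g
        m_hat, v_hat = m[i] / (1 - b1 ** t[i]), v[i] / (1 - b2 ** t[i])
        x[i] -= lr * m_hat / (math.sqrt(v_hat) + eps)
        queries += 3  # two for the estimate, one for the label check below
        if predict_proba(x)[y] < 0.5:  # early abort once the predicted label flips
            break
    return x, queries

if __name__ == "__main__":
    x0 = [1.0, 0.0, 1.0]  # constructed sample, classified as class 1
    adv, q = zoo_coordinate_adam(x0, y=1)
    print("p(class 1):", predict_proba(x0)[1], "->", predict_proba(adv)[1], "queries:", q)
```

Each coordinate update costs two oracle calls for the estimate, so the query count grows with the number of coordinates updated and with the iteration budget.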