
PGD attack on multi-modal CLIP model #2340

Closed
wants to merge 46 commits

Conversation

GiulioZizzo
Collaborator

Description

We include an experimental feature on handling multimodal inputs in ART and demonstrate its use for attacking CLIP. This is a new type of attack for ART and this PR shows a potential route for integrating multimodal inputs in ART without a full re-write of the backend code.

Fixes # (issue)

Type of change

Please check all relevant options.

  • Improvement (non-breaking)
  • Bug fix (non-breaking)
  • New feature (non-breaking)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update

Testing

Please describe the tests that you ran to verify your changes. Consider listing any relevant details of your test configuration.

  • New test in tests/estimators/classification/test_multimodal.py
  • New test in tests/attacks/evasion/classification/test_multimodal_attack.py

Test Configuration:

  • OS: Mac OS
  • Python version: 3.8
  • ART version or commit number: ART 1.16
  • TensorFlow / Keras / PyTorch / MXNet version: torch 1.13.1

Checklist

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • My changes have been tested using both CPU and GPU devices
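The attack the PR describes, as an added illustration that is not ART's code and not the code in this PR: an untargeted L-inf PGD run against a CLIP-style zero-shot classifier, where the input is an (image, text prompts) pair and only the image modality is perturbed while the text prompts stay fixed. The two "towers" below are constructed stand-ins (a prompt lookup table for the text side, a small linear map for the image side), the gradient through L2 normalisation and cosine similarity is derived by hand so the example runs without a deep-learning framework, and the sample image is constructed; the function and class names (`MultiModalInput`, `pgd_attack`, `TEXT_TOWER`, `IMAGE_TOWER_W`) are this example's own, not ART's API.

```python
"""Untargeted L-inf PGD against a toy CLIP-style zero-shot classifier.

Stand-in model, not CLIP and not ART: the text tower is a lookup table and
the image tower is a linear map, but the attack loop (sign-gradient step,
projection onto the eps-ball, clipping to the valid pixel range, text
modality left untouched) is the same shape as the real attack.
"""
import math
from dataclasses import dataclass
from typing import List

# Constructed stand-in for CLIP's text tower: prompt -> unit embedding.
TEXT_TOWER = {
    "a photo of a cat": [1.0, 0.0],
    "a photo of a dog": [0.0, 1.0],
}

# Constructed stand-in for the image tower: 4 pixels -> 2-d embedding.
# Row i is the weight vector of embedding dimension i.
IMAGE_TOWER_W = [
    [1.0, 1.0, 0.0, 0.0],
    [0.0, 0.0, 1.0, 1.0],
]
LOGIT_SCALE = 100.0  # CLIP scales cosine similarities by exp(logit_scale) ~ 100


@dataclass
class MultiModalInput:
    image: List[float]   # pixel values in [0, 1]; this is what PGD perturbs
    prompts: List[str]   # candidate class prompts; never modified


def _normalise(v):
    n = math.sqrt(sum(c * c for c in v))
    return [c / n for c in v], n


def encode_image(pixels):
    """Linear image tower followed by L2 normalisation. Returns (e_hat, |z|)."""
    z = [sum(w * p for w, p in zip(row, pixels)) for row in IMAGE_TOWER_W]
    return _normalise(z)


def logits(sample):
    """Zero-shot logits: scaled cosine between image embedding and each prompt."""
    e_hat, _ = encode_image(sample.image)
    return [LOGIT_SCALE * sum(a * b for a, b in zip(e_hat, TEXT_TOWER[p]))
            for p in sample.prompts]


def predict(sample):
    l = logits(sample)
    return max(range(len(l)), key=l.__getitem__)


def _softmax(l):
    m = max(l)  # subtract the max so exp() never overflows at scale 100
    ex = [math.exp(v - m) for v in l]
    s = sum(ex)
    return [v / s for v in ex]


def image_gradient(sample, label):
    """d(cross-entropy)/d(pixels), back through cosine, normalisation and W."""
    e_hat, norm = encode_image(sample.image)
    p = _softmax(logits(sample))
    text = [TEXT_TOWER[pr] for pr in sample.prompts]
    # dL/d(e_hat) = scale * sum_k (p_k - [k == label]) * t_k
    g = [LOGIT_SCALE * sum((p[k] - (1.0 if k == label else 0.0)) * text[k][i]
                           for k in range(len(text)))
         for i in range(len(e_hat))]
    # e_hat = z / |z|  =>  dL/dz = (g - e_hat * (e_hat . g)) / |z|
    eg = sum(a * b for a, b in zip(e_hat, g))
    dz = [(gi - ei * eg) / norm for gi, ei in zip(g, e_hat)]
    # z = W x  =>  dL/dx = W^T dL/dz
    return [sum(IMAGE_TOWER_W[i][j] * dz[i] for i in range(len(dz)))
            for j in range(len(sample.image))]


def pgd_attack(sample, eps=0.3, step=0.1, iters=10):
    """Untargeted PGD: maximise the loss of the clean prediction within an
    L-inf ball of radius eps around the original image, staying in [0, 1]."""
    label = predict(sample)
    x0 = sample.image
    x = list(x0)
    for _ in range(iters):
        grad = image_gradient(MultiModalInput(x, sample.prompts), label)
        x = [xi + step * (1.0 if gi > 0 else -1.0 if gi < 0 else 0.0)
             for xi, gi in zip(x, grad)]
        x = [min(max(xi, oi - eps), oi + eps) for xi, oi in zip(x, x0)]  # eps-ball
        x = [min(max(xi, 0.0), 1.0) for xi in x]                          # pixel range
    # Text modality is passed through unchanged: same prompt list object.
    return MultiModalInput(x, sample.prompts)


if __name__ == "__main__":
    # Constructed sample: a 4-pixel "image" that the toy model reads as a cat.
    clean = MultiModalInput([0.6, 0.6, 0.4, 0.4],
                            ["a photo of a cat", "a photo of a dog"])
    adv = pgd_attack(clean)
    print("clean ->", clean.prompts[predict(clean)])
    print("adv   ->", adv.prompts[predict(adv)], "pixels", adv.image)
```

The detail a reviewer of a multimodal attack wants to see is that the projection and the valid-range clipping apply to the image tensor only, and the prompt list reaches the model untouched; a framework-backed version replaces `image_gradient` with autograd through the real image tower, and nothing else in the loop changes.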

Signed-off-by: GiulioZizzo <[email protected]>
@GiulioZizzo GiulioZizzo marked this pull request as draft December 1, 2023 11:16
…starts for classical classification tasks

@GiulioZizzo GiulioZizzo marked this pull request as ready for review December 12, 2023 08:35
@beat-buesser beat-buesser self-assigned this Dec 13, 2023
@beat-buesser beat-buesser added this to the ART 1.18.0 milestone Jan 9, 2024
@beat-buesser beat-buesser changed the base branch from dev_1.17.0 to dev_1.18.0 January 9, 2024 12:26
@beat-buesser
Collaborator

This is more duplicate code in the experimental module than I had expected. I think we need to extend the primary implementation of the attack to be input data agnostic or design a general data API.

@beat-buesser beat-buesser removed this from the ART 1.18.0 milestone Jun 16, 2024
@beat-buesser beat-buesser deleted the branch Trusted-AI:dev_1.18.0 October 1, 2024 15:57