Adversarial-Attacks-PyTorch

<p> <a href="https://github.com/Harry24k/adversarial-attacks-pytorch/blob/master/LICENSE"><img alt="MIT License" src="https://img.shields.io/github/license/Harry24k/adversarial-attacks-pytorch?&color=brightgreen" /></a> <a href="https://pypi.org/project/torchattacks/"><img alt="Pypi" src="https://img.shields.io/pypi/v/torchattacks.svg?&color=orange" /></a> <a href="https://github.com/Harry24k/adversarial-attacks-pytorch/releases"><img alt="Latest Release" src="https://img.shields.io/github/release/Harry24k/adversarial-attacks-pytorch.svg?&color=blue" /></a> <a href="https://adversarial-attacks-pytorch.readthedocs.io/en/latest/"><img alt="Documentation Status" src="https://readthedocs.org/projects/adversarial-attacks-pytorch/badge/?version=latest" /></a> <a href="https://codecov.io/gh/Harry24k/adversarial-attacks-pytorch"><img src="https://codecov.io/gh/Harry24k/adversarial-attacks-pytorch/branch/master/graph/badge.svg?token=00CQ79UTC2"/></a> <a href="https://lgtm.com/projects/g/Harry24k/adversarial-attacks-pytorch/"><img src="https://img.shields.io/pypi/dm/torchattacks?color=blue"/></a> <a href="https://github.com/psf/black"><img alt="Code style: black" src="https://img.shields.io/badge/code%20style-black-000000.svg"></a> </p>

<strong>Torchattacks is a PyTorch library that provides adversarial attacks to generate adversarial examples.</strong>

It provides a PyTorch-like interface and functions that make it easier for PyTorch users to implement adversarial attacks.

```python
import torchattacks

atk = torchattacks.PGD(model, eps=8/255, alpha=2/255, steps=4)
# If inputs were normalized, then
# atk.set_normalization_used(mean=[...], std=[...])
adv_images = atk(images, labels)
```
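
As a quick illustration, the hedged sketch below measures robust accuracy against the PGD attack configured above; `model` and `test_loader` are placeholders for your own classifier and data loader (images scaled to [0, 1]).

```python
import torch
import torchattacks

# `model` is any torch.nn.Module classifier; `test_loader` yields (images, labels)
# batches with pixel values in [0, 1]. Both are assumptions for this sketch.
device = "cuda" if torch.cuda.is_available() else "cpu"
model = model.to(device).eval()

atk = torchattacks.PGD(model, eps=8/255, alpha=2/255, steps=4)

correct, total = 0, 0
for images, labels in test_loader:
    images, labels = images.to(device), labels.to(device)
    adv_images = atk(images, labels)           # generate adversarial examples
    preds = model(adv_images).argmax(dim=1)    # predictions on perturbed inputs
    correct += (preds == labels).sum().item()
    total += labels.size(0)

print(f"Robust accuracy: {100 * correct / total:.1f}%")
```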

Additional Recommended Packages

Citation. If you use this package, please cite the following BibTeX (Google Scholar):

```
@article{kim2020torchattacks,
  title={Torchattacks: A pytorch repository for adversarial attacks},
  author={Kim, Hoki},
  journal={arXiv preprint arXiv:2010.01950},
  year={2020}
}
```

:hammer: Requirements and Installation

Requirements

Installation

```bash
# pip
pip install torchattacks

# source
pip install git+https://github.com/Harry24k/adversarial-attacks-pytorch.git

# git clone
git clone https://github.com/Harry24k/adversarial-attacks-pytorch.git
cd adversarial-attacks-pytorch/
pip install -e .
```
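
To confirm the installation, a quick Python check (assuming the package exposes a `__version__` attribute, as most PyPI packages do):

```python
import torchattacks

# A plain import already confirms the installation; __version__ is assumed to exist.
print(torchattacks.__version__)
```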

:rocket: Getting Started

Precautions

Demos

:page_with_curl: Supported Attacks

The distance measure used by each attack is shown in parentheses; a short instantiation sketch follows the table.

| Name | Paper | Remark |
| --- | --- | --- |
| FGSM<br />(Linf) | Explaining and harnessing adversarial examples (Goodfellow et al., 2014) | |
| BIM<br />(Linf) | Adversarial Examples in the Physical World (Kurakin et al., 2016) | Basic iterative method or Iterative-FGSM |
| CW<br />(L2) | Towards Evaluating the Robustness of Neural Networks (Carlini et al., 2016) | |
| RFGSM<br />(Linf) | Ensemble Adversarial Training: Attacks and Defences (Tramèr et al., 2017) | Random initialization + FGSM |
| PGD<br />(Linf) | Towards Deep Learning Models Resistant to Adversarial Attacks (Madry et al., 2017) | Projected Gradient Method |
| PGDL2<br />(L2) | Towards Deep Learning Models Resistant to Adversarial Attacks (Madry et al., 2017) | Projected Gradient Method |
| MIFGSM<br />(Linf) | Boosting Adversarial Attacks with Momentum (Dong et al., 2017) | :heart_eyes: Contributor zhuangzi926, huitailangyz |
| TPGD<br />(Linf) | Theoretically Principled Trade-off between Robustness and Accuracy (Zhang et al., 2019) | |
| EOTPGD<br />(Linf) | Comment on "Adv-BNN: Improved Adversarial Defense through Robust Bayesian Neural Network" (Zimmermann, 2019) | EOT+PGD |
| APGD<br />(Linf, L2) | Reliable evaluation of adversarial robustness with an ensemble of diverse parameter-free attacks (Croce et al., 2020) | |
| APGDT<br />(Linf, L2) | Reliable evaluation of adversarial robustness with an ensemble of diverse parameter-free attacks (Croce et al., 2020) | Targeted APGD |
| FAB<br />(Linf, L2, L1) | Minimally distorted Adversarial Examples with a Fast Adaptive Boundary Attack (Croce et al., 2019) | |
| Square<br />(Linf, L2) | Square Attack: a query-efficient black-box adversarial attack via random search (Andriushchenko et al., 2019) | |
| AutoAttack<br />(Linf, L2) | Reliable evaluation of adversarial robustness with an ensemble of diverse parameter-free attacks (Croce et al., 2020) | APGD+APGDT+FAB+Square |
| DeepFool<br />(L2) | DeepFool: A Simple and Accurate Method to Fool Deep Neural Networks (Moosavi-Dezfooli et al., 2016) | |
| OnePixel<br />(L0) | One pixel attack for fooling deep neural networks (Su et al., 2019) | |
| SparseFool<br />(L0) | SparseFool: a few pixels make a big difference (Modas et al., 2019) | |
| DIFGSM<br />(Linf) | Improving Transferability of Adversarial Examples with Input Diversity (Xie et al., 2019) | :heart_eyes: Contributor taobai |
| TIFGSM<br />(Linf) | Evading Defenses to Transferable Adversarial Examples by Translation-Invariant Attacks (Dong et al., 2019) | :heart_eyes: Contributor taobai |
| NIFGSM<br />(Linf) | Nesterov Accelerated Gradient and Scale Invariance for Adversarial Attacks (Lin et al., 2022) | :heart_eyes: Contributor Zhijin-Ge |
| SINIFGSM<br />(Linf) | Nesterov Accelerated Gradient and Scale Invariance for Adversarial Attacks (Lin et al., 2022) | :heart_eyes: Contributor Zhijin-Ge |
| VMIFGSM<br />(Linf) | Enhancing the Transferability of Adversarial Attacks through Variance Tuning (Wang et al., 2022) | :heart_eyes: Contributor Zhijin-Ge |
| VNIFGSM<br />(Linf) | Enhancing the Transferability of Adversarial Attacks through Variance Tuning (Wang et al., 2022) | :heart_eyes: Contributor Zhijin-Ge |
| Jitter<br />(Linf) | Exploring Misclassifications of Robust Neural Networks to Enhance Adversarial Attacks (Schwinn, Leo, et al., 2021) | |
| Pixle<br />(L0) | Pixle: a fast and effective black-box attack based on rearranging pixels (Pomponi, Jary, et al., 2022) | |
| LGV<br />(Linf, L2, L1, L0) | LGV: Boosting Adversarial Example Transferability from Large Geometric Vicinity (Gubri, et al., 2022) | :heart_eyes: Contributor Martin Gubri |
| SPSA<br />(Linf) | Adversarial Risk and the Dangers of Evaluating Against Weak Attacks (Uesato, Jonathan, et al., 2018) | :heart_eyes: Contributor Riko Naka |
| JSMA<br />(L0) | The Limitations of Deep Learning in Adversarial Settings (Papernot, Nicolas, et al., 2016) | :heart_eyes: Contributor Riko Naka |
| EADL1<br />(L1) | EAD: Elastic-Net Attacks to Deep Neural Networks (Chen, Pin-Yu, et al., 2018) | :heart_eyes: Contributor Riko Naka |
| EADEN<br />(L1, L2) | EAD: Elastic-Net Attacks to Deep Neural Networks (Chen, Pin-Yu, et al., 2018) | :heart_eyes: Contributor Riko Naka |
| PIFGSM (PIM)<br />(Linf) | Patch-wise Attack for Fooling Deep Neural Network (Gao, Lianli, et al., 2020) | :heart_eyes: Contributor Riko Naka |
| PIFGSM++ (PIM++)<br />(Linf) | Patch-wise++ Perturbation for Adversarial Targeted Attacks (Gao, Lianli, et al., 2021) | :heart_eyes: Contributor Riko Naka |
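
All of the attacks above share the same interface: wrap a model, then call the attack on a batch of images and labels. The sketch below instantiates a few of them; the keyword arguments shown (e.g. `c`, `kappa`, `steps`, `lr`, `norm`) are illustrative assumptions rather than an authoritative API reference, so check the documentation of your installed version.

```python
import torchattacks

# `model` is assumed to be a classifier taking images scaled to [0, 1].
# Keyword arguments below are illustrative; consult the docs for exact signatures.
fgsm = torchattacks.FGSM(model, eps=8/255)                        # Linf, single-step
pgd = torchattacks.PGD(model, eps=8/255, alpha=2/255, steps=10)   # Linf, iterative
cw = torchattacks.CW(model, c=1, kappa=0, steps=50, lr=0.01)      # L2, optimization-based
auto = torchattacks.AutoAttack(model, norm='Linf', eps=8/255)     # APGD+APGDT+FAB+Square

adv_images = pgd(images, labels)  # the call pattern is identical for every attack
```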

:bar_chart: Performance Comparison

For the comparison, packages that are actively updated and most widely cited were selected:

Robust accuracy against each attack and elapsed time on the first 50 images of CIFAR10. For L2 attacks, the average L2 distance between the adversarial images and the original images is also recorded. All experiments were run on a GeForce RTX 2080. For the latest version, please refer to here (code, nbviewer).
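
For reference, the reported L2 distance is the mean per-image L2 norm of the perturbation; a minimal sketch of that measurement (pure PyTorch, no torchattacks-specific API):

```python
import torch

def mean_l2_distance(adv_images: torch.Tensor, images: torch.Tensor) -> float:
    """Average L2 norm of the perturbation, one norm per image."""
    diff = (adv_images - images).flatten(start_dim=1)  # one row per image
    return diff.norm(p=2, dim=1).mean().item()
```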

| Attack | Package | Standard | Wong2020Fast | Rice2020Overfitting | Remark |
| --- | --- | --- | --- | --- | --- |
| FGSM (Linf) | Torchattacks | 34% (54ms) | 48% (5ms) | 62% (82ms) | |
| | Foolbox<sup>*</sup> | 34% (15ms) | 48% (8ms) | 62% (30ms) | |
| | ART | 34% (214ms) | 48% (59ms) | 62% (768ms) | |
| PGD (Linf) | Torchattacks | 0% (174ms) | 44% (52ms) | 58% (1348ms) | :crown: Fastest |
| | Foolbox<sup>*</sup> | 0% (354ms) | 44% (56ms) | 58% (1856ms) | |
| | ART | 0% (1384ms) | 44% (437ms) | 58% (4704ms) | |
| CW<sup>†</sup> (L2) | Torchattacks | 0% / 0.40 (2596ms) | 14% / 0.61 (3795ms) | 22% / 0.56 (43484ms) | :crown: Highest Success Rate <br /> :crown: Fastest |
| | Foolbox<sup>*</sup> | 0% / 0.40 (2668ms) | 32% / 0.41 (3928ms) | 34% / 0.43 (44418ms) | |
| | ART | 0% / 0.59 (196738ms) | 24% / 0.70 (66067ms) | 26% / 0.65 (694972ms) | |
| PGD (L2) | Torchattacks | 0% / 0.41 (184ms) | 68% / 0.5 (52ms) | 70% / 0.5 (1377ms) | :crown: Fastest |
| | Foolbox<sup>*</sup> | 0% / 0.41 (396ms) | 68% / 0.5 (57ms) | 70% / 0.5 (1968ms) | |
| | ART | 0% / 0.40 (1364ms) | 68% / 0.5 (429ms) | 70% / 0.5 (4777ms) | |

<sup>*</sup> Note that Foolbox returns accuracy and adversarial images simultaneously, so the actual time for generating adversarial images may be shorter than the recorded values.

<sup>†</sup> Considering that the binary search algorithm for the constant c can be time-consuming, torchattacks supports MultiAttack for grid searching c.
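
A hedged sketch of that grid search, assuming the `CW` keyword arguments (`c`, `steps`) match your installed version; `MultiAttack` chains the listed attacks over the same batch:

```python
import torchattacks

# Grid search over the CW constant c via MultiAttack (illustrative values).
# Keyword arguments are assumptions; check your installed version's signatures.
cw_grid = [torchattacks.CW(model, c=c, steps=50) for c in (0.1, 1.0, 10.0)]
atk = torchattacks.MultiAttack(cw_grid)
adv_images = atk(images, labels)
```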

Additionally, I recommend using a recently proposed package, rai-toolbox.

| Attack | Package | Time/step (accuracy) |
| --- | --- | --- |
| FGSM (Linf) | rai-toolbox | 58 ms (0%) |
| | Torchattacks | 81 ms (0%) |
| | Foolbox | 105 ms (0%) |
| | ART | 83 ms (0%) |
| PGD (Linf) | rai-toolbox | 58 ms (44%) |
| | Torchattacks | 79 ms (44%) |
| | Foolbox | 82 ms (44%) |
| | ART | 90 ms (44%) |
| PGD (L2) | rai-toolbox | 58 ms (70%) |
| | Torchattacks | 81 ms (70%) |
| | Foolbox | 82 ms (70%) |
| | ART | 89 ms (70%) |

The rai-toolbox takes a unique approach to gradient-based perturbations: they are implemented in terms of parameter-transforming optimizers and perturbation models. This enables users to implement diverse algorithms (like universal perturbations and concept probing with sparse gradients) using the same paradigm as a standard PGD attack.
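
To make that paradigm concrete, here is a minimal plain-PyTorch sketch (not rai-toolbox's actual API) that treats the perturbation as a parameter updated by a standard optimizer:

```python
import torch
import torch.nn.functional as F

# Sketch of "perturbation as an optimized parameter" (not rai-toolbox code).
# `model`, `images`, and `labels` are assumed to be defined elsewhere;
# PGD would use the sign of the gradient, plain SGD is kept here for brevity.
eps = 8/255
delta = torch.zeros_like(images, requires_grad=True)  # the perturbation model
optimizer = torch.optim.SGD([delta], lr=2/255)         # parameter-transforming optimizer

for _ in range(10):
    optimizer.zero_grad()
    loss = -F.cross_entropy(model(images + delta), labels)  # ascend the loss
    loss.backward()
    optimizer.step()
    with torch.no_grad():
        delta.clamp_(-eps, eps)                              # project into the Linf ball
        delta.copy_((images + delta).clamp(0, 1) - images)   # keep pixels in [0, 1]

adv_images = (images + delta).detach()
```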