torchattack 1.6.0

A curated list of adversarial attacks in PyTorch, with a focus on transferable black-box attacks

---

🛡 torchattack - A curated list of adversarial attacks in PyTorch, with a focus on transferable black-box attacks.

pip install torchattack

Highlights

• 🛡️ A curated collection of adversarial attacks implemented in PyTorch.
• 🔍 Focuses on gradient-based transferable black-box attacks.
• 📦 Easily load pretrained models from torchvision or timm using AttackModel.
• 🔄 Simple interface to initialize attacks with create_attack.
• 🔧 Extensively typed for better code quality and safety.
• 📊 Tooling for fooling rate metrics and model evaluation in eval.
• 🔁 Numerous attacks reimplemented for readability and efficiency (TGR, VDC, etc.).

Documentation

torchattack's docs are available at docs.swo.moe/torchattack.

Usage

import torch

device = torch.device('cuda' if torch.cuda.is_available() else 'cpu')

Load a pretrained model to attack from either torchvision or timm.

from torchattack import AttackModel

# Load a model with `AttackModel`
model = AttackModel.from_pretrained(model_name='resnet50').to(device)
# `AttackModel` automatically attach the model's `transform` and `normalize` functions
transform, normalize = model.transform, model.normalize

# Additionally, to explicitly specify where to load the pretrained model from (timm or torchvision),
# prepend the model name with 'timm/' or 'tv/' respectively, or use the `from_timm` argument, e.g.
vit_b16 = AttackModel.from_pretrained(model_name='timm/vit_base_patch16_224').to(device)
inv_v3 = AttackModel.from_pretrained(model_name='tv/inception_v3').to(device)
pit_b = AttackModel.from_pretrained(model_name='pit_b_224', from_timm=True).to(device)

Initialize an attack by importing its attack class.

from torchattack import FGSM, MIFGSM

# Initialize an attack
adversary = FGSM(model, normalize, device)

# Initialize an attack with extra params
adversary = MIFGSM(model, normalize, device, eps=0.03, steps=10, decay=1.0)

Initialize an attack by its name with create_attack().

from torchattack import create_attack

# Initialize FGSM attack with create_attack
adversary = create_attack('FGSM', model, normalize, device)

# Initialize PGD attack with specific eps with create_attack
adversary = create_attack('PGD', model, normalize, device, eps=0.03)

# Initialize MI-FGSM attack with extra args with create_attack
attack_args = {'steps': 10, 'decay': 1.0}
adversary = create_attack('MIFGSM', model, normalize, device, eps=0.03, **attack_args)

Check out examples/ and torchattack.evaluate.runner for full examples.

Attacks

Name	Class Name	Publication	Paper (Open Access)
Gradient-based attacks
FGSM	FGSM		Explaining and Harnessing Adversarial Examples
PGD	PGD		Towards Deep Learning Models Resistant to Adversarial Attacks
PGD (L2)	PGDL2		Towards Deep Learning Models Resistant to Adversarial Attacks
MI-FGSM	MIFGSM		Boosting Adversarial Attacks with Momentum
DI-FGSM	DIFGSM		Improving Transferability of Adversarial Examples with Input Diversity
TI-FGSM	TIFGSM		Evading Defenses to Transferable Adversarial Examples by Translation-Invariant Attacks
NI-FGSM	NIFGSM		Nesterov Accelerated Gradient and Scale Invariance for Adversarial Attacks
SI-NI-FGSM	SINIFGSM		Nesterov Accelerated Gradient and Scale Invariance for Adversarial Attacks
DR	DR		Enhancing Cross-Task Black-Box Transferability of Adversarial Examples With Dispersion Reduction
VMI-FGSM	VMIFGSM		Enhancing the Transferability of Adversarial Attacks through Variance Tuning
VNI-FGSM	VNIFGSM		Enhancing the Transferability of Adversarial Attacks through Variance Tuning
Admix	Admix		Admix: Enhancing the Transferability of Adversarial Attacks
FIA	FIA		Feature Importance-aware Transferable Adversarial Attacks
PNA-PatchOut	PNAPatchOut		Towards Transferable Adversarial Attacks on Vision Transformers
NAA	NAA		Improving Adversarial Transferability via Neuron Attribution-Based Attacks
SSA	SSA		Frequency Domain Model Augmentation for Adversarial Attack
TGR	TGR		Transferable Adversarial Attacks on Vision Transformers with Token Gradient Regularization
ILPD	ILPD		Improving Adversarial Transferability via Intermediate-level Perturbation Decay
MIG	MIG		Transferable Adversarial Attack for Both Vision Transformers and Convolutional Networks via Momentum Integrated Gradients
GRA	GRA		Boosting Adversarial Transferability via Gradient Relevance Attack
DeCoWA	DeCoWA		Boosting Adversarial Transferability across Model Genus by Deformation-Constrained Warping
VDC	VDC		Improving the Adversarial Transferability of Vision Transformers with Virtual Dense Connection
BSR	BSR		Boosting Adversarial Transferability by Block Shuffle and Rotation
L2T	L2T		Learning to Transform Dynamically for Better Adversarial Transferability
ATT	ATT		Boosting the Transferability of Adversarial Attack on Vision Transformer with Adaptive Token Tuning
BFA	BFA		Improving the transferability of adversarial examples through black-box feature attacks
MuMoDIG	MuMoDIG		Improving Integrated Gradient-based Transferable Adversarial Examples by Refining the Integration Path
Generative attacks
CDA	CDA		Cross-Domain Transferability of Adversarial Perturbations
LTP	LTP		Learning Transferable Adversarial Perturbations
BIA	BIA		Beyond ImageNet Attack: Towards Crafting Adversarial Examples for Black-box Domains
GAMA	GAMA		GAMA: Generative Adversarial Multi-Object Scene Attacks
Others
DeepFool	DeepFool		DeepFool: A Simple and Accurate Method to Fool Deep Neural Networks
GeoDA	GeoDA		GeoDA: A Geometric Framework for Black-box Adversarial Attacks
SSP	SSP		A Self-supervised Approach for Adversarial Robustness

Development

On how to install dependencies, run tests, and build documentation. See Development - torchattack.

License

MIT

Related

• Harry24k/adversarial-attacks-pytorch
• Trusted-AI/adversarial-robustness-toolbox