
A curated list of adversarial attacks in PyTorch, with a focus on transferable black-box attacks

Project description

🛡 torchattack - A curated list of adversarial attacks in PyTorch, with a focus on transferable black-box attacks.

pip install torchattack  # or `torchattack[full]` to install all extra dependencies

Highlights

  • 🛡️ A curated collection of adversarial attacks implemented in PyTorch.
  • 🔍 Focuses on gradient-based transferable black-box attacks.
  • 📦 Easily load pretrained models from torchvision or timm using AttackModel.
  • 🔄 Simple interface to initialize attacks with create_attack.
  • 🔧 Extensively typed for better code quality and safety.
  • 📊 Tooling for fooling rate metrics and model evaluation in eval.
  • 🔁 Numerous attacks reimplemented for readability and efficiency (TGR, VDC, etc.).

Documentation

torchattack's docs are available at docs.swo.moe/torchattack.

Usage

import torch

device = torch.device('cuda' if torch.cuda.is_available() else 'cpu')

Load a pretrained model to attack from either torchvision or timm.

from torchattack import AttackModel

# Load a model with `AttackModel`
model = AttackModel.from_pretrained(model_name='resnet50').to(device)
# `AttackModel` automatically attaches the model's `transform` and `normalize` functions
transform, normalize = model.transform, model.normalize

# Additionally, to explicitly specify where to load the pretrained model from (timm or torchvision),
# prepend the model name with 'timm/' or 'tv/' respectively, or use the `from_timm` argument, e.g.
vit_b16 = AttackModel.from_pretrained(model_name='timm/vit_base_patch16_224').to(device)
inv_v3 = AttackModel.from_pretrained(model_name='tv/inception_v3').to(device)
pit_b = AttackModel.from_pretrained(model_name='pit_b_224', from_timm=True).to(device)

Initialize an attack by importing its attack class.

from torchattack import FGSM, MIFGSM

# Initialize an attack
adversary = FGSM(model, normalize, device)

# Initialize an attack with extra params
adversary = MIFGSM(model, normalize, device, eps=0.03, steps=10, decay=1.0)

Initialize an attack by its name with create_attack().

from torchattack import create_attack

# Initialize FGSM attack with create_attack
adversary = create_attack('FGSM', model, normalize, device)

# Initialize PGD attack with specific eps with create_attack
adversary = create_attack('PGD', model, normalize, device, eps=0.03)

# Initialize MI-FGSM attack with extra args with create_attack
attack_args = {'steps': 10, 'decay': 1.0}
adversary = create_attack('MIFGSM', model, normalize, device, eps=0.03, **attack_args)

Check out examples/ and torchattack.evaluate.runner for full examples.
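As an added example (not torchattack's own code), the L-inf MI-FGSM update that `MIFGSM(model, normalize, device, eps=0.03, steps=10, decay=1.0)` parametrizes, worked in pure Python on a constructed two-feature logistic-regression classifier with hand-derived gradients so it runs without torch. The toy weights, the samples and the `fooling_rate` helper are constructed for illustration; `decay=0` reduces the loop to I-FGSM and `steps=1` to one-shot FGSM, so the block also covers the classic attacks in the table below.

```python
import math

# Constructed toy classifier (not a torchattack model): p(y=1|x) = sigmoid(w.x + b),
# inputs are two "pixels" in [0, 1]. Gradients are worked out by hand for this model.
W = [4.0, -3.0]
B = -0.2

def predict_prob(x):
    z = sum(wi * xi for wi, xi in zip(W, x)) + B
    return 1.0 / (1.0 + math.exp(-z))

def predict_label(x):
    return 1 if predict_prob(x) >= 0.5 else 0

def loss_grad(x, y):
    """d(binary cross-entropy)/dx for the toy model: (p - y) * w."""
    p = predict_prob(x)
    return [(p - y) * wi for wi in W]

def sign(v):
    return (v > 0) - (v < 0)  # 0 for a flat gradient, like torch.sign

def mifgsm(x, y, eps=0.03, steps=10, decay=1.0):
    """L-inf MI-FGSM (Dong et al., CVPR 2018): accumulate an L1-normalised momentum
    of the input gradient, step alpha = eps / steps in its sign direction, then
    project back into the eps-ball around x and the valid [0, 1] range.
    decay=0 gives I-FGSM; decay=0 with steps=1 gives one-shot FGSM."""
    alpha = eps / steps
    g = [0.0] * len(x)
    x_adv = list(x)
    for _ in range(steps):
        grad = loss_grad(x_adv, y)
        l1 = sum(abs(v) for v in grad) or 1e-12  # guard against a zero gradient
        g = [decay * gi + gr / l1 for gi, gr in zip(g, grad)]
        x_adv = [xa + alpha * sign(gi) for xa, gi in zip(x_adv, g)]
        x_adv = [min(max(xa, xc - eps, 0.0), xc + eps, 1.0) for xa, xc in zip(x_adv, x)]
    return x_adv

def fooling_rate(samples, **attack_kwargs):
    """Share of correctly classified samples whose predicted label flips under attack."""
    clean_ok = [(x, y) for x, y in samples if predict_label(x) == y]
    fooled = sum(predict_label(mifgsm(x, y, **attack_kwargs)) != y for x, y in clean_ok)
    return fooled / len(clean_ok) if clean_ok else 0.0

# Constructed samples: two sit within 0.21 (= eps * ||w||_1) of the decision boundary
# and flip under the budget; the other two have margin to spare and survive it.
SAMPLES = [([0.50, 0.56], 1), ([0.30, 0.50], 0), ([0.70, 0.50], 1), ([0.40, 0.50], 0)]
```

Because the toy model is linear, the eps budget bounds how far the logit can move, which is why a robustness evaluation should report the fooling rate per eps rather than a single number.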

Attacks

We roughly categorize transferable adversarial attacks into the following categories based on their strategies to improve adversarial transferability:

  • Classic attacks: The line of work that first proposed gradient-based adversarial attacks.
  • Gradient augmentations: Stabilizing or augmenting the gradient flows to improve transferability.
  • Input transformations: Applying all forms of transformations as image augmentations to inputs.
  • Feature disruption: Disrupting intermediate features of the surrogate model.
  • Surrogate self-refinement: Refining the surrogate model, both structure-wise and in forward/backward passes.
  • Generative modelling: Using generative models to generate adversarial examples.
  • Others: Other attacks that do not fit into transfer-based attacks but are important black-box attacks.

We provide a detailed list of all supported attacks below.

| Name | Class Name | Publication | Paper (Open Access) |
|---|---|---|---|
| Classic attacks | | | |
| FGSM | FGSM | ICLR 2015 | Explaining and Harnessing Adversarial Examples |
| PGD | PGD | ICLR 2018 | Towards Deep Learning Models Resistant to Adversarial Attacks |
| PGD (L2) | PGDL2 | ICLR 2018 | Towards Deep Learning Models Resistant to Adversarial Attacks |
| I-FGSM | IFGSM | ICLR 2019 | Adversarial examples in the physical world |
| Gradient augmentations | | | |
| MI-FGSM | MIFGSM | CVPR 2018 | Boosting Adversarial Attacks with Momentum |
| NI-FGSM | NIFGSM | ICLR 2020 | Nesterov Accelerated Gradient and Scale Invariance for Adversarial Attacks |
| VMI-FGSM | VMIFGSM | CVPR 2021 | Enhancing the Transferability of Adversarial Attacks through Variance Tuning |
| VNI-FGSM | VNIFGSM | CVPR 2021 | Enhancing the Transferability of Adversarial Attacks through Variance Tuning |
| MIG | MIG | ICCV 2023 | Transferable Adversarial Attack for Both Vision Transformers and Convolutional Networks via Momentum Integrated Gradients |
| GRA | GRA | ICCV 2023 | Boosting Adversarial Transferability via Gradient Relevance Attack |
| MuMoDIG | MuMoDIG | AAAI 2025 | Improving Integrated Gradient-based Transferable Adversarial Examples by Refining the Integration Path |
| Input transformations | | | |
| DI-FGSM | DIFGSM | CVPR 2019 | Improving Transferability of Adversarial Examples with Input Diversity |
| TI-FGSM | TIFGSM | CVPR 2019 | Evading Defenses to Transferable Adversarial Examples by Translation-Invariant Attacks |
| SI-NI-FGSM | SINIFGSM | ICLR 2020 | Nesterov Accelerated Gradient and Scale Invariance for Adversarial Attacks |
| Admix | Admix | ICCV 2021 | Admix: Enhancing the Transferability of Adversarial Attacks |
| SSA | SSA | ECCV 2022 | Frequency Domain Model Augmentation for Adversarial Attack |
| DeCoWA | DeCoWA | AAAI 2024 | Boosting Adversarial Transferability across Model Genus by Deformation-Constrained Warping |
| BSR | BSR | CVPR 2024 | Boosting Adversarial Transferability by Block Shuffle and Rotation |
| L2T | L2T | CVPR 2024 | Learning to Transform Dynamically for Better Adversarial Transferability |
| Feature disruption | | | |
| FDA | FDA | ICCV 2019 | FDA: Feature Disruptive Attack |
| DR | DR | CVPR 2020 | Enhancing Cross-Task Black-Box Transferability of Adversarial Examples With Dispersion Reduction |
| FIA | FIA | ICCV 2021 | Feature Importance-aware Transferable Adversarial Attacks |
| NAA | NAA | CVPR 2022 | Improving Adversarial Transferability via Neuron Attribution-Based Attacks |
| ILPD | ILPD | NeurIPS 2023 | Improving Adversarial Transferability via Intermediate-level Perturbation Decay |
| DANAA | DANAA | ADMA 2023 | DANAA: Towards transferable attacks with double adversarial neuron attribution |
| BFA | BFA | Neurocomputing 2024 | Improving the transferability of adversarial examples through black-box feature attacks |
| Surrogate self-refinement | | | |
| SGM | SGM | ICLR 2020 | Skip Connections Matter: On the Transferability of Adversarial Examples Generated with ResNets |
| PNA-PatchOut | PNAPatchOut | AAAI 2022 | Towards Transferable Adversarial Attacks on Vision Transformers |
| TGR | TGR | CVPR 2023 | Transferable Adversarial Attacks on Vision Transformers with Token Gradient Regularization |
| BPA | BPA | NeurIPS 2023 | Rethinking the Backward Propagation for Adversarial Transferability |
| VDC | VDC | AAAI 2024 | Improving the Adversarial Transferability of Vision Transformers with Virtual Dense Connection |
| ATT | ATT | NeurIPS 2024 | Boosting the Transferability of Adversarial Attack on Vision Transformer with Adaptive Token Tuning |
| Generative modelling | | | |
| CDA | CDA | NeurIPS 2019 | Cross-Domain Transferability of Adversarial Perturbations |
| LTP | LTP | NeurIPS 2021 | Learning Transferable Adversarial Perturbations |
| BIA | BIA | ICLR 2022 | Beyond ImageNet Attack: Towards Crafting Adversarial Examples for Black-box Domains |
| GAMA | GAMA | NeurIPS 2022 | GAMA: Generative Adversarial Multi-Object Scene Attacks |
| Others | | | |
| DeepFool | DeepFool | CVPR 2016 | DeepFool: A Simple and Accurate Method to Fool Deep Neural Networks |
| GeoDA | GeoDA | CVPR 2020 | GeoDA: A Geometric Framework for Black-box Adversarial Attacks |
| SSP | SSP | CVPR 2020 | A Self-supervised Approach for Adversarial Robustness |

Development

For how to install dependencies, run tests, and build the documentation, see Development - torchattack.

License

MIT

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

torchattack-1.7.1.tar.gz (77.6 kB)

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

torchattack-1.7.1-py3-none-any.whl (116.3 kB)

File details

Details for the file torchattack-1.7.1.tar.gz.

File metadata

  • Download URL: torchattack-1.7.1.tar.gz
  • Upload date:
  • Size: 77.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for torchattack-1.7.1.tar.gz

| Algorithm | Hash digest |
|---|---|
| SHA256 | ab692fa35f1533fe45b7dfbf36ac58e7d1d4f6098b6d375e9124978fbdb0dcf2 |
| MD5 | 06295f4dfc703d5c43710d02e2ddc6a7 |
| BLAKE2b-256 | 2a041f61fc111f9b4a1d8cb7d4e83b7e6306c8db8cf08dce0e689e9191bbe88c |

See more details on using hashes here.

Provenance

The following attestation bundles were made for torchattack-1.7.1.tar.gz:

Publisher: pypi-publish.yml on spencerwooo/torchattack

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file torchattack-1.7.1-py3-none-any.whl.

File metadata

  • Download URL: torchattack-1.7.1-py3-none-any.whl
  • Upload date:
  • Size: 116.3 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for torchattack-1.7.1-py3-none-any.whl

| Algorithm | Hash digest |
|---|---|
| SHA256 | 9efc7b03174b7d43868e7dec3b34d03fe3994135424cd4f3072c474c3f7f928b |
| MD5 | 72abb316b5885843eb1f0f7148d3a1ac |
| BLAKE2b-256 | 538dfd59b835c7d22fed93fc89e5f5728e220e906caeb611792a1d76ebb8c8cd |

See more details on using hashes here.

Provenance

The following attestation bundles were made for torchattack-1.7.1-py3-none-any.whl:

Publisher: pypi-publish.yml on spencerwooo/torchattack

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.