advertorch.attacks

Attacks

Attack Abstract base class for all attack classes.
GradientAttack Perturbs the input with gradient (not gradient sign) of the loss wrt the input.
GradientSignAttack One step fast gradient sign method (Goodfellow et al, 2014).
FastFeatureAttack Fast attack against a target internal representation of a model using gradient descent (Sabour et al.
L2BasicIterativeAttack Like GradientAttack but with several steps for each epsilon.
LinfBasicIterativeAttack Like GradientSignAttack but with several steps for each epsilon.
PGDAttack The projected gradient descent attack (Madry et al, 2017).
LinfPGDAttack PGD Attack with order=Linf
L2PGDAttack PGD Attack with order=L2
L1PGDAttack PGD Attack with order=L1
LinfSPSAAttack SPSA Attack (Uesato et al.
FABAttack Fast Adaptive Boundary Attack (Linf, L2, L1) https://arxiv.org/abs/1907.02044
LinfFABAttack Linf - Fast Adaptive Boundary Attack https://arxiv.org/abs/1907.02044
L2FABAttack L2 - Fast Adaptive Boundary Attack https://arxiv.org/abs/1907.02044
L1FABAttack L1 - Fast Adaptive Boundary Attack https://arxiv.org/abs/1907.02044
SparseL1DescentAttack SparseL1Descent Attack
MomentumIterativeAttack The Momentum Iterative Attack (Dong et al.
LinfMomentumIterativeAttack The Linf Momentum Iterative Attack Paper: https://arxiv.org/pdf/1710.06081.pdf
L2MomentumIterativeAttack The L2 Momentum Iterative Attack Paper: https://arxiv.org/pdf/1710.06081.pdf
CarliniWagnerL2Attack The Carlini and Wagner L2 Attack, https://arxiv.org/abs/1608.04644
ElasticNetL1Attack The ElasticNet L1 Attack, https://arxiv.org/abs/1709.04114
DDNL2Attack The decoupled direction and norm attack (Rony et al, 2018).
LBFGSAttack The attack that uses L-BFGS to minimize the distance of the original and perturbed images
SinglePixelAttack Single Pixel Attack Algorithm 1 in https://arxiv.org/pdf/1612.06299.pdf
LocalSearchAttack Local Search Attack Algorithm 3 in https://arxiv.org/pdf/1612.06299.pdf
SpatialTransformAttack Spatially Transformed Attack (Xiao et al.
JacobianSaliencyMapAttack Jacobian Saliency Map Attack This includes Algorithm 1 and 3 in v1, https://arxiv.org/abs/1511.07528v1

Detailed description

class advertorch.attacks.Attack(predict, loss_fn, clip_min, clip_max)[source]

Abstract base class for all attack classes.

Parameters:
  • predict – forward pass function.
  • loss_fn – loss function that takes .
  • clip_min – mininum value per input dimension.
  • clip_max – maximum value per input dimension.
perturb(self, x, **kwargs)[source]

Virtual method for generating the adversarial examples.

Parameters:
  • x – the model’s input tensor.
  • **kwargs

    optional parameters used by child classes.
Returns:

adversarial examples.
class advertorch.attacks.GradientAttack(predict, loss_fn=None, eps=0.3, clip_min=0.0, clip_max=1.0, targeted=False)[source]

Perturbs the input with gradient (not gradient sign) of the loss wrt the input.

Parameters:
  • predict – forward pass function.
  • loss_fn – loss function.
  • eps – attack step size.
  • clip_min – mininum value per input dimension.
  • clip_max – maximum value per input dimension.
  • targeted – indicate if this is a targeted attack.
perturb(self, x, y=None)[source]

Given examples (x, y), returns their adversarial counterparts with an attack length of eps.

Parameters:
  • x – input tensor.
  • y

    label tensor. - if None and self.targeted=False, compute y as predicted

    labels.
    • if self.targeted=True, then y must be the targeted labels.
Returns:

tensor containing perturbed inputs.
class advertorch.attacks.GradientSignAttack(predict, loss_fn=None, eps=0.3, clip_min=0.0, clip_max=1.0, targeted=False)[source]

One step fast gradient sign method (Goodfellow et al, 2014). Paper: https://arxiv.org/abs/1412.6572

Parameters:
  • predict – forward pass function.
  • loss_fn – loss function.
  • eps – attack step size.
  • clip_min – mininum value per input dimension.
  • clip_max – maximum value per input dimension.
  • targeted – indicate if this is a targeted attack.
perturb(self, x, y=None)[source]

Given examples (x, y), returns their adversarial counterparts with an attack length of eps.

Parameters:
  • x – input tensor.
  • y

    label tensor. - if None and self.targeted=False, compute y as predicted

    labels.
    • if self.targeted=True, then y must be the targeted labels.
Returns:

tensor containing perturbed inputs.
class advertorch.attacks.FastFeatureAttack(predict, loss_fn=None, eps=0.3, eps_iter=0.05, nb_iter=10, rand_init=True, clip_min=0.0, clip_max=1.0)[source]

Fast attack against a target internal representation of a model using gradient descent (Sabour et al. 2016). Paper: https://arxiv.org/abs/1511.05122

Parameters:
  • predict – forward pass function.
  • loss_fn – loss function.
  • eps – maximum distortion.
  • eps_iter – attack step size.
  • nb_iter – number of iterations
  • clip_min – mininum value per input dimension.
  • clip_max – maximum value per input dimension.
perturb(self, source, guide, delta=None)[source]

Given source, returns their adversarial counterparts with representations close to that of the guide.

Parameters:
  • source – input tensor which we want to perturb.
  • guide – targeted input.
  • delta – tensor contains the random initialization.
Returns:

tensor containing perturbed inputs.
class advertorch.attacks.L2BasicIterativeAttack(predict, loss_fn=None, eps=0.1, nb_iter=10, eps_iter=0.05, clip_min=0.0, clip_max=1.0, targeted=False)[source]

Like GradientAttack but with several steps for each epsilon.

Parameters:
  • predict – forward pass function.
  • loss_fn – loss function.
  • eps – maximum distortion.
  • nb_iter – number of iterations.
  • eps_iter – attack step size.
  • clip_min – mininum value per input dimension.
  • clip_max – maximum value per input dimension.
  • targeted – if the attack is targeted.
class advertorch.attacks.LinfBasicIterativeAttack(predict, loss_fn=None, eps=0.1, nb_iter=10, eps_iter=0.05, clip_min=0.0, clip_max=1.0, targeted=False)[source]

Like GradientSignAttack but with several steps for each epsilon. Aka Basic Iterative Attack. Paper: https://arxiv.org/pdf/1611.01236.pdf

Parameters:
  • predict – forward pass function.
  • loss_fn – loss function.
  • eps – maximum distortion.
  • nb_iter – number of iterations.
  • eps_iter – attack step size.
  • rand_init – (optional bool) random initialization.
  • clip_min – mininum value per input dimension.
  • clip_max – maximum value per input dimension.
  • targeted – if the attack is targeted.
class advertorch.attacks.PGDAttack(predict, loss_fn=None, eps=0.3, nb_iter=40, eps_iter=0.01, rand_init=True, clip_min=0.0, clip_max=1.0, ord=<Mock name='mock.inf' id='140651820369960'>, l1_sparsity=None, targeted=False)[source]

The projected gradient descent attack (Madry et al, 2017). The attack performs nb_iter steps of size eps_iter, while always staying within eps from the initial point. Paper: https://arxiv.org/pdf/1706.06083.pdf

Parameters:
  • predict – forward pass function.
  • loss_fn – loss function.
  • eps – maximum distortion.
  • nb_iter – number of iterations.
  • eps_iter – attack step size.
  • rand_init – (optional bool) random initialization.
  • clip_min – mininum value per input dimension.
  • clip_max – maximum value per input dimension.
  • ord – (optional) the order of maximum distortion (inf or 2).
  • targeted – if the attack is targeted.
perturb(self, x, y=None)[source]

Given examples (x, y), returns their adversarial counterparts with an attack length of eps.

Parameters:
  • x – input tensor.
  • y

    label tensor. - if None and self.targeted=False, compute y as predicted

    labels.
    • if self.targeted=True, then y must be the targeted labels.
Returns:

tensor containing perturbed inputs.
class advertorch.attacks.LinfPGDAttack(predict, loss_fn=None, eps=0.3, nb_iter=40, eps_iter=0.01, rand_init=True, clip_min=0.0, clip_max=1.0, targeted=False)[source]

PGD Attack with order=Linf

Parameters:
  • predict – forward pass function.
  • loss_fn – loss function.
  • eps – maximum distortion.
  • nb_iter – number of iterations.
  • eps_iter – attack step size.
  • rand_init – (optional bool) random initialization.
  • clip_min – mininum value per input dimension.
  • clip_max – maximum value per input dimension.
  • targeted – if the attack is targeted.
class advertorch.attacks.L2PGDAttack(predict, loss_fn=None, eps=0.3, nb_iter=40, eps_iter=0.01, rand_init=True, clip_min=0.0, clip_max=1.0, targeted=False)[source]

PGD Attack with order=L2

Parameters:
  • predict – forward pass function.
  • loss_fn – loss function.
  • eps – maximum distortion.
  • nb_iter – number of iterations.
  • eps_iter – attack step size.
  • rand_init – (optional bool) random initialization.
  • clip_min – mininum value per input dimension.
  • clip_max – maximum value per input dimension.
  • targeted – if the attack is targeted.
class advertorch.attacks.L1PGDAttack(predict, loss_fn=None, eps=10.0, nb_iter=40, eps_iter=0.01, rand_init=True, clip_min=0.0, clip_max=1.0, targeted=False)[source]

PGD Attack with order=L1

Parameters:
  • predict – forward pass function.
  • loss_fn – loss function.
  • eps – maximum distortion.
  • nb_iter – number of iterations.
  • eps_iter – attack step size.
  • rand_init – (optional bool) random initialization.
  • clip_min – mininum value per input dimension.
  • clip_max – maximum value per input dimension.
  • targeted – if the attack is targeted.
class advertorch.attacks.SparseL1DescentAttack(predict, loss_fn=None, eps=0.3, nb_iter=40, eps_iter=0.01, rand_init=False, clip_min=0.0, clip_max=1.0, l1_sparsity=0.95, targeted=False)[source]

SparseL1Descent Attack

Parameters:
  • predict – forward pass function.
  • loss_fn – loss function.
  • eps – maximum distortion.
  • nb_iter – number of iterations.
  • eps_iter – attack step size.
  • rand_init – (optional bool) random initialization.
  • clip_min – mininum value per input dimension.
  • clip_max – maximum value per input dimension.
  • targeted – if the attack is targeted.
  • l1_sparsity – proportion of zeros in gradient updates
class advertorch.attacks.LinfSPSAAttack(predict, eps, delta=0.01, lr=0.01, nb_iter=1, nb_sample=128, max_batch_size=64, targeted=False, loss_fn=None, clip_min=0.0, clip_max=1.0)[source]

SPSA Attack (Uesato et al. 2018). Based on: https://arxiv.org/abs/1802.05666

Parameters:
  • predict – predict function (single argument: input).
  • eps – the L_inf budget of the attack.
  • delta – scaling parameter of SPSA.
  • lr – the learning rate of the Adam optimizer.
  • nb_iter – number of iterations of the attack.
  • nb_sample – number of samples for SPSA gradient approximation.
  • max_batch_size – maximum batch size to be evaluated at once.
  • targeted – [description]
  • loss_fn – loss function (dual arguments: output, target).
  • clip_min – upper bound of image values.
  • clip_max – lower bound of image values.
perturb(self, x, y=None)[source]

Perturbs the input x based on SPSA attack.

Parameters:
  • x – input tensor.
  • y – label tensor (default=`None`). if self.targeted is False, y is the ground-truth label. if it’s None, then y is computed as the predicted label of x. if self.targeted is True, y is the target label.
Returns:

the perturbated input.
class advertorch.attacks.FABAttack(predict, norm='Linf', n_restarts=1, n_iter=100, eps=None, alpha_max=0.1, eta=1.05, beta=0.9, loss_fn=None, verbose=False)[source]

Fast Adaptive Boundary Attack (Linf, L2, L1) https://arxiv.org/abs/1907.02044

Parameters:
  • predict – forward pass function
  • norm – Lp-norm to minimize (‘Linf’, ‘L2’, ‘L1’ supported)
  • n_restarts – number of random restarts
  • n_iter – number of iterations
  • eps – epsilon for the random restarts
  • alpha_max – alpha_max
  • eta – overshooting
  • beta – backward step
  • device – device to use (‘cuda’ or ‘cpu’)
perturb(self, x, y=None)[source]
Parameters:
  • x – clean images
  • y – clean labels, if None we use the predicted labels
class advertorch.attacks.LinfFABAttack(predict, n_restarts=1, n_iter=100, eps=None, alpha_max=0.1, eta=1.05, beta=0.9, loss_fn=None, verbose=False)[source]

Linf - Fast Adaptive Boundary Attack https://arxiv.org/abs/1907.02044

Parameters:
  • predict – forward pass function
  • n_restarts – number of random restarts
  • n_iter – number of iterations
  • eps – epsilon for the random restarts
  • alpha_max – alpha_max
  • eta – overshooting
  • beta – backward step
  • device – device to use (‘cuda’ or ‘cpu’)
class advertorch.attacks.L2FABAttack(predict, n_restarts=1, n_iter=100, eps=None, alpha_max=0.1, eta=1.05, beta=0.9, loss_fn=None, verbose=False)[source]

L2 - Fast Adaptive Boundary Attack https://arxiv.org/abs/1907.02044

Parameters:
  • predict – forward pass function
  • n_restarts – number of random restarts
  • n_iter – number of iterations
  • eps – epsilon for the random restarts
  • alpha_max – alpha_max
  • eta – overshooting
  • beta – backward step
  • device – device to use (‘cuda’ or ‘cpu’)
class advertorch.attacks.L1FABAttack(predict, n_restarts=1, n_iter=100, eps=None, alpha_max=0.1, eta=1.05, beta=0.9, loss_fn=None, verbose=False)[source]

L1 - Fast Adaptive Boundary Attack https://arxiv.org/abs/1907.02044

Parameters:
  • predict – forward pass function
  • n_restarts – number of random restarts
  • n_iter – number of iterations
  • eps – epsilon for the random restarts
  • alpha_max – alpha_max
  • eta – overshooting
  • beta – backward step
  • device – device to use (‘cuda’ or ‘cpu’)
class advertorch.attacks.MomentumIterativeAttack(predict, loss_fn=None, eps=0.3, nb_iter=40, decay_factor=1.0, eps_iter=0.01, clip_min=0.0, clip_max=1.0, targeted=False, ord=<Mock name='mock.inf' id='140651820369960'>)[source]

The Momentum Iterative Attack (Dong et al. 2017).

The attack performs nb_iter steps of size eps_iter, while always staying within eps from the initial point. The optimization is performed with momentum. Paper: https://arxiv.org/pdf/1710.06081.pdf

Parameters:
  • predict – forward pass function.
  • loss_fn – loss function.
  • eps – maximum distortion.
  • nb_iter – number of iterations
  • decay_factor – momentum decay factor.
  • eps_iter – attack step size.
  • clip_min – mininum value per input dimension.
  • clip_max – maximum value per input dimension.
  • targeted – if the attack is targeted.
  • ord – the order of maximum distortion (inf or 2).
perturb(self, x, y=None)[source]

Given examples (x, y), returns their adversarial counterparts with an attack length of eps.

Parameters:
  • x – input tensor.
  • y

    label tensor. - if None and self.targeted=False, compute y as predicted

    labels.
    • if self.targeted=True, then y must be the targeted labels.
Returns:

tensor containing perturbed inputs.
class advertorch.attacks.CarliniWagnerL2Attack(predict, num_classes, confidence=0, targeted=False, learning_rate=0.01, binary_search_steps=9, max_iterations=10000, abort_early=True, initial_const=0.001, clip_min=0.0, clip_max=1.0, loss_fn=None)[source]

The Carlini and Wagner L2 Attack, https://arxiv.org/abs/1608.04644

Parameters:
  • predict – forward pass function.
  • num_classes – number of clasess.
  • confidence – confidence of the adversarial examples.
  • targeted – if the attack is targeted.
  • learning_rate – the learning rate for the attack algorithm
  • binary_search_steps – number of binary search times to find the optimum
  • max_iterations – the maximum number of iterations
  • abort_early – if set to true, abort early if getting stuck in local min
  • initial_const – initial value of the constant c
  • clip_min – mininum value per input dimension.
  • clip_max – maximum value per input dimension.
  • loss_fn – loss function
perturb(self, x, y=None)[source]

Virtual method for generating the adversarial examples.

Parameters:
  • x – the model’s input tensor.
  • **kwargs

    optional parameters used by child classes.
Returns:

adversarial examples.
class advertorch.attacks.ElasticNetL1Attack(predict, num_classes, confidence=0, targeted=False, learning_rate=0.01, binary_search_steps=9, max_iterations=10000, abort_early=False, initial_const=0.001, clip_min=0.0, clip_max=1.0, beta=0.01, decision_rule='EN', loss_fn=None)[source]

The ElasticNet L1 Attack, https://arxiv.org/abs/1709.04114

Parameters:
  • predict – forward pass function.
  • num_classes – number of clasess.
  • confidence – confidence of the adversarial examples.
  • targeted – if the attack is targeted.
  • learning_rate – the learning rate for the attack algorithm
  • binary_search_steps – number of binary search times to find the optimum
  • max_iterations – the maximum number of iterations
  • abort_early – if set to true, abort early if getting stuck in local min
  • initial_const – initial value of the constant c
  • clip_min – mininum value per input dimension.
  • clip_max – maximum value per input dimension.
  • beta – hyperparameter trading off L2 minimization for L1 minimization
  • decision_rule – EN or L1. Select final adversarial example from all successful examples based on the least elastic-net or L1 distortion criterion.
  • loss_fn – loss function
perturb(self, x, y=None)[source]

Virtual method for generating the adversarial examples.

Parameters:
  • x – the model’s input tensor.
  • **kwargs

    optional parameters used by child classes.
Returns:

adversarial examples.
class advertorch.attacks.DDNL2Attack(predict, nb_iter=100, gamma=0.05, init_norm=1.0, quantize=True, levels=256, clip_min=0.0, clip_max=1.0, targeted=False, loss_fn=None)[source]

The decoupled direction and norm attack (Rony et al, 2018). Paper: https://arxiv.org/abs/1811.09600

Parameters:
  • predict – forward pass function.
  • nb_iter – number of iterations.
  • gamma – factor to modify the norm at each iteration.
  • init_norm – initial norm of the perturbation.
  • quantize – perform quantization at each iteration.
  • levels – number of quantization levels (e.g. 256 for 8 bit images).
  • clip_min – mininum value per input dimension.
  • clip_max – maximum value per input dimension.
  • targeted – if the attack is targeted.
  • loss_fn – loss function.
perturb(self, x, y=None)[source]

Given examples (x, y), returns their adversarial counterparts with an attack length of eps.

Parameters:
  • x – input tensor.
  • y

    label tensor. - if None and self.targeted=False, compute y as predicted

    labels.
    • if self.targeted=True, then y must be the targeted labels.
Returns:

tensor containing perturbed inputs.
class advertorch.attacks.LBFGSAttack(predict, num_classes, batch_size=1, binary_search_steps=9, max_iterations=100, initial_const=0.01, clip_min=0, clip_max=1, loss_fn=None, targeted=False)[source]

The attack that uses L-BFGS to minimize the distance of the original and perturbed images

Parameters:
  • predict – forward pass function.
  • num_classes – number of clasess.
  • batch_size – number of samples in the batch
  • binary_search_steps – number of binary search times to find the optimum
  • max_iterations – the maximum number of iterations
  • initial_const – initial value of the constant c
  • clip_min – mininum value per input dimension.
  • clip_max – maximum value per input dimension.
  • loss_fn – loss function
  • targeted – if the attack is targeted.
perturb(self, x, y=None)[source]

Virtual method for generating the adversarial examples.

Parameters:
  • x – the model’s input tensor.
  • **kwargs

    optional parameters used by child classes.
Returns:

adversarial examples.
class advertorch.attacks.SinglePixelAttack(predict, max_pixels=100, clip_min=0.0, loss_fn=None, clip_max=1.0, comply_with_foolbox=False, targeted=False)[source]

Single Pixel Attack Algorithm 1 in https://arxiv.org/pdf/1612.06299.pdf

Parameters:
  • predict – forward pass function.
  • max_pixels – max number of pixels to perturb.
  • clip_min – mininum value per input dimension.
  • clip_max – maximum value per input dimension.
  • loss_fn – loss function
  • targeted – if the attack is targeted.
perturb(self, x, y=None)[source]

Virtual method for generating the adversarial examples.

Parameters:
  • x – the model’s input tensor.
  • **kwargs

    optional parameters used by child classes.
Returns:

adversarial examples.
class advertorch.attacks.LocalSearchAttack(predict, clip_min=0.0, clip_max=1.0, p=1.0, r=1.5, loss_fn=None, d=5, t=5, k=1, round_ub=10, seed_ratio=0.1, max_nb_seeds=128, comply_with_foolbox=False, targeted=False)[source]

Local Search Attack Algorithm 3 in https://arxiv.org/pdf/1612.06299.pdf

Parameters:
  • predict – forward pass function.
  • clip_min – mininum value per input dimension.
  • clip_max – maximum value per input dimension.
  • p – parameter controls pixel complexity
  • r – perturbation value
  • loss_fn – loss function
  • d – the half side length of the neighbourhood square
  • t – the number of pixels perturbed at each round
  • k – the threshold for k-misclassification
  • round_ub – an upper bound on the number of rounds
perturb(self, x, y=None)[source]

Virtual method for generating the adversarial examples.

Parameters:
  • x – the model’s input tensor.
  • **kwargs

    optional parameters used by child classes.
Returns:

adversarial examples.
class advertorch.attacks.SpatialTransformAttack(predict, num_classes, confidence=0, initial_const=1, max_iterations=1000, search_steps=1, loss_fn=None, clip_min=0.0, clip_max=1.0, abort_early=True, targeted=False)[source]

Spatially Transformed Attack (Xiao et al. 2018) https://openreview.net/forum?id=HyydRMZC-

Parameters:
  • predict – forward pass function.
  • num_classes – number of clasess.
  • confidence – confidence of the adversarial examples.
  • initial_const – initial value of the constant c
  • max_iterations – the maximum number of iterations
  • search_steps – number of search times to find the optimum
  • loss_fn – loss function
  • clip_min – mininum value per input dimension.
  • clip_max – maximum value per input dimension.
  • abort_early – if set to true, abort early if getting stuck in local min
  • targeted – if the attack is targeted
perturb(self, x, y=None)[source]

Virtual method for generating the adversarial examples.

Parameters:
  • x – the model’s input tensor.
  • **kwargs

    optional parameters used by child classes.
Returns:

adversarial examples.
class advertorch.attacks.JacobianSaliencyMapAttack(predict, num_classes, clip_min=0.0, clip_max=1.0, loss_fn=None, theta=1.0, gamma=1.0, comply_cleverhans=False)[source]

Jacobian Saliency Map Attack This includes Algorithm 1 and 3 in v1, https://arxiv.org/abs/1511.07528v1

Parameters:
  • predict – forward pass function.
  • num_classes – number of clasess.
  • clip_min – mininum value per input dimension.
  • clip_max – maximum value per input dimension.
  • gamma – highest percentage of pixels can be modified
  • theta – perturb length, range is either [theta, 0], [0, theta]
perturb(self, x, y=None)[source]

Virtual method for generating the adversarial examples.

Parameters:
  • x – the model’s input tensor.
  • **kwargs

    optional parameters used by child classes.
Returns:

adversarial examples.