advertorch.attacks

Attacks

Attack Abstract base class for all attack classes.
GradientAttack Perturbs the input with gradient (not gradient sign) of the loss wrt the input.
GradientSignAttack One step fast gradient sign method (Goodfellow et al, 2014).
FastFeatureAttack Fast attack against a target internal representation of a model using gradient descent (Sabour et al.
L2BasicIterativeAttack Like GradientAttack but with several steps for each epsilon.
LinfBasicIterativeAttack Like GradientSignAttack but with several steps for each epsilon.
PGDAttack The projected gradient descent attack (Madry et al, 2017).
LinfPGDAttack PGD Attack with order=Linf
L2PGDAttack PGD Attack with order=L2
MomentumIterativeAttack The L-inf projected gradient descent attack (Dong et al.
CarliniWagnerL2Attack Carlini, Nicholas, and David Wagner “Towards evaluating the robustness of neural networks” 2017 IEEE Symposium on Security and Privacy (SP) IEEE, 2017.
LBFGSAttack The attack that uses L-BFGS to minimize the distance of the original and perturbed images
SinglePixelAttack Single Pixel Attack Algorithm 1 in https://arxiv.org/pdf/1612.06299.pdf
LocalSearchAttack Local Search Attack Algorithm 3 in https://arxiv.org/pdf/1612.06299.pdf
SpatialTransformAttack Sptially Transformed Attack
JacobianSaliencyMapAttack Jacobian Saliency Map Attack This includes Algorithm 1 and 3 in v1

Detailed description

class advertorch.attacks.Attack(predict, loss_fn, clip_min, clip_max)[source]

Abstract base class for all attack classes.

Parameters:
  • predict – forward pass function.
  • loss_fn – loss function that takes .
  • clip_min – mininum value per input dimension.
  • clip_max – maximum value per input dimension.
perturb(x, **kwargs)[source]

Generate the adversarial examples. This method should be overriden in any child class that implements an actual attack.

Parameters:
  • x – the model’s input tensor.
  • **kwargs

    optional parameters used by child classes.

Returns:

adversarial examples.

class advertorch.attacks.GradientAttack(predict, loss_fn=None, eps=0.3, clip_min=0.0, clip_max=1.0, targeted=False)[source]

Perturbs the input with gradient (not gradient sign) of the loss wrt the input.

Parameters:
  • predict – forward pass function.
  • loss_fn – loss function.
  • eps – attack step size.
  • clip_min – mininum value per input dimension.
  • clip_max – maximum value per input dimension.
  • targeted – indicate if this is a targeted attack.
perturb(x, y=None)[source]

Given examples (x, y), returns their adversarial counterparts with an attack length of eps.

Parameters:
  • x – input tensor.
  • y

    label tensor. - if None and self.targeted=False, compute y as predicted

    labels.
    • if self.targeted=True, then y must be the targeted labels.
Returns:

tensor containing perturbed inputs.

class advertorch.attacks.GradientSignAttack(predict, loss_fn=None, eps=0.3, clip_min=0.0, clip_max=1.0, targeted=False)[source]

One step fast gradient sign method (Goodfellow et al, 2014). Paper: https://arxiv.org/abs/1412.6572

Parameters:
  • predict – forward pass function.
  • loss_fn – loss function.
  • eps – attack step size.
  • clip_min – mininum value per input dimension.
  • clip_max – maximum value per input dimension.
  • targeted – indicate if this is a targeted attack.
perturb(x, y=None)[source]

Given examples (x, y), returns their adversarial counterparts with an attack length of eps.

Parameters:
  • x – input tensor.
  • y

    label tensor. - if None and self.targeted=False, compute y as predicted

    labels.
    • if self.targeted=True, then y must be the targeted labels.
Returns:

tensor containing perturbed inputs.

class advertorch.attacks.FastFeatureAttack(predict, loss_fn=None, eps=0.3, eps_iter=0.05, nb_iter=10, rand_init=True, clip_min=0.0, clip_max=1.0)[source]

Fast attack against a target internal representation of a model using gradient descent (Sabour et al. 2016). Paper: https://arxiv.org/abs/1511.05122

Parameters:
  • predict – forward pass function.
  • loss_fn – loss function.
  • eps – maximum distortion.
  • eps_iter – attack step size.
  • nb_iter – number of iterations
  • clip_min – mininum value per input dimension.
  • clip_max – maximum value per input dimension.
perturb(source, guide, delta=None)[source]

Given source, returns their adversarial counterparts with representations close to that of the guide.

Parameters:
  • source – input tensor which we want to perturb.
  • guide – targeted input.
  • delta – tensor contains the random initialization.
Returns:

tensor containing perturbed inputs.

class advertorch.attacks.L2BasicIterativeAttack(predict, loss_fn=None, eps=0.1, nb_iter=10, eps_iter=0.05, clip_min=0.0, clip_max=1.0, targeted=False)[source]

Like GradientAttack but with several steps for each epsilon.

Parameters:
  • predict – forward pass function.
  • loss_fn – loss function.
  • eps – maximum distortion.
  • nb_iter – number of iterations.
  • eps_iter – attack step size.
  • clip_min – mininum value per input dimension.
  • clip_max – maximum value per input dimension.
  • targeted – if the attack is targeted.
class advertorch.attacks.LinfBasicIterativeAttack(predict, loss_fn=None, eps=0.1, nb_iter=10, eps_iter=0.05, clip_min=0.0, clip_max=1.0, targeted=False)[source]

Like GradientSignAttack but with several steps for each epsilon. Aka Basic Iterative Attack. Paper: https://arxiv.org/pdf/1611.01236.pdf

Parameters:
  • predict – forward pass function.
  • loss_fn – loss function.
  • eps – maximum distortion.
  • nb_iter – number of iterations.
  • eps_iter – attack step size.
  • rand_init – (optional bool) random initialization.
  • clip_min – mininum value per input dimension.
  • clip_max – maximum value per input dimension.
  • ord – (optional) the order of maximum distortion (inf or 2).
  • targeted – if the attack is targeted.
class advertorch.attacks.PGDAttack(predict, loss_fn=None, eps=0.3, nb_iter=40, eps_iter=0.01, rand_init=True, clip_min=0.0, clip_max=1.0, ord=<Mock name='mock.inf' id='140247141390488'>, targeted=False)[source]

The projected gradient descent attack (Madry et al, 2017). The attack performs nb_iter steps of size eps_iter, while always staying within eps from the initial point. Paper: https://arxiv.org/pdf/1706.06083.pdf

Parameters:
  • predict – forward pass function.
  • loss_fn – loss function.
  • eps – maximum distortion.
  • nb_iter – number of iterations.
  • eps_iter – attack step size.
  • rand_init – (optional bool) random initialization.
  • clip_min – mininum value per input dimension.
  • clip_max – maximum value per input dimension.
  • ord – (optional) the order of maximum distortion (inf or 2).
  • targeted – if the attack is targeted.
perturb(x, y=None)[source]

Given examples (x, y), returns their adversarial counterparts with an attack length of eps.

Parameters:
  • x – input tensor.
  • y

    label tensor. - if None and self.targeted=False, compute y as predicted

    labels.
    • if self.targeted=True, then y must be the targeted labels.
Returns:

tensor containing perturbed inputs.

class advertorch.attacks.LinfPGDAttack(predict, loss_fn=None, eps=0.3, nb_iter=40, eps_iter=0.01, rand_init=True, clip_min=0.0, clip_max=1.0, targeted=False)[source]

PGD Attack with order=Linf

Parameters:
  • predict – forward pass function.
  • loss_fn – loss function.
  • eps – maximum distortion.
  • nb_iter – number of iterations.
  • eps_iter – attack step size.
  • rand_init – (optional bool) random initialization.
  • clip_min – mininum value per input dimension.
  • clip_max – maximum value per input dimension.
  • targeted – if the attack is targeted.
class advertorch.attacks.L2PGDAttack(predict, loss_fn=None, eps=0.3, nb_iter=40, eps_iter=0.01, rand_init=True, clip_min=0.0, clip_max=1.0, targeted=False)[source]

PGD Attack with order=L2

Parameters:
  • predict – forward pass function.
  • loss_fn – loss function.
  • eps – maximum distortion.
  • nb_iter – number of iterations.
  • eps_iter – attack step size.
  • rand_init – (optional bool) random initialization.
  • clip_min – mininum value per input dimension.
  • clip_max – maximum value per input dimension.
  • targeted – if the attack is targeted.
class advertorch.attacks.MomentumIterativeAttack(predict, loss_fn=None, eps=0.3, nb_iter=40, decay_factor=1.0, eps_iter=0.01, clip_min=0.0, clip_max=1.0, targeted=False)[source]

The L-inf projected gradient descent attack (Dong et al. 2017). The attack performs nb_iter steps of size eps_iter, while always staying within eps from the initial point. The optimization is performed with momentum. Paper: https://arxiv.org/pdf/1710.06081.pdf

Parameters:
  • predict – forward pass function.
  • loss_fn – loss function.
  • eps – maximum distortion.
  • nb_iter – number of iterations
  • decay_factor – momentum decay factor.
  • eps_iter – attack step size.
  • clip_min – mininum value per input dimension.
  • clip_max – maximum value per input dimension.
  • targeted – if the attack is targeted.
perturb(x, y=None)[source]

Given examples (x, y), returns their adversarial counterparts with an attack length of eps.

Parameters:
  • x – input tensor.
  • y

    label tensor. - if None and self.targeted=False, compute y as predicted

    labels.
    • if self.targeted=True, then y must be the targeted labels.
Returns:

tensor containing perturbed inputs.

class advertorch.attacks.CarliniWagnerL2Attack(predict, num_classes, confidence=0, targeted=False, learning_rate=0.01, binary_search_steps=9, max_iterations=10000, abort_early=True, initial_const=0.001, clip_min=0.0, clip_max=1.0, loss_fn=None)[source]

Carlini, Nicholas, and David Wagner “Towards evaluating the robustness of neural networks” 2017 IEEE Symposium on Security and Privacy (SP) IEEE, 2017. https://arxiv.org/abs/1608.04644

Parameters:
  • predict – forward pass function.
  • num_classes – number of clasess.
  • confidence – confidence of the adversarial examples.
  • targeted – TODO
  • learning_rate – the learning rate for the attack algorithm
  • binary_search_steps – number of binary search times to find the optimum
  • max_iterations – the maximum number of iterations
  • abort_early – if set to true, abort early if getting stuck in local min
  • initial_const – initial value of the constant c
  • clip_min – mininum value per input dimension.
  • clip_max – maximum value per input dimension.
  • loss_fn – loss function
perturb(x, y=None)[source]

Generate the adversarial examples. This method should be overriden in any child class that implements an actual attack.

Parameters:
  • x – the model’s input tensor.
  • **kwargs

    optional parameters used by child classes.

Returns:

adversarial examples.

class advertorch.attacks.LBFGSAttack(predict, num_classes, batch_size=1, binary_search_steps=9, max_iterations=100, initial_const=0.01, clip_min=0, clip_max=1, loss_fn=None, targeted=False)[source]

The attack that uses L-BFGS to minimize the distance of the original and perturbed images

Parameters:
  • predict – forward pass function.
  • num_classes – number of clasess.
  • batch_size – number of samples in the batch
  • binary_search_steps – number of binary search times to find the optimum
  • max_iterations – the maximum number of iterations
  • initial_const – initial value of the constant c
  • clip_min – mininum value per input dimension.
  • clip_max – maximum value per input dimension.
  • loss_fn – loss function
  • targeted – if the attack is targeted.
perturb(x, y=None)[source]

Generate the adversarial examples. This method should be overriden in any child class that implements an actual attack.

Parameters:
  • x – the model’s input tensor.
  • **kwargs

    optional parameters used by child classes.

Returns:

adversarial examples.

class advertorch.attacks.SinglePixelAttack(predict, max_pixels=100, clip_min=0.0, loss_fn=None, clip_max=1.0, comply_with_foolbox=False, targeted=False)[source]

Single Pixel Attack Algorithm 1 in https://arxiv.org/pdf/1612.06299.pdf

Parameters:
  • predict – forward pass function.
  • max_pixels – max number of pixels to perturb.
  • clip_min – mininum value per input dimension.
  • clip_max – maximum value per input dimension.
  • loss_fn – loss function
  • targeted – if the attack is targeted.
perturb(x, y=None)[source]

Generate the adversarial examples. This method should be overriden in any child class that implements an actual attack.

Parameters:
  • x – the model’s input tensor.
  • **kwargs

    optional parameters used by child classes.

Returns:

adversarial examples.

class advertorch.attacks.LocalSearchAttack(predict, clip_min=0.0, clip_max=1.0, p=1.0, r=1.5, loss_fn=None, d=5, t=5, k=1, round_ub=10, seed_ratio=0.1, max_nb_seeds=128, comply_with_foolbox=False, targeted=False)[source]

Local Search Attack Algorithm 3 in https://arxiv.org/pdf/1612.06299.pdf

Parameters:
  • predict – forward pass function.
  • clip_min – mininum value per input dimension.
  • clip_max – maximum value per input dimension.
  • p – parameter controls pixel complexity
  • r – perturbation value
  • loss_fn – loss function
  • d – the half side length of the neighbourhood square
  • t – the number of pixels perturbed at each round
  • k – the threshold for k-misclassification
  • round_ub – an upper bound on the number of rounds
perturb(x, y=None)[source]

Generate the adversarial examples. This method should be overriden in any child class that implements an actual attack.

Parameters:
  • x – the model’s input tensor.
  • **kwargs

    optional parameters used by child classes.

Returns:

adversarial examples.

class advertorch.attacks.SpatialTransformAttack(predict, num_classes, confidence=0, initial_const=1, max_iterations=1000, search_steps=1, loss_fn=None, clip_min=0.0, clip_max=1.0, abort_early=True, targeted=False)[source]

Sptially Transformed Attack

Parameters:
  • predict – forward pass function.
  • num_classes – number of clasess.
  • confidence – confidence of the adversarial examples.
  • initial_const – initial value of the constant c
  • max_iterations – the maximum number of iterations
  • search_steps – number of search times to find the optimum
  • loss_fn – loss function
  • clip_min – mininum value per input dimension.
  • clip_max – maximum value per input dimension.
  • abort_early – if set to true, abort early if getting stuck in local min
  • targeted – if the attack is targeted
perturb(x, y=None)[source]

Generate the adversarial examples. This method should be overriden in any child class that implements an actual attack.

Parameters:
  • x – the model’s input tensor.
  • **kwargs

    optional parameters used by child classes.

Returns:

adversarial examples.

class advertorch.attacks.JacobianSaliencyMapAttack(predict, num_classes, clip_min=0.0, clip_max=1.0, loss_fn=None, theta=1.0, gamma=1.0, comply_cleverhans=False)[source]

Jacobian Saliency Map Attack This includes Algorithm 1 and 3 in v1

Parameters:
  • predict – forward pass function.
  • num_classes – number of clasess.
  • clip_min – mininum value per input dimension.
  • clip_max – maximum value per input dimension.
  • gamma – highest percentage of pixels can be modified
  • theta – perturb length, range is either [theta, 0], [0, theta]
perturb(x, y=None)[source]

Generate the adversarial examples. This method should be overriden in any child class that implements an actual attack.

Parameters:
  • x – the model’s input tensor.
  • **kwargs

    optional parameters used by child classes.

Returns:

adversarial examples.