torchattack - A curated list of adversarial attacks in PyTorch, with a focus on transferable black-box attacks.
```shell
pip install torchattack  # or `torchattack[full]` to install all extra dependencies
```

- A curated collection of adversarial attacks implemented in PyTorch.
- Focuses on gradient-based transferable black-box attacks.
- Easily load pretrained models from torchvision or timm using `AttackModel`.
- Simple interface to initialize attacks with `create_attack`.
- Extensively typed for better code quality and safety.
- Tooling for fooling rate metrics and model evaluation in `eval`.
- Numerous attacks reimplemented for readability and efficiency (TGR, VDC, etc.).

torchattack's docs are available at docs.swo.moe/torchattack.

```python
import torch

device = torch.device('cuda' if torch.cuda.is_available() else 'cpu')
```

Load a pretrained model to attack from either torchvision or timm.

```python
from torchattack import AttackModel

# Load a model with `AttackModel`
model = AttackModel.from_pretrained(model_name='resnet50').to(device)
# `AttackModel` automatically attaches the model's `transform` and `normalize` functions
transform, normalize = model.transform, model.normalize

# Additionally, to explicitly specify where to load the pretrained model from (timm or torchvision),
# prepend the model name with 'timm/' or 'tv/' respectively, or use the `from_timm` argument, e.g.
vit_b16 = AttackModel.from_pretrained(model_name='timm/vit_base_patch16_224').to(device)
inv_v3 = AttackModel.from_pretrained(model_name='tv/inception_v3').to(device)
pit_b = AttackModel.from_pretrained(model_name='pit_b_224', from_timm=True).to(device)
```

Initialize an attack by importing its attack class.

```python
from torchattack import FGSM, MIFGSM

# Initialize an attack
adversary = FGSM(model, normalize, device)

# Initialize an attack with extra params
adversary = MIFGSM(model, normalize, device, eps=0.03, steps=10, decay=1.0)
```

Initialize an attack by its name with `create_attack()`.

```python
from torchattack import create_attack

# Initialize FGSM attack with create_attack
adversary = create_attack('FGSM', model, normalize, device)

# Initialize PGD attack with specific eps with create_attack
adversary = create_attack('PGD', model, normalize, device, eps=0.03)

# Initialize MI-FGSM attack with extra args with create_attack
attack_args = {'steps': 10, 'decay': 1.0}
adversary = create_attack('MIFGSM', model, normalize, device, eps=0.03, **attack_args)
```

Check out `examples/` and `torchattack.evaluate.runner` for full examples.

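
An added example, not part of torchattack or its docs: a dependency-free accumulator for the clean accuracy, adversarial accuracy and fooling rate mentioned in the feature list, kept per victim model so the robustness of several models against the same adversarial batch can be compared. `TransferStats`, `evaluate_transfer` and the sample predictions are hypothetical, and the fooling rate definition used here (share of correctly classified clean samples that are misclassified after perturbation) is an assumption of this example.

```python
from dataclasses import dataclass


@dataclass
class TransferStats:
    """Running robustness counts for one victim model (hypothetical helper)."""
    total: int = 0
    clean_correct: int = 0
    adv_correct: int = 0
    fooled: int = 0  # correct on clean input, wrong on adversarial input

    def update(self, labels, clean_preds, adv_preds):
        if not (len(labels) == len(clean_preds) == len(adv_preds)):
            raise ValueError("labels and predictions must have equal length")
        for y, c, a in zip(labels, clean_preds, adv_preds):
            self.total += 1
            self.clean_correct += c == y
            self.adv_correct += a == y
            self.fooled += (c == y) and (a != y)

    def summary(self):
        if self.total == 0:
            raise ValueError("no samples recorded")
        # Fooling rate is only defined over samples the model got right on
        # clean input; report None rather than dividing by zero.
        rate = self.fooled / self.clean_correct if self.clean_correct else None
        return {
            "clean_acc": self.clean_correct / self.total,
            "adv_acc": self.adv_correct / self.total,
            "fooling_rate": rate,
        }


def evaluate_transfer(batches):
    """batches: iterable of (victim_name, labels, clean_preds, adv_preds)."""
    stats = {}
    for victim, labels, clean_preds, adv_preds in batches:
        stats.setdefault(victim, TransferStats()).update(labels, clean_preds, adv_preds)
    return {victim: s.summary() for victim, s in stats.items()}


# Constructed sample predictions (class indices), not real model output.
SAMPLE_BATCHES = [
    ("resnet50", [1, 2, 3, 4], [1, 2, 3, 0], [1, 7, 7, 0]),
    ("resnet50", [5, 6, 7, 8], [5, 6, 7, 8], [9, 6, 9, 9]),
    ("vit_b16", [1, 2, 3, 4], [1, 2, 0, 4], [1, 2, 3, 9]),
]

print(evaluate_transfer(SAMPLE_BATCHES))
```

With real models, the prediction lists would come from `logits.argmax(dim=1).tolist()` on the clean and adversarial batches. The `vit_b16` rows show why the per-sample count matters: clean and adversarial accuracy are equal there, yet one of three correctly classified samples was flipped.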
We roughly categorize transferable adversarial attacks into the following categories based on their strategies to improve adversarial transferability:
- Classic attacks: The line of work that first proposed gradient-based adversarial attacks.
- Gradient augmentations: Stabilizing or augmenting the gradient flows to improve transferability.
- Input transformations: Applying all forms of transformations as image augmentations to inputs.
- Feature disruption: Disrupting intermediate features of the surrogate model.
- Surrogate self-refinement: Refining the surrogate model, both structure-wise and in forward/backward passes.
- Generative modelling: Using generative models to generate adversarial examples.
- Others: Other attacks that do not fit into transfer-based attacks but are important black-box attacks.
We provide a detailed list of all supported attacks below.
For how to install dependencies, run tests, and build documentation, see Development - torchattack.
