Torchattack

🛡 A curated list of adversarial attacks in PyTorch, with a focus on transferable black-box attacks.

<div align="center"> <p><br><img src="docs/images/torchattack.png" alt="torchattack banner" width="600" /></p> </div>

🛡 torchattack - A curated list of adversarial attacks in PyTorch, with a focus on transferable black-box attacks.

```bash
pip install torchattack  # or `torchattack[full]` to install all extra dependencies
```

Highlights

  • 🛡️ A curated collection of adversarial attacks implemented in PyTorch.
  • 🔍 Focuses on gradient-based transferable black-box attacks.
  • 📦 Easily load pretrained models from torchvision or timm using AttackModel.
  • 🔄 Simple interface to initialize attacks with create_attack.
  • 🔧 Extensively typed for better code quality and safety.
  • 📊 Tooling for fooling rate metrics and model evaluation in eval.
  • 🔁 Numerous attacks reimplemented for readability and efficiency (TGR, VDC, etc.).

Documentation

torchattack's docs are available at docs.swo.moe/torchattack.

Usage

```python
import torch

device = torch.device('cuda' if torch.cuda.is_available() else 'cpu')
```

Load a pretrained model to attack from either torchvision or timm.

```python
from torchattack import AttackModel

# Load a model with `AttackModel`
model = AttackModel.from_pretrained(model_name='resnet50').to(device)
# `AttackModel` automatically attaches the model's `transform` and `normalize` functions
transform, normalize = model.transform, model.normalize

# Additionally, to explicitly specify where to load the pretrained model from (timm or torchvision),
# prepend the model name with 'timm/' or 'tv/' respectively, or use the `from_timm` argument, e.g.
vit_b16 = AttackModel.from_pretrained(model_name='timm/vit_base_patch16_224').to(device)
inv_v3 = AttackModel.from_pretrained(model_name='tv/inception_v3').to(device)
pit_b = AttackModel.from_pretrained(model_name='pit_b_224', from_timm=True).to(device)
```

Initialize an attack by importing its attack class.

```python
from torchattack import FGSM, MIFGSM

# Initialize an attack
adversary = FGSM(model, normalize, device)

# Initialize an attack with extra params
adversary = MIFGSM(model, normalize, device, eps=0.03, steps=10, decay=1.0)
```

Initialize an attack by its name with create_attack().

```python
from torchattack import create_attack

# Initialize FGSM attack with create_attack
adversary = create_attack('FGSM', model, normalize, device)

# Initialize PGD attack with specific eps with create_attack
adversary = create_attack('PGD', model, normalize, device, eps=0.03)

# Initialize MI-FGSM attack with extra args with create_attack
attack_args = {'steps': 10, 'decay': 1.0}
adversary = create_attack('MIFGSM', model, normalize, device, eps=0.03, **attack_args)
```

Check out examples/ and torchattack.evaluate.runner for full examples.
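
What `eps`, `steps` and `decay` control in MI-FGSM, and how a fooling rate is measured on the surrogate versus a held-out model when testing robustness. This is an added, dependency-free example and not torchattack's own code. The two linear models, the sample points and every function name are constructed for illustration; the per-step size `eps / steps` follows the MI-FGSM paper.

```python
import math

def logit(model, x):
    w, b = model
    return sum(wi * xi for wi, xi in zip(w, x)) + b

def predict(model, x):
    return 1 if logit(model, x) > 0 else 0

def input_grad(model, x, y):
    """Gradient of binary cross-entropy w.r.t. the input of a logistic model."""
    p = 1.0 / (1.0 + math.exp(-logit(model, x)))
    return [(p - y) * wi for wi in model[0]]

def mifgsm(model, x, y, eps=0.03, steps=10, decay=1.0):
    """Momentum-iterative sign-gradient perturbation inside an L-inf ball of radius eps."""
    alpha = eps / steps              # per-step size, as in the MI-FGSM paper
    g = [0.0] * len(x)               # accumulated (momentum) gradient
    x_adv = list(x)
    for _ in range(steps):
        grad = input_grad(model, x_adv, y)
        l1 = sum(abs(v) for v in grad) or 1.0      # guard against a zero gradient
        g = [decay * gi + v / l1 for gi, v in zip(g, grad)]
        x_adv = [xa + alpha * ((gi > 0) - (gi < 0)) for xa, gi in zip(x_adv, g)]
        # Project back into the eps-ball around x, then into the valid input range [0, 1].
        x_adv = [min(max(xa, xi - eps, 0.0), xi + eps, 1.0) for xa, xi in zip(x_adv, x)]
    return x_adv

def fooling_rate(model, samples, adv):
    """Share of samples the model classifies correctly when clean but wrongly once perturbed."""
    correct = [(xa, y) for (x, y), xa in zip(samples, adv) if predict(model, x) == y]
    fooled = sum(predict(model, xa) != y for xa, y in correct)
    return fooled / len(correct) if correct else 0.0

# Constructed data: two linear "models" and four labelled points in [0, 1]^2.
SURROGATE = ([1.0, -1.0], 0.0)    # gradients are taken from this model only
TARGET = ([1.0, -0.8], -0.1)      # held-out model, never queried for gradients
SAMPLES = [([0.52, 0.50], 1), ([0.80, 0.20], 1), ([0.40, 0.45], 0), ([0.10, 0.90], 0)]

def evaluate(eps=0.03):
    adv = [mifgsm(SURROGATE, x, y, eps=eps) for x, y in SAMPLES]
    linf = max(abs(a - b) for (x, _), xa in zip(SAMPLES, adv) for a, b in zip(xa, x))
    return fooling_rate(SURROGATE, SAMPLES, adv), fooling_rate(TARGET, SAMPLES, adv), linf

if __name__ == "__main__":
    white_box, transfer, linf = evaluate()
    print(f"surrogate {white_box:.2f}, transfer {transfer:.2f}, L-inf {linf:.3f}")
```

The gap between the surrogate and transfer fooling rates is the quantity a robustness report should track per `eps`, alongside a check that the measured L-inf distance never exceeds the stated budget.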

Attacks

We roughly categorize transferable adversarial attacks into the following categories based on their strategies to improve adversarial transferability:

  • Classic attacks: The line of work that first proposed gradient-based adversarial attacks.
  • Gradient augmentations: Stabilizing or augmenting the gradient flows to improve transferability.
  • Input transformations: Applying all forms of transformations as image augmentations to inputs.
  • Feature disruption: Disrupting intermediate features of the surrogate model.
  • Surrogate self-refinement: Refining the surrogate model, both structure-wise and in forward/backward passes.
  • Generative modelling: Using generative models to generate adversarial examples.
  • Others: Other attacks that do not fit into transfer-based attacks but are important black-box attacks.

We provide a detailed list of all supported attacks below.

<table>
<thead>
<tr> <th>Name</th> <th>Class Name</th> <th>Publication</th> <th>Paper (Open Access)</th> </tr>
</thead>
<tbody>
<!-- Classic attacks -->
<tr> <th colspan="4">Classic attacks</th> </tr>
<tr> <td><a href="https://docs.swo.moe/torchattack/attacks/fgsm">FGSM</a></td> <td><code>FGSM</code></td> <td><img src="https://img.shields.io/badge/ICLR-2015-62B959?labelColor=2D3339" alt="ICLR 2015"></td> <td><a href="https://arxiv.org/abs/1412.6572">Explaining and Harnessing Adversarial Examples</a></td> </tr>
<tr> <td><a href="https://docs.swo.moe/torchattack/attacks/pgd">PGD</a></td> <td><code>PGD</code></td> <td><img src="https://img.shields.io/badge/ICLR-2018-62B959?labelColor=2D3339" alt="ICLR 2018"></td> <td><a href="https://arxiv.org/abs/1706.06083">Towards Deep Learning Models Resistant to Adversarial Attacks</a></td> </tr>
<tr> <td><a href="https://docs.swo.moe/torchattack/attacks/pgdl2">PGD (L2)</a></td> <td><code>PGDL2</code></td> <td><img src="https://img.shields.io/badge/ICLR-2018-62B959?labelColor=2D3339" alt="ICLR 2018"></td> <td><a href="https://arxiv.org/abs/1706.06083">Towards Deep Learning Models Resistant to Adversarial Attacks</a></td> </tr>
<tr> <td><a href="https://docs.swo.moe/torchattack/attacks/ifgsm">I-FGSM</a></td> <td><code>IFGSM</code></td> <td><img src="https://img.shields.io/badge/ICLR-2019-62B959?labelColor=2D3339" alt="ICLR 2019"></td> <td><a href="https://arxiv.org/abs/1607.02533">Adversarial examples in the physical world</a></td> </tr>
<!-- Gradient augmentations -->
<tr> <th colspan="4">Gradient augmentations</th> </tr>
<tr> <td><a href="https://docs.swo.moe/torchattack/attacks/mifgsm">MI-FGSM</a></td> <td><code>MIFGSM</code></td> <td><img src="https://img.shields.io/badge/CVPR-2018-1A407F?labelColor=2D3339" alt="CVPR 2018"></td> <td><a href="https://arxiv.org/abs/1710.06081">Boosting Adversarial Attacks with Momentum</a></td> </tr>
<tr> <td><a href="https://docs.swo.moe/torchattack/attacks/nifgsm">NI-FGSM</a></td> <td><code>NIFGSM</code></td> <td><img src="https://img.shields.io/badge/ICLR-2020-62B959?labelColor=2D3339" alt="ICLR 2020"></td> <td><a href="https://arxiv.org/abs/1908.06281">Nesterov Accelerated Gradient and Scale Invariance for Adversarial Attacks</a></td> </tr>
<tr> <td><a href="https://docs.swo.moe/torchattack/attacks/vmifgsm">VMI-FGSM</a></td> <td><code>VMIFGSM</code></td> <td><img src="https://img.shields.io/badge/CVPR-2021-1A407F?labelColor=2D3339" alt="CVPR 2021"></td> <td><a href="https://arxiv.org/abs/2103.15571">Enhancing the Transferability of Adversarial Attacks through Variance Tuning</a></td> </tr>
<tr> <td><a href="https://docs.swo.moe/torchattack/attacks/vnifgsm">VNI-FGSM</a></td> <td><code>VNIFGSM</code></td> <td><img src="https://img.shields.io/badge/CVPR-2021-1A407F?labelColor=2D3339" alt="CVPR 2021"></td> <td><a href="https://arxiv.org/abs/2103.15571">Enhancing the Transferability of Adversarial Attacks through Variance Tuning</a></td> </tr>
<tr> <td><a href="https://docs.swo.moe/torchattack/attacks/mig">MIG</a></td> <td><code>MIG</code></td> <td><img src="https://img.shields.io/badge/ICCV-2023-5A428D?labelColor=2D3339" alt="ICCV 2023"></td> <td><a href="https://openaccess.thecvf.com/content/ICCV2023/html/Ma_Transferable_Adversarial_Attack_for_Both_Vision_Transformers_and_Convolutional_Networks_ICCV_2023_paper.html">Transferable Adversarial Attack for Both Vision Transformers and Convolutional Networks via Momentum Integrated Gradients</a></td> </tr>
<tr> <td><a href="https://docs.swo.moe/torchattack/attacks/gra">GRA</a></td> <td><code>GRA</code></td> <td><img src="https://img.shields.io/badge/ICCV-2023-5A428D?labelColor=2D3339" alt="ICCV 2023"></td> <td><a href="https://openaccess.thecvf.com/content/ICCV2023/html/Zhu_Boosting_Adversarial_Transferability_via_Gradient_Relevance_Attack_ICCV_2023_paper.html">Boosting Adversarial Transferability via Gradient Relevance Attack</a></td> </tr>
<tr> <td><a href="https://docs.swo.moe/torchattack/attacks/mumodig">MuMoDIG</a></td> <td><code>MuMoDIG</code></td> <td><img src="https://img.shields.io/badge/AAAI-2025-C8172C?labelColor=2D3339" alt="AAAI 2025"></td> <td><a href="https://www.arxiv.org/abs/2412.18844">Improving Integrated Gradient-based Transferable Adversarial Examples by Refining the Integration Path</a></td> </tr>
<!-- Input transformations -->
<tr> <th colspan="4">Input transformations</th> </tr>
<tr> <td><a href="https://docs.swo.moe/torchattack/attacks/difgsm">DI-FGSM</a></td> <td><code>DIFGSM</code></td> <td><img src="https://img.shields.io/badge/CVPR-2019-1A407F?labelColor=2D3339" alt="CVPR 2019"></td> <td><a href="https://arxiv.org/abs/1803.06978">Improving Transferability of Adversarial Examples with Input Diversity</a></td> </tr>
<tr> <td><a href="https://docs.swo.moe/torchattack/attacks/tifgsm">