foolbox.attacks
¶
Reduces the contrast of the input using a perturbation of the given size 

Secondorder gradientbased attack on the logits. 

The Decoupled Direction and Norm L2 adversarial attack. 

L2 Projected Gradient Descent 

Linf Projected Gradient Descent 

L2 Basic Iterative Method 

Linfinity Basic Iterative Method 

Fast Gradient Method (FGM) 

Fast Gradient Sign Method (FGSM) 

Samples Gaussian noise with a fixed L2 size 

Samples uniform noise with a fixed L2 size 

Samples uniform noise with a fixed Linfinity size 

Repeatedly samples Gaussian noise with a fixed L2 size 

Repeatedly samples uniform noise with a fixed L2 size 

Repeatedly samples uniform noise with a fixed Linfinity size 

Creates “negative images” by inverting the pixel values. 

Reduces the contrast of the input using a binary search to find the smallest adversarial perturbation 

Reduces the contrast of the input using a linear search to find the smallest adversarial perturbation 

Implementation of the Carlini & Wagner L2 Attack. 

Implementation of the NewtonFool Attack. 

Implementation of the EAD Attack with EN Decision Rule. 

Blurs the inputs using a Gaussian filter with linearly increasing standard deviation. 

A simple and fast gradientbased adversarial attack. 

A simple and fast gradientbased adversarial attack. 

Increases the amount of salt and pepper noise until the input is misclassified. 

Blends the input with a uniform noise input until it is misclassified. 

For models that preprocess their inputs by binarizing the inputs, this attack can improve adversarials found by other attacks. 

Draws randomly from the given dataset until adversarial examples for all inputs have been found. 

A powerful adversarial attack that requires neither gradients nor probabilities. 

L0 variant of the Brendel & Bethge adversarial attack. 

L1 variant of the Brendel & Bethge adversarial attack. 

L2 variant of the Brendel & Bethge adversarial attack [#Bren19]_. 

Linfinity variant of the Brendel & Bethge adversarial attack. 

alias of 

alias of 

alias of 

alias of 

alias of 

class
foolbox.attacks.
L2ContrastReductionAttack
(*, target=0.5)¶ Reduces the contrast of the input using a perturbation of the given size
 Parameters
target (float) – Target relative to the bounds from 0 (min) to 1 (max) towards which the contrast is reduced

class
foolbox.attacks.
VirtualAdversarialAttack
(steps, xi=1e06)¶ Secondorder gradientbased attack on the logits. 1 The attack calculate an untargeted adversarial perturbation by performing a approximated second order optimization step on the KL divergence between the unperturbed predictions and the predictions for the adversarial perturbation. This attack was originally introduced as the Virtual Adversarial Training 1 method.
 Parameters
steps (int) – Number of update steps.
xi (float) – L2 distance between original image and first adversarial proposal.
References
 1(1,2)
Takeru Miyato, Shinichi Maeda, Masanori Koyama, Ken Nakae, Shin Ishii, “Distributional Smoothing with Virtual Adversarial Training”, https://arxiv.org/abs/1507.00677

class
foolbox.attacks.
DDNAttack
(*, init_epsilon=1.0, steps=10, gamma=0.05)¶ The Decoupled Direction and Norm L2 adversarial attack. 2
 Parameters
init_epsilon (float) – Initial value for the norm/epsilon ball.
steps (int) – Number of steps for the optimization.
gamma (float) – Factor by which the norm will be modified: new_norm = norm * (1 + or  gamma).
References
 2
Jérôme Rony, Luiz G. Hafemann, Luiz S. Oliveira, Ismail Ben Ayed, Robert Sabourin, Eric Granger, “Decoupling Direction and Norm for Efficient GradientBased L2 Adversarial Attacks and Defenses”, https://arxiv.org/abs/1811.09600

class
foolbox.attacks.
L2ProjectedGradientDescentAttack
(*, rel_stepsize=0.025, abs_stepsize=None, steps=50, random_start=True)¶ L2 Projected Gradient Descent
 Parameters
rel_stepsize (float) – Stepsize relative to epsilon (defaults to 0.01 / 0.3).
abs_stepsize (Optional[float]) – If given, it takes precedence over rel_stepsize.
steps (int) – Number of update steps to perform.
random_start (bool) – Whether the perturbation is initialized randomly or starts at zero.

class
foolbox.attacks.
LinfProjectedGradientDescentAttack
(*, rel_stepsize=0.03333333333333333, abs_stepsize=None, steps=40, random_start=True)¶ Linf Projected Gradient Descent
 Parameters
rel_stepsize (float) – Stepsize relative to epsilon (defaults to 0.01 / 0.3).
abs_stepsize (Optional[float]) – If given, it takes precedence over rel_stepsize.
steps (int) – Number of update steps to perform.
random_start (bool) – Whether the perturbation is initialized randomly or starts at zero.

class
foolbox.attacks.
L2BasicIterativeAttack
(*, rel_stepsize=0.2, abs_stepsize=None, steps=10, random_start=False)¶ L2 Basic Iterative Method
 Parameters
rel_stepsize (float) – Stepsize relative to epsilon.
abs_stepsize (Optional[float]) – If given, it takes precedence over rel_stepsize.
steps (int) – Number of update steps.
random_start (bool) – Controls whether to randomly start within allowed epsilon ball.

class
foolbox.attacks.
LinfBasicIterativeAttack
(*, rel_stepsize=0.2, abs_stepsize=None, steps=10, random_start=False)¶ Linfinity Basic Iterative Method
 Parameters
rel_stepsize (float) – Stepsize relative to epsilon.
abs_stepsize (Optional[float]) – If given, it takes precedence over rel_stepsize.
steps (int) – Number of update steps.
random_start (bool) – Controls whether to randomly start within allowed epsilon ball.

class
foolbox.attacks.
L2FastGradientAttack
(*, random_start=False)¶ Fast Gradient Method (FGM)
 Parameters
random_start (bool) – Controls whether to randomly start within allowed epsilon ball.

class
foolbox.attacks.
LinfFastGradientAttack
(*, random_start=False)¶ Fast Gradient Sign Method (FGSM)
 Parameters
random_start (bool) – Controls whether to randomly start within allowed epsilon ball.

class
foolbox.attacks.
L2AdditiveGaussianNoiseAttack
¶ Samples Gaussian noise with a fixed L2 size

class
foolbox.attacks.
L2AdditiveUniformNoiseAttack
¶ Samples uniform noise with a fixed L2 size

class
foolbox.attacks.
LinfAdditiveUniformNoiseAttack
¶ Samples uniform noise with a fixed Linfinity size

class
foolbox.attacks.
L2RepeatedAdditiveGaussianNoiseAttack
(*, repeats=100, check_trivial=True)¶ Repeatedly samples Gaussian noise with a fixed L2 size
 Parameters
repeats (int) – How often to sample random noise.
check_trivial (bool) – Check whether original sample is already adversarial.

class
foolbox.attacks.
L2RepeatedAdditiveUniformNoiseAttack
(*, repeats=100, check_trivial=True)¶ Repeatedly samples uniform noise with a fixed L2 size
 Parameters
repeats (int) – How often to sample random noise.
check_trivial (bool) – Check whether original sample is already adversarial.

class
foolbox.attacks.
LinfRepeatedAdditiveUniformNoiseAttack
(*, repeats=100, check_trivial=True)¶ Repeatedly samples uniform noise with a fixed Linfinity size
 Parameters
repeats (int) – How often to sample random noise.
check_trivial (bool) – Check whether original sample is already adversarial.

class
foolbox.attacks.
InversionAttack
(*, distance=None)¶ Creates “negative images” by inverting the pixel values. 3
References
 3
Hossein Hosseini, Baicen Xiao, Mayoore Jaiswal, Radha Poovendran, “On the Limitation of Convolutional Neural Networks in Recognizing Negative Images”, https://arxiv.org/abs/1607.02533
 Parameters
distance (Optional[foolbox.distances.Distance]) –

class
foolbox.attacks.
BinarySearchContrastReductionAttack
(*, distance=None, binary_search_steps=15, target=0.5)¶ Reduces the contrast of the input using a binary search to find the smallest adversarial perturbation
 Parameters
distance (Optional[foolbox.distances.Distance]) – Distance measure for which minimal adversarial examples are searched.
binary_search_steps (int) – Number of iterations in the binary search. This controls the precision of the results.
target (float) – Target relative to the bounds from 0 (min) to 1 (max) towards which the contrast is reduced

class
foolbox.attacks.
LinearSearchContrastReductionAttack
(*, distance=None, steps=1000, target=0.5)¶ Reduces the contrast of the input using a linear search to find the smallest adversarial perturbation
 Parameters
distance (Optional[foolbox.distances.Distance]) –
steps (int) –
target (float) –

class
foolbox.attacks.
L2CarliniWagnerAttack
(binary_search_steps=9, steps=10000, stepsize=0.01, confidence=0, initial_const=0.001, abort_early=True)¶ Implementation of the Carlini & Wagner L2 Attack. 4
 Parameters
binary_search_steps (int) – Number of steps to perform in the binary search over the const c.
steps (int) – Number of optimization steps within each binary search step.
stepsize (float) – Stepsize to update the examples.
confidence (float) – Confidence required for an example to be marked as adversarial. Controls the gap between example and decision boundary.
initial_const (float) – Initial value of the const c with which the binary search starts.
abort_early (bool) – Stop inner search as soons as an adversarial example has been found. Does not affect the binary search over the const c.
References
 4
Nicholas Carlini, David Wagner, “Towards evaluating the robustness of neural networks. In 2017 ieee symposium on security and privacy” https://arxiv.org/abs/1608.04644

class
foolbox.attacks.
NewtonFoolAttack
(steps=100, stepsize=0.01)¶ Implementation of the NewtonFool Attack. 5
 Parameters
steps (int) – Number of update steps to perform.
step_size – Size of each update step.
stepsize (float) –
References
 5
Uyeong Jang et al., “Objective Metrics and Gradient Descent Algorithms for Adversarial Examples in Machine Learning”, https://dl.acm.org/citation.cfm?id=3134635

class
foolbox.attacks.
EADAttack
(binary_search_steps=9, steps=10000, initial_stepsize=0.01, confidence=0.0, initial_const=0.001, regularization=0.01, decision_rule='EN', abort_early=True)¶ Implementation of the EAD Attack with EN Decision Rule. 6
 Parameters
binary_search_steps (int) – Number of steps to perform in the binary search over the const c.
steps (int) – Number of optimization steps within each binary search step.
initial_stepsize (float) – Initial stepsize to update the examples.
confidence (float) – Confidence required for an example to be marked as adversarial. Controls the gap between example and decision boundary.
initial_const (float) – Initial value of the const c with which the binary search starts.
regularization (float) – Controls the L1 regularization.
decision_rule (Union[typing_extensions.Literal['EN'], typing_extensions.Literal['L1']]) – Rule according to which the best adversarial examples are selected. They either minimize the L1 or ElasticNet distance.
abort_early (bool) – Stop inner search as soons as an adversarial example has been found. Does not affect the binary search over the const c.
References
 6
PinYu Chen, Yash Sharma, Huan Zhang, Jinfeng Yi, ChoJui Hsieh,
“EAD: ElasticNet Attacks to Deep Neural Networks via Adversarial Examples”, https://www.aaai.org/ocs/index.php/AAAI/AAAI18/paper/viewPaper/16893

class
foolbox.attacks.
GaussianBlurAttack
(*, distance=None, steps=1000, channel_axis=None, max_sigma=None)¶ Blurs the inputs using a Gaussian filter with linearly increasing standard deviation.
 Parameters
steps (int) – Number of sigma values tested between 0 and max_sigma.
channel_axis (Optional[int]) – Index of the channel axis in the input data.
max_sigma (Optional[float]) – Maximally allowed sigma value of the Gaussian blur.
distance (Optional[foolbox.distances.Distance]) –

class
foolbox.attacks.
L2DeepFoolAttack
(*, steps=50, candidates=10, overshoot=0.02, loss='logits')¶ A simple and fast gradientbased adversarial attack.
Implements the DeepFool L2 attack. [#Moos15]_
 Parameters
steps (int) – Maximum number of steps to perform.
candidates (Optional[int]) – Limit on the number of the most likely classes that should be considered. A small value is usually sufficient and much faster.
overshoot (float) – How much to overshoot the boundary.
Loss function to use inside the update function. (loss) –
typing_extensions.Literal['crossentropy']] loss (Union[typing_extensions.Literal['logits'],) –
References

class
foolbox.attacks.
LinfDeepFoolAttack
(*, steps=50, candidates=10, overshoot=0.02, loss='logits')¶ A simple and fast gradientbased adversarial attack.
Implements the DeepFool LInfinity attack.
 Parameters
steps (int) – Maximum number of steps to perform.
candidates (Optional[int]) – Limit on the number of the most likely classes that should be considered. A small value is usually sufficient and much faster.
overshoot (float) – How much to overshoot the boundary.
Loss function to use inside the update function. (loss) –
typing_extensions.Literal['crossentropy']] loss (Union[typing_extensions.Literal['logits'],) –

class
foolbox.attacks.
SaltAndPepperNoiseAttack
(steps=1000, across_channels=True, channel_axis=None)¶ Increases the amount of salt and pepper noise until the input is misclassified.
 Parameters
steps (int) – The number of steps to run.
across_channels (bool) – Whether the noise should be the same across all channels.
channel_axis (Optional[int]) – The axis across which the noise should be the same (if across_channels is True). If None, will be automatically inferred from the model if possible.

class
foolbox.attacks.
LinearSearchBlendedUniformNoiseAttack
(*, distance=None, directions=1000, steps=1000)¶ Blends the input with a uniform noise input until it is misclassified.
 Parameters
distance (Optional[foolbox.distances.Distance]) – Distance measure for which minimal adversarial examples are searched.
directions (int) – Number of random directions in which the perturbation is searched.
steps (int) – Number of blending steps between the original image and the random directions.

class
foolbox.attacks.
BinarizationRefinementAttack
(*, distance=None, threshold=None, included_in='upper')¶ For models that preprocess their inputs by binarizing the inputs, this attack can improve adversarials found by other attacks. It does this by utilizing information about the binarization and mapping values to the corresponding value in the clean input or to the right side of the threshold.
 Parameters
threshold (Optional[float]) – The treshold used by the models binarization. If none, defaults to (model.bounds()[1]  model.bounds()[0]) / 2.
included_in (Union[typing_extensions.Literal['lower'], typing_extensions.Literal['upper']]) – Whether the threshold value itself belongs to the lower or upper interval.
distance (Optional[foolbox.distances.Distance]) –

class
foolbox.attacks.
DatasetAttack
(*, distance=None)¶ Draws randomly from the given dataset until adversarial examples for all inputs have been found.
To pass data form the dataset to this attack, call
feed()
.feed()
can be called several times and should only be called with batches that are small enough that they can be passed through the model. Parameters
distance (Optional[foolbox.distances.Distance]) – Distance measure for which minimal adversarial examples are searched.

class
foolbox.attacks.
BoundaryAttack
(init_attack=None, steps=25000, spherical_step=0.01, source_step=0.01, source_step_convergance=1e07, step_adaptation=1.5, tensorboard=False, update_stats_every_k=10)¶ A powerful adversarial attack that requires neither gradients nor probabilities.
This is the reference implementation for the attack introduced in 7.
Notes
Differences to the original reference implementation: * We do not perform internal operations with float64 * The samples within a batch can currently influence each other a bit * We don’t perform the additional convergence confirmation * The success rate tracking changed a bit * Some other changes due to batching and merged loops
 Parameters
init_attack (Optional[foolbox.attacks.base.MinimizationAttack]) – Attack to use to find a starting points. Defaults to LinearSearchBlendedUniformNoiseAttack. Only used if starting_points is None.
steps (int) – Maximum number of steps to run. Might converge and stop before that.
spherical_step (float) – Initial step size for the orthogonal (spherical) step.
source_step (float) – Initial step size for the step towards the target.
source_step_convergance (float) – Sets the threshold of the stop criterion: if source_step becomes smaller than this value during the attack, the attack has converged and will stop.
step_adaptation (float) – Factor by which the step sizes are multiplied or divided.
tensorboard (Union[typing_extensions.Literal[False], None, str]) – The log directory for TensorBoard summaries. If False, TensorBoard summaries will be disabled (default). If None, the logdir will be runs/CURRENT_DATETIME_HOSTNAME.
update_stats_every_k (int) –
References
 7
Wieland Brendel (*), Jonas Rauber (*), Matthias Bethge, “DecisionBased Adversarial Attacks: Reliable Attacks Against BlackBox Machine Learning Models”, https://arxiv.org/abs/1712.04248

class
foolbox.attacks.
L0BrendelBethgeAttack
(init_attack=None, overshoot=1.1, steps=1000, lr=0.001, lr_decay=0.5, lr_num_decay=20, momentum=0.8, tensorboard=False, binary_search_steps=10)¶ L0 variant of the Brendel & Bethge adversarial attack. [#Bren19]_ This is a powerful gradientbased adversarial attack that follows the adversarial boundary (the boundary between the space of adversarial and nonadversarial images as defined by the adversarial criterion) to find the minimum distance to the clean image.
This is the reference implementation of the Brendel & Bethge attack.
 8
Wieland Brendel, Jonas Rauber, Matthias Kümmerer, Ivan Ustyuzhaninov, Matthias Bethge, “Accurate, reliable and fast robustness evaluation”, 33rd Conference on Neural Information Processing Systems (2019) https://arxiv.org/abs/1907.01003
 Parameters
init_attack (Optional[foolbox.attacks.base.MinimizationAttack]) –
overshoot (float) –
steps (int) –
lr (float) –
lr_decay (float) –
lr_num_decay (int) –
momentum (float) –
None, str] tensorboard (Union[typing_extensions.Literal[False],) –
binary_search_steps (int) –

class
foolbox.attacks.
L1BrendelBethgeAttack
(init_attack=None, overshoot=1.1, steps=1000, lr=0.001, lr_decay=0.5, lr_num_decay=20, momentum=0.8, tensorboard=False, binary_search_steps=10)¶ L1 variant of the Brendel & Bethge adversarial attack. [#Bren19]_ This is a powerful gradientbased adversarial attack that follows the adversarial boundary (the boundary between the space of adversarial and nonadversarial images as defined by the adversarial criterion) to find the minimum distance to the clean image.
This is the reference implementation of the Brendel & Bethge attack.
 9
Wieland Brendel, Jonas Rauber, Matthias Kümmerer, Ivan Ustyuzhaninov, Matthias Bethge, “Accurate, reliable and fast robustness evaluation”, 33rd Conference on Neural Information Processing Systems (2019) https://arxiv.org/abs/1907.01003
 Parameters
init_attack (Optional[foolbox.attacks.base.MinimizationAttack]) –
overshoot (float) –
steps (int) –
lr (float) –
lr_decay (float) –
lr_num_decay (int) –
momentum (float) –
None, str] tensorboard (Union[typing_extensions.Literal[False],) –
binary_search_steps (int) –

class
foolbox.attacks.
L2BrendelBethgeAttack
(init_attack=None, overshoot=1.1, steps=1000, lr=0.001, lr_decay=0.5, lr_num_decay=20, momentum=0.8, tensorboard=False, binary_search_steps=10)¶ L2 variant of the Brendel & Bethge adversarial attack [#Bren19]_. This is a powerful gradientbased adversarial attack that follows the adversarial boundary (the boundary between the space of adversarial and nonadversarial images as defined by the adversarial criterion) to find the minimum distance to the clean image.
This is the reference implementation of the Brendel & Bethge attack.
 10
Wieland Brendel, Jonas Rauber, Matthias Kümmerer, Ivan Ustyuzhaninov, Matthias Bethge, “Accurate, reliable and fast robustness evaluation”, 33rd Conference on Neural Information Processing Systems (2019) https://arxiv.org/abs/1907.01003
 Parameters
init_attack (Optional[foolbox.attacks.base.MinimizationAttack]) –
overshoot (float) –
steps (int) –
lr (float) –
lr_decay (float) –
lr_num_decay (int) –
momentum (float) –
None, str] tensorboard (Union[typing_extensions.Literal[False],) –
binary_search_steps (int) –

class
foolbox.attacks.
LinfinityBrendelBethgeAttack
(init_attack=None, overshoot=1.1, steps=1000, lr=0.001, lr_decay=0.5, lr_num_decay=20, momentum=0.8, tensorboard=False, binary_search_steps=10)¶ Linfinity variant of the Brendel & Bethge adversarial attack. [#Bren19]_ This is a powerful gradientbased adversarial attack that follows the adversarial boundary (the boundary between the space of adversarial and nonadversarial images as defined by the adversarial criterion) to find the minimum distance to the clean image.
This is the reference implementation of the Brendel & Bethge attack.
 11
Wieland Brendel, Jonas Rauber, Matthias Kümmerer, Ivan Ustyuzhaninov, Matthias Bethge, “Accurate, reliable and fast robustness evaluation”, 33rd Conference on Neural Information Processing Systems (2019) https://arxiv.org/abs/1907.01003
 Parameters
init_attack (Optional[foolbox.attacks.base.MinimizationAttack]) –
overshoot (float) –
steps (int) –
lr (float) –
lr_decay (float) –
lr_num_decay (int) –
momentum (float) –
None, str] tensorboard (Union[typing_extensions.Literal[False],) –
binary_search_steps (int) –

foolbox.attacks.
FGM
¶ alias of
foolbox.attacks.fast_gradient_method.L2FastGradientAttack

foolbox.attacks.
FGSM
¶ alias of
foolbox.attacks.fast_gradient_method.LinfFastGradientAttack

foolbox.attacks.
L2PGD
¶ alias of
foolbox.attacks.projected_gradient_descent.L2ProjectedGradientDescentAttack

foolbox.attacks.
LinfPGD
¶ alias of
foolbox.attacks.projected_gradient_descent.LinfProjectedGradientDescentAttack

foolbox.attacks.
PGD
¶ alias of
foolbox.attacks.projected_gradient_descent.LinfProjectedGradientDescentAttack