foolbox.attacks

L2ContrastReductionAttack

Reduces the contrast of the input using a perturbation of the given size

VirtualAdversarialAttack

Second-order gradient-based attack on the logits.

DDNAttack

The Decoupled Direction and Norm L2 adversarial attack.

L2ProjectedGradientDescentAttack

L2 Projected Gradient Descent

LinfProjectedGradientDescentAttack

Linf Projected Gradient Descent

L2BasicIterativeAttack

L2 Basic Iterative Method

LinfBasicIterativeAttack

L-infinity Basic Iterative Method

L2FastGradientAttack

Fast Gradient Method (FGM)

LinfFastGradientAttack

Fast Gradient Sign Method (FGSM)

L2AdditiveGaussianNoiseAttack

Samples Gaussian noise with a fixed L2 size

L2AdditiveUniformNoiseAttack

Samples uniform noise with a fixed L2 size

LinfAdditiveUniformNoiseAttack

Samples uniform noise with a fixed L-infinity size

L2RepeatedAdditiveGaussianNoiseAttack

Repeatedly samples Gaussian noise with a fixed L2 size

L2RepeatedAdditiveUniformNoiseAttack

Repeatedly samples uniform noise with a fixed L2 size

LinfRepeatedAdditiveUniformNoiseAttack

Repeatedly samples uniform noise with a fixed L-infinity size

InversionAttack

Creates “negative images” by inverting the pixel values.

BinarySearchContrastReductionAttack

Reduces the contrast of the input using a binary search to find the smallest adversarial perturbation

LinearSearchContrastReductionAttack

Reduces the contrast of the input using a linear search to find the smallest adversarial perturbation

L2CarliniWagnerAttack

Implementation of the Carlini & Wagner L2 Attack.

NewtonFoolAttack

Implementation of the NewtonFool Attack.

EADAttack

Implementation of the EAD Attack with EN Decision Rule.

GaussianBlurAttack

Blurs the inputs using a Gaussian filter with linearly increasing standard deviation.

L2DeepFoolAttack

A simple and fast gradient-based adversarial attack.

LinfDeepFoolAttack

A simple and fast gradient-based adversarial attack.

SaltAndPepperNoiseAttack

Increases the amount of salt and pepper noise until the input is misclassified.

LinearSearchBlendedUniformNoiseAttack

Blends the input with a uniform noise input until it is misclassified.

BinarizationRefinementAttack

For models that preprocess their inputs by binarizing the inputs, this attack can improve adversarials found by other attacks.

DatasetAttack

Draws randomly from the given dataset until adversarial examples for all inputs have been found.

BoundaryAttack

A powerful adversarial attack that requires neither gradients nor probabilities.

L0BrendelBethgeAttack

L0 variant of the Brendel & Bethge adversarial attack.

L1BrendelBethgeAttack

L1 variant of the Brendel & Bethge adversarial attack.

L2BrendelBethgeAttack

L2 variant of the Brendel & Bethge adversarial attack [#Bren19]_.

LinfinityBrendelBethgeAttack

L-infinity variant of the Brendel & Bethge adversarial attack.

FGM

alias of foolbox.attacks.fast_gradient_method.L2FastGradientAttack

FGSM

alias of foolbox.attacks.fast_gradient_method.LinfFastGradientAttack

L2PGD

alias of foolbox.attacks.projected_gradient_descent.L2ProjectedGradientDescentAttack

LinfPGD

alias of foolbox.attacks.projected_gradient_descent.LinfProjectedGradientDescentAttack

PGD

alias of foolbox.attacks.projected_gradient_descent.LinfProjectedGradientDescentAttack

class foolbox.attacks.L2ContrastReductionAttack(*, target=0.5)

Reduces the contrast of the input using a perturbation of the given size

Parameters

target (float) – Target relative to the bounds from 0 (min) to 1 (max) towards which the contrast is reduced

class foolbox.attacks.VirtualAdversarialAttack(steps, xi=1e-06)

Second-order gradient-based attack on the logits. 1 The attack calculate an untargeted adversarial perturbation by performing a approximated second order optimization step on the KL divergence between the unperturbed predictions and the predictions for the adversarial perturbation. This attack was originally introduced as the Virtual Adversarial Training 1 method.

Parameters
  • steps (int) – Number of update steps.

  • xi (float) – L2 distance between original image and first adversarial proposal.

References

1(1,2)

Takeru Miyato, Shin-ichi Maeda, Masanori Koyama, Ken Nakae, Shin Ishii, “Distributional Smoothing with Virtual Adversarial Training”, https://arxiv.org/abs/1507.00677

class foolbox.attacks.DDNAttack(*, init_epsilon=1.0, steps=10, gamma=0.05)

The Decoupled Direction and Norm L2 adversarial attack. 2

Parameters
  • init_epsilon (float) – Initial value for the norm/epsilon ball.

  • steps (int) – Number of steps for the optimization.

  • gamma (float) – Factor by which the norm will be modified: new_norm = norm * (1 + or - gamma).

References

2

Jérôme Rony, Luiz G. Hafemann, Luiz S. Oliveira, Ismail Ben Ayed, Robert Sabourin, Eric Granger, “Decoupling Direction and Norm for Efficient Gradient-Based L2 Adversarial Attacks and Defenses”, https://arxiv.org/abs/1811.09600

class foolbox.attacks.L2ProjectedGradientDescentAttack(*, rel_stepsize=0.025, abs_stepsize=None, steps=50, random_start=True)

L2 Projected Gradient Descent

Parameters
  • rel_stepsize (float) – Stepsize relative to epsilon (defaults to 0.01 / 0.3).

  • abs_stepsize (Optional[float]) – If given, it takes precedence over rel_stepsize.

  • steps (int) – Number of update steps to perform.

  • random_start (bool) – Whether the perturbation is initialized randomly or starts at zero.

class foolbox.attacks.LinfProjectedGradientDescentAttack(*, rel_stepsize=0.03333333333333333, abs_stepsize=None, steps=40, random_start=True)

Linf Projected Gradient Descent

Parameters
  • rel_stepsize (float) – Stepsize relative to epsilon (defaults to 0.01 / 0.3).

  • abs_stepsize (Optional[float]) – If given, it takes precedence over rel_stepsize.

  • steps (int) – Number of update steps to perform.

  • random_start (bool) – Whether the perturbation is initialized randomly or starts at zero.

class foolbox.attacks.L2BasicIterativeAttack(*, rel_stepsize=0.2, abs_stepsize=None, steps=10, random_start=False)

L2 Basic Iterative Method

Parameters
  • rel_stepsize (float) – Stepsize relative to epsilon.

  • abs_stepsize (Optional[float]) – If given, it takes precedence over rel_stepsize.

  • steps (int) – Number of update steps.

  • random_start (bool) – Controls whether to randomly start within allowed epsilon ball.

class foolbox.attacks.LinfBasicIterativeAttack(*, rel_stepsize=0.2, abs_stepsize=None, steps=10, random_start=False)

L-infinity Basic Iterative Method

Parameters
  • rel_stepsize (float) – Stepsize relative to epsilon.

  • abs_stepsize (Optional[float]) – If given, it takes precedence over rel_stepsize.

  • steps (int) – Number of update steps.

  • random_start (bool) – Controls whether to randomly start within allowed epsilon ball.

class foolbox.attacks.L2FastGradientAttack(*, random_start=False)

Fast Gradient Method (FGM)

Parameters

random_start (bool) – Controls whether to randomly start within allowed epsilon ball.

class foolbox.attacks.LinfFastGradientAttack(*, random_start=False)

Fast Gradient Sign Method (FGSM)

Parameters

random_start (bool) – Controls whether to randomly start within allowed epsilon ball.

class foolbox.attacks.L2AdditiveGaussianNoiseAttack

Samples Gaussian noise with a fixed L2 size

class foolbox.attacks.L2AdditiveUniformNoiseAttack

Samples uniform noise with a fixed L2 size

class foolbox.attacks.LinfAdditiveUniformNoiseAttack

Samples uniform noise with a fixed L-infinity size

class foolbox.attacks.L2RepeatedAdditiveGaussianNoiseAttack(*, repeats=100, check_trivial=True)

Repeatedly samples Gaussian noise with a fixed L2 size

Parameters
  • repeats (int) – How often to sample random noise.

  • check_trivial (bool) – Check whether original sample is already adversarial.

class foolbox.attacks.L2RepeatedAdditiveUniformNoiseAttack(*, repeats=100, check_trivial=True)

Repeatedly samples uniform noise with a fixed L2 size

Parameters
  • repeats (int) – How often to sample random noise.

  • check_trivial (bool) – Check whether original sample is already adversarial.

class foolbox.attacks.LinfRepeatedAdditiveUniformNoiseAttack(*, repeats=100, check_trivial=True)

Repeatedly samples uniform noise with a fixed L-infinity size

Parameters
  • repeats (int) – How often to sample random noise.

  • check_trivial (bool) – Check whether original sample is already adversarial.

class foolbox.attacks.InversionAttack(*, distance=None)

Creates “negative images” by inverting the pixel values. 3

References

3

Hossein Hosseini, Baicen Xiao, Mayoore Jaiswal, Radha Poovendran, “On the Limitation of Convolutional Neural Networks in Recognizing Negative Images”, https://arxiv.org/abs/1607.02533

Parameters

distance (Optional[foolbox.distances.Distance]) –

class foolbox.attacks.BinarySearchContrastReductionAttack(*, distance=None, binary_search_steps=15, target=0.5)

Reduces the contrast of the input using a binary search to find the smallest adversarial perturbation

Parameters
  • distance (Optional[foolbox.distances.Distance]) – Distance measure for which minimal adversarial examples are searched.

  • binary_search_steps (int) – Number of iterations in the binary search. This controls the precision of the results.

  • target (float) – Target relative to the bounds from 0 (min) to 1 (max) towards which the contrast is reduced

class foolbox.attacks.LinearSearchContrastReductionAttack(*, distance=None, steps=1000, target=0.5)

Reduces the contrast of the input using a linear search to find the smallest adversarial perturbation

Parameters
class foolbox.attacks.L2CarliniWagnerAttack(binary_search_steps=9, steps=10000, stepsize=0.01, confidence=0, initial_const=0.001, abort_early=True)

Implementation of the Carlini & Wagner L2 Attack. 4

Parameters
  • binary_search_steps (int) – Number of steps to perform in the binary search over the const c.

  • steps (int) – Number of optimization steps within each binary search step.

  • stepsize (float) – Stepsize to update the examples.

  • confidence (float) – Confidence required for an example to be marked as adversarial. Controls the gap between example and decision boundary.

  • initial_const (float) – Initial value of the const c with which the binary search starts.

  • abort_early (bool) – Stop inner search as soons as an adversarial example has been found. Does not affect the binary search over the const c.

References

4

Nicholas Carlini, David Wagner, “Towards evaluating the robustness of neural networks. In 2017 ieee symposium on security and privacy” https://arxiv.org/abs/1608.04644

class foolbox.attacks.NewtonFoolAttack(steps=100, stepsize=0.01)

Implementation of the NewtonFool Attack. 5

Parameters
  • steps (int) – Number of update steps to perform.

  • step_size – Size of each update step.

  • stepsize (float) –

References

5

Uyeong Jang et al., “Objective Metrics and Gradient Descent Algorithms for Adversarial Examples in Machine Learning”, https://dl.acm.org/citation.cfm?id=3134635

class foolbox.attacks.EADAttack(binary_search_steps=9, steps=10000, initial_stepsize=0.01, confidence=0.0, initial_const=0.001, regularization=0.01, decision_rule='EN', abort_early=True)

Implementation of the EAD Attack with EN Decision Rule. 6

Parameters
  • binary_search_steps (int) – Number of steps to perform in the binary search over the const c.

  • steps (int) – Number of optimization steps within each binary search step.

  • initial_stepsize (float) – Initial stepsize to update the examples.

  • confidence (float) – Confidence required for an example to be marked as adversarial. Controls the gap between example and decision boundary.

  • initial_const (float) – Initial value of the const c with which the binary search starts.

  • regularization (float) – Controls the L1 regularization.

  • decision_rule (Union[typing_extensions.Literal['EN'], typing_extensions.Literal['L1']]) – Rule according to which the best adversarial examples are selected. They either minimize the L1 or ElasticNet distance.

  • abort_early (bool) – Stop inner search as soons as an adversarial example has been found. Does not affect the binary search over the const c.

References

6

Pin-Yu Chen, Yash Sharma, Huan Zhang, Jinfeng Yi, Cho-Jui Hsieh,

“EAD: Elastic-Net Attacks to Deep Neural Networks via Adversarial Examples”, https://www.aaai.org/ocs/index.php/AAAI/AAAI18/paper/viewPaper/16893

class foolbox.attacks.GaussianBlurAttack(*, distance=None, steps=1000, channel_axis=None, max_sigma=None)

Blurs the inputs using a Gaussian filter with linearly increasing standard deviation.

Parameters
  • steps (int) – Number of sigma values tested between 0 and max_sigma.

  • channel_axis (Optional[int]) – Index of the channel axis in the input data.

  • max_sigma (Optional[float]) – Maximally allowed sigma value of the Gaussian blur.

  • distance (Optional[foolbox.distances.Distance]) –

class foolbox.attacks.L2DeepFoolAttack(*, steps=50, candidates=10, overshoot=0.02, loss='logits')

A simple and fast gradient-based adversarial attack.

Implements the DeepFool L2 attack. [#Moos15]_

Parameters
  • steps (int) – Maximum number of steps to perform.

  • candidates (Optional[int]) – Limit on the number of the most likely classes that should be considered. A small value is usually sufficient and much faster.

  • overshoot (float) – How much to overshoot the boundary.

  • Loss function to use inside the update function. (loss) –

  • typing_extensions.Literal['crossentropy']] loss (Union[typing_extensions.Literal['logits'],) –

References

class foolbox.attacks.LinfDeepFoolAttack(*, steps=50, candidates=10, overshoot=0.02, loss='logits')

A simple and fast gradient-based adversarial attack.

Implements the DeepFool L-Infinity attack.

Parameters
  • steps (int) – Maximum number of steps to perform.

  • candidates (Optional[int]) – Limit on the number of the most likely classes that should be considered. A small value is usually sufficient and much faster.

  • overshoot (float) – How much to overshoot the boundary.

  • Loss function to use inside the update function. (loss) –

  • typing_extensions.Literal['crossentropy']] loss (Union[typing_extensions.Literal['logits'],) –

class foolbox.attacks.SaltAndPepperNoiseAttack(steps=1000, across_channels=True, channel_axis=None)

Increases the amount of salt and pepper noise until the input is misclassified.

Parameters
  • steps (int) – The number of steps to run.

  • across_channels (bool) – Whether the noise should be the same across all channels.

  • channel_axis (Optional[int]) – The axis across which the noise should be the same (if across_channels is True). If None, will be automatically inferred from the model if possible.

class foolbox.attacks.LinearSearchBlendedUniformNoiseAttack(*, distance=None, directions=1000, steps=1000)

Blends the input with a uniform noise input until it is misclassified.

Parameters
  • distance (Optional[foolbox.distances.Distance]) – Distance measure for which minimal adversarial examples are searched.

  • directions (int) – Number of random directions in which the perturbation is searched.

  • steps (int) – Number of blending steps between the original image and the random directions.

class foolbox.attacks.BinarizationRefinementAttack(*, distance=None, threshold=None, included_in='upper')

For models that preprocess their inputs by binarizing the inputs, this attack can improve adversarials found by other attacks. It does this by utilizing information about the binarization and mapping values to the corresponding value in the clean input or to the right side of the threshold.

Parameters
  • threshold (Optional[float]) – The treshold used by the models binarization. If none, defaults to (model.bounds()[1] - model.bounds()[0]) / 2.

  • included_in (Union[typing_extensions.Literal['lower'], typing_extensions.Literal['upper']]) – Whether the threshold value itself belongs to the lower or upper interval.

  • distance (Optional[foolbox.distances.Distance]) –

class foolbox.attacks.DatasetAttack(*, distance=None)

Draws randomly from the given dataset until adversarial examples for all inputs have been found.

To pass data form the dataset to this attack, call feed(). feed() can be called several times and should only be called with batches that are small enough that they can be passed through the model.

Parameters

distance (Optional[foolbox.distances.Distance]) – Distance measure for which minimal adversarial examples are searched.

class foolbox.attacks.BoundaryAttack(init_attack=None, steps=25000, spherical_step=0.01, source_step=0.01, source_step_convergance=1e-07, step_adaptation=1.5, tensorboard=False, update_stats_every_k=10)

A powerful adversarial attack that requires neither gradients nor probabilities.

This is the reference implementation for the attack introduced in 7.

Notes

Differences to the original reference implementation: * We do not perform internal operations with float64 * The samples within a batch can currently influence each other a bit * We don’t perform the additional convergence confirmation * The success rate tracking changed a bit * Some other changes due to batching and merged loops

Parameters
  • init_attack (Optional[foolbox.attacks.base.MinimizationAttack]) – Attack to use to find a starting points. Defaults to LinearSearchBlendedUniformNoiseAttack. Only used if starting_points is None.

  • steps (int) – Maximum number of steps to run. Might converge and stop before that.

  • spherical_step (float) – Initial step size for the orthogonal (spherical) step.

  • source_step (float) – Initial step size for the step towards the target.

  • source_step_convergance (float) – Sets the threshold of the stop criterion: if source_step becomes smaller than this value during the attack, the attack has converged and will stop.

  • step_adaptation (float) – Factor by which the step sizes are multiplied or divided.

  • tensorboard (Union[typing_extensions.Literal[False], None, str]) – The log directory for TensorBoard summaries. If False, TensorBoard summaries will be disabled (default). If None, the logdir will be runs/CURRENT_DATETIME_HOSTNAME.

  • update_stats_every_k (int) –

References

7

Wieland Brendel (*), Jonas Rauber (*), Matthias Bethge, “Decision-Based Adversarial Attacks: Reliable Attacks Against Black-Box Machine Learning Models”, https://arxiv.org/abs/1712.04248

class foolbox.attacks.L0BrendelBethgeAttack(init_attack=None, overshoot=1.1, steps=1000, lr=0.001, lr_decay=0.5, lr_num_decay=20, momentum=0.8, tensorboard=False, binary_search_steps=10)

L0 variant of the Brendel & Bethge adversarial attack. [#Bren19]_ This is a powerful gradient-based adversarial attack that follows the adversarial boundary (the boundary between the space of adversarial and non-adversarial images as defined by the adversarial criterion) to find the minimum distance to the clean image.

This is the reference implementation of the Brendel & Bethge attack.

8

Wieland Brendel, Jonas Rauber, Matthias Kümmerer, Ivan Ustyuzhaninov, Matthias Bethge, “Accurate, reliable and fast robustness evaluation”, 33rd Conference on Neural Information Processing Systems (2019) https://arxiv.org/abs/1907.01003

Parameters
  • init_attack (Optional[foolbox.attacks.base.MinimizationAttack]) –

  • overshoot (float) –

  • steps (int) –

  • lr (float) –

  • lr_decay (float) –

  • lr_num_decay (int) –

  • momentum (float) –

  • None, str] tensorboard (Union[typing_extensions.Literal[False],) –

  • binary_search_steps (int) –

class foolbox.attacks.L1BrendelBethgeAttack(init_attack=None, overshoot=1.1, steps=1000, lr=0.001, lr_decay=0.5, lr_num_decay=20, momentum=0.8, tensorboard=False, binary_search_steps=10)

L1 variant of the Brendel & Bethge adversarial attack. [#Bren19]_ This is a powerful gradient-based adversarial attack that follows the adversarial boundary (the boundary between the space of adversarial and non-adversarial images as defined by the adversarial criterion) to find the minimum distance to the clean image.

This is the reference implementation of the Brendel & Bethge attack.

9

Wieland Brendel, Jonas Rauber, Matthias Kümmerer, Ivan Ustyuzhaninov, Matthias Bethge, “Accurate, reliable and fast robustness evaluation”, 33rd Conference on Neural Information Processing Systems (2019) https://arxiv.org/abs/1907.01003

Parameters
  • init_attack (Optional[foolbox.attacks.base.MinimizationAttack]) –

  • overshoot (float) –

  • steps (int) –

  • lr (float) –

  • lr_decay (float) –

  • lr_num_decay (int) –

  • momentum (float) –

  • None, str] tensorboard (Union[typing_extensions.Literal[False],) –

  • binary_search_steps (int) –

class foolbox.attacks.L2BrendelBethgeAttack(init_attack=None, overshoot=1.1, steps=1000, lr=0.001, lr_decay=0.5, lr_num_decay=20, momentum=0.8, tensorboard=False, binary_search_steps=10)

L2 variant of the Brendel & Bethge adversarial attack [#Bren19]_. This is a powerful gradient-based adversarial attack that follows the adversarial boundary (the boundary between the space of adversarial and non-adversarial images as defined by the adversarial criterion) to find the minimum distance to the clean image.

This is the reference implementation of the Brendel & Bethge attack.

10

Wieland Brendel, Jonas Rauber, Matthias Kümmerer, Ivan Ustyuzhaninov, Matthias Bethge, “Accurate, reliable and fast robustness evaluation”, 33rd Conference on Neural Information Processing Systems (2019) https://arxiv.org/abs/1907.01003

Parameters
  • init_attack (Optional[foolbox.attacks.base.MinimizationAttack]) –

  • overshoot (float) –

  • steps (int) –

  • lr (float) –

  • lr_decay (float) –

  • lr_num_decay (int) –

  • momentum (float) –

  • None, str] tensorboard (Union[typing_extensions.Literal[False],) –

  • binary_search_steps (int) –

class foolbox.attacks.LinfinityBrendelBethgeAttack(init_attack=None, overshoot=1.1, steps=1000, lr=0.001, lr_decay=0.5, lr_num_decay=20, momentum=0.8, tensorboard=False, binary_search_steps=10)

L-infinity variant of the Brendel & Bethge adversarial attack. [#Bren19]_ This is a powerful gradient-based adversarial attack that follows the adversarial boundary (the boundary between the space of adversarial and non-adversarial images as defined by the adversarial criterion) to find the minimum distance to the clean image.

This is the reference implementation of the Brendel & Bethge attack.

11

Wieland Brendel, Jonas Rauber, Matthias Kümmerer, Ivan Ustyuzhaninov, Matthias Bethge, “Accurate, reliable and fast robustness evaluation”, 33rd Conference on Neural Information Processing Systems (2019) https://arxiv.org/abs/1907.01003

Parameters
  • init_attack (Optional[foolbox.attacks.base.MinimizationAttack]) –

  • overshoot (float) –

  • steps (int) –

  • lr (float) –

  • lr_decay (float) –

  • lr_num_decay (int) –

  • momentum (float) –

  • None, str] tensorboard (Union[typing_extensions.Literal[False],) –

  • binary_search_steps (int) –

foolbox.attacks.FGM

alias of foolbox.attacks.fast_gradient_method.L2FastGradientAttack

foolbox.attacks.FGSM

alias of foolbox.attacks.fast_gradient_method.LinfFastGradientAttack

foolbox.attacks.L2PGD

alias of foolbox.attacks.projected_gradient_descent.L2ProjectedGradientDescentAttack

foolbox.attacks.LinfPGD

alias of foolbox.attacks.projected_gradient_descent.LinfProjectedGradientDescentAttack

foolbox.attacks.PGD

alias of foolbox.attacks.projected_gradient_descent.LinfProjectedGradientDescentAttack