Update 24-11-2020: the official implementation of DDN, compatible with more recent versions of PyTorch is now implemented in adversarial-library
Code for the article "Decoupling Direction and Norm for Efficient Gradient-Based L2 Adversarial Attacks and Defenses" (https://arxiv.org/abs/1811.09600), to be presented at CVPR 2019 (Oral presentation)
Implementation is done in PyTorch 0.4.1 and runs with Python 3.6+. The code of the attack is also provided on TensorFlow. This repository also contains an implementation of the C&W L2 attack in PyTorch (ported from Carlini's TF version)
For PyTorch 1.1+, check the pytorch1.1+ branch (scheduler.step()
moved).
This package can be installed via pip as follows:
pip install git+https://github.com/jeromerony/fast_adversarial
from fast_adv.attacks import DDN
attacker = DDN(steps=100, device=device)
adv = attacker.attack(model, x, labels=y, targeted=False)
Where model
is a pytorch nn.Module
that takes inputs x
and outputs the pre-softmax activations (logits), x
is a batch of images (N x C x H x W) and labels
are either the true labels (for targeted=False
) or the target labels (for targeted=True
). Note: x
is expected to be on the [0, 1] range: you can use fast_adv.utils.NormalizedModel
to wrap any normalization, such as mean subtraction.
See the "examples" folder for a python and a jupyter notebook example
The following commands were used to adversarially train the models:
MNIST:
python -m fast_adv.defenses.mnist --lr=0.01 --lrs=30 --adv=0 --max-norm=2.4 --sn=mnist_adv_2.4
CIFAR-10 (adversarial training starts at epoch 200):
python -m fast_adv.defenses.cifar10 -e=230 --adv=200 --max-norm=1 --sn=cifar10_wrn28-10_adv_1