Aggregated Attack Library Documentation
Foolbox Attacks Library
Definition: A simple implementation of the fast gradient-based adversarial attack. Allows L2 and L∞ order of the norms.
Parameters:
- Epsilons
- Model Lower Bound
- Model Upper Bound
- Order of the Norm
Definition: Second-order gradient-based attack on the logits. 1 The attack calculates an untargeted adversarial perturbation by performing a approximated second order optimization step on the KL divergence between the unperturbed predictions and the predictions for the adversarial perturbation.
Parameters:
- Epsilons
- Model Lower Bound
- Model Upper Bound
- Order of the Norm
- Random Start
Definition: The basic iterative attack involves making small, incremental changes to the input data to create effective adversarial examples.
Parameters:
- Epsilons
- Model Lower Bound
- Model Upper Bound
- Order of the Norm
- Random Start
Definition: Samples gaussian noise with a fixed L2 size. Can include repeatedly adding to samples, clipping, or both.
Parameters:
- Epsilons
- Model Lower Bound
- Model Upper Bound
- Order of the Norm
- Attack Types
Definition: Samples uniform noise with a fixed order of the norm size. Can include repeatedly adding to samples, clipping, or both.
Parameters:
- Epsilons
- Model Lower Bound
- Model Upper Bound
- Order of the Norm
- Attack Types
Definition: Creates “negative images” by inverting the pixel values.
Parameters:
- Epsilons
- Model Lower Bound
- Model Upper Bound
Definition: Increases the amount of salt and pepper noise until the input is misclassified.
Parameters:
- Epsilons
- Model Lower Bound
- Model Upper Bound
Definition: Reduces the contrast of the input using a linear/binary search to find the smallest adversarial. perturbation
Parameters:
- Epsilons
- Model Lower Bound
- Model Upper Bound
- Search Types
CleverHans Attacks Library:
Definition: Second-order gradient-based attack on the logits. 1 The attack calculates an untargeted adversarial perturbation by performing a approximated second order optimization step on the KL divergence between the unperturbed predictions and the predictions for the adversarial perturbation.
Parameters:
- Epsilons
- Order of the Norm
Definition: A technique for generating adversarial examples by iteratively perturbing input data along the gradient direction until reaching a point within a specified distance from the original data that maximizes the loss of a target model.
Parameters:
- Epsilons
- Epsilon Step Size
- Order of the Norm (L2, LInf)
- Attack Iterations
Definition: A technique for generating adversarial examples by iteratively applying small perturbations to input data in the direction of the gradient of the loss with respect to the input until reaching a point that maximizes the loss of a target model.
Parameters:
- Epsilon
- Epsilon Step Size
- Attack Iterations
- Order of the Norm
Definition: Momentum iterative method adversarial attack is a variant of the basic iterative method that uses a momentum term to smooth the update direction and accelerate convergence towards the optimal adversarial example.
Parameters:
- Epsilon
- Epsilon Step Size
- Attack Iterations
- Order of the Norm
- Decay Factor
Definition: Madry et al adversarial attack is a powerful variant of the projected gradient descent method that uses a stronger constraint on the size of the perturbation and trains the model using adversarial examples generated with this technique to improve its robustness against future attacks.
Parameters:
- Epsilon
- Epsilon Step Size
- Attack Iterations
- Order of the Norm
Definition: Simultaneous Perturbation Stochastic Approximation (SPSA) adversarial attack is a black-box attack technique that estimates the gradient of the loss function using noisy samples and updates the input data with a step size that is adaptively adjusted to maximize the loss of the target model.
Parameters:
- Epsilon
- Model Lower Bound
- Model Upper Bound
- Order of the Norm