A Toolbox for Adversarial Robustness Research

advertorch logo


AdverTorch is a Python toolbox for adversarial robustness research. The primary functionalities are implemented in PyTorch. Specifically, AdverTorch contains modules for generating adversarial perturbations and defending against adversarial examples, as well as scripts for adversarial training.

Latest version (v0.1)


Installing AdverTorch itself

We developed AdverTorch under Python 3.6 and PyTorch 1.0.0 & 0.4.1. To install AdverTorch, simply run

pip install advertorch

or clone the repo and run

python setup.py install

To install the package in "editable" mode:

pip install -e .

Setting up the testing environments

Some attacks are tested against implementations in Foolbox or CleverHans to ensure correctness. Currently, they are tested under the following versions of related libraries.

conda install -c anaconda tensorflow-gpu==1.11.0
pip install git+
pip install Keras==2.2.2
pip install foolbox==1.3.2


# prepare your pytorch model as "model"
# prepare a batch of data and label as "cln_data" and "true_label"
# ...

import torch
import torch.nn as nn

from advertorch.attacks import LinfPGDAttack

adversary = LinfPGDAttack(
    model, loss_fn=nn.CrossEntropyLoss(reduction="sum"), eps=0.3,
    nb_iter=40, eps_iter=0.01, rand_init=True, clip_min=0.0, clip_max=1.0,
    targeted=False)

# untargeted attack: push predictions away from the true label
adv_untargeted = adversary.perturb(cln_data, true_label)

# targeted attack: push predictions toward a chosen target class
target = torch.ones_like(true_label) * 3
adversary.targeted = True
adv_targeted = adversary.perturb(cln_data, target)

For runnable examples, see advertorch_examples/tutorial_attack_defense_bpda_mnist.ipynb for how to attack and defend, and see advertorch_examples/ for how to adversarially train a robust model on MNIST.
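Adversarial training as used in the examples follows a standard pattern: at each step, craft adversarial examples against the current model, then take the optimizer step on the loss computed at those perturbed inputs. A minimal sketch in plain PyTorch is below; the L-inf PGD inner loop is written inline (rather than via advertorch's LinfPGDAttack) so the snippet is self-contained, and the model, batch shapes, and hyperparameters are illustrative, not the values used by the repo's scripts.

```python
import torch
import torch.nn as nn

def pgd_linf(model, x, y, eps=0.3, eps_iter=0.01, nb_iter=40):
    """Craft untargeted L-inf PGD adversarial examples for inputs in [0, 1]."""
    delta = torch.empty_like(x).uniform_(-eps, eps)  # random init inside the eps-ball
    for _ in range(nb_iter):
        delta.requires_grad_(True)
        loss = nn.functional.cross_entropy(model(x + delta), y)
        grad, = torch.autograd.grad(loss, delta)
        with torch.no_grad():
            # ascend the loss, then project back to the eps-ball and valid pixel range
            delta = (delta + eps_iter * grad.sign()).clamp(-eps, eps)
            delta = (x + delta).clamp(0.0, 1.0) - x
    return (x + delta).detach()

# one adversarial training step on toy MNIST-shaped data
model = nn.Sequential(nn.Flatten(), nn.Linear(784, 10))
opt = torch.optim.SGD(model.parameters(), lr=0.1)
x = torch.rand(8, 1, 28, 28)
y = torch.randint(0, 10, (8,))

x_adv = pgd_linf(model, x, y, nb_iter=5)  # few iterations here, just for speed
loss = nn.functional.cross_entropy(model(x_adv), y)
opt.zero_grad()
loss.backward()
opt.step()
```

In a real training script this step runs over every minibatch of the training set; the repo's MNIST example uses advertorch's attack classes for the inner loop instead of hand-written PGD.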


The documentation is hosted on readthedocs.

Coming Soon

AdverTorch is still under active development. We will add the following features/items down the road:

  • more examples
  • support for other machine learning frameworks, e.g. TensorFlow
  • more attacks, defenses and other related functionalities
  • support for other Python versions and future PyTorch versions
  • contributing guidelines
  • ...

Known issues

FastFeatureAttack and JacobianSaliencyMapAttack do not pass the tests against the version of CleverHans used. (They used to pass the tests on a previous version of CleverHans.) This issue is being investigated; these tests are currently marked as "skipped" in pytest.


This project is licensed under the LGPL. The terms and conditions can be found in the LICENSE and LICENSE.GPL files.


If you use AdverTorch in your research, we kindly ask that you cite the following technical report:

@article{ding2019advertorch,
  title={{AdverTorch} v0.1: An Adversarial Robustness Toolbox based on PyTorch},
  author={Ding, Gavin Weiguang and Wang, Luyu and Jin, Xiaomeng},
  journal={arXiv preprint arXiv:1902.07623},
  year={2019}
}

