Project page for our paper: Interpreting Adversarially Trained Convolutional Neural Networks
Code for our ICML'19 paper: Interpreting Adversarially Trained Convolutional Neural Networks, by Tianyuan Zhang, Zhanxing Zhu.

How to run

If you want to run code on your own, I only provide codes on Caltech-256. We do not upload the dataset and trainned networks due to the fact that they are storage consuming. Training(Adversarial Training) scripts in this repo is not well writen, I suugest you to use your own scripts, or scripts provided in this repo


The four most important python files for Caltech-256

They are all in /code/baseline/ :,,

  1. trains CNNs. It contains sufficient comments to understand how to customize your trainings.
  2. implements PGD and FGSM attackers.
  3. implements SmoothGrad
  4. implements Saturation and Patch-shuffle operation. For style transfer, you have to use code provided in
  5. in code/spatial-transform.adv.train/ implements Spatially transformed attack.

  1. Dowload the data from to /code/Caltech256/data
  2. cd data and run to generate training set and test set.
  3. cd code/baseline and run to train standard CNNs
  4. cd code/pgd.inf.eps8 and run to adversarially train CNNs against a $l_{\inf}$ -norm bounded PGD attacker. code in /code/Caltech256/code/pgd.l2.eps8 are for $l_2$ -norm bounded adversarial training .
  5. and in /code/Caltech256/code/baseline/ contains code to generate salience maps.

TinyImageNet & CIFAR-10

Code for TinyImageNet, and CIAFR-10 are similar to that for Caltech-256, important python files such as,, has the same name and functionallities

You still have to download the images from and put them to /code/TinyImageNet/data


  title={Interpreting Adversarially Trained Convolutional Neural Networks},
  author={Zhang, Tianyuan and Zhu, Zhanxing},
  journal={arXiv preprint arXiv:1905.09797},

Please contact tianyuanzhang if you get any question on this paper or the code. ) (^∀^)

