Skip to content
Improving Transferability of Adversarial Examples with Input Diversity
Branch: master
Clone or download
Latest commit 10ffd9b May 1, 2019
Type Name Latest commit message Commit time
Failed to load latest commit information.
LICENSE Create LICENSE Mar 19, 2018 Update Apr 30, 2019 revise the Mar 19, 2018
demo.png Add files via upload Mar 19, 2018
relationship.png Add files via upload Mar 19, 2018

Improving Transferability of Adversarial Examples with Input Diversity

This paper proposed to improve the transferability of adversarial examples by creating diverse input patterns ( Instead of only using the original images to generate adversarial examples, the proposed method, Diverse Input Iterative Fast Gradient Sign Method (DI2-FGSM), applies random transformations to the input images at each iteration. The generated adversarial examples are much more transferable than those generated by FGSM and I-FGSM. An example is shown below:



To improve the transferability further, we

By evaluating this enhanced attack w.r.t. the top 3 defense submissions and 3 official baselines from NIPS 2017 adversarial competition (, it reaches an average success rate of 73.0%, which outperforms the top 1 attack submission in the NIPS competition by a large margin of 6.6%. Please refer to the Table 3 in the paper for details.

Relationships between different attacks

Different attacks can be related via different parameter settings, as shown below:

Inception_v3 model


Citing this work

If you find this work is useful in your research, please consider citing:

    title={Improving Transferability of Adversarial Examples with Input Diversity},
    author={Xie, Cihang and Zhang, Zhishuai and Zhou, Yuyin and Bai, Song and Wang, Jianyu and Ren, Zhou and Yuille, Alan},
    Booktitle = {Computer Vision and Pattern Recognition},
You can’t perform that action at this time.