A targeted adversarial attack method, which won the NIPS 2017 targeted adversarial attacks competition
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.
nets codes Oct 9, 2017
LICENSE codes Oct 9, 2017
README.md Update README.md May 29, 2018
metadata.json codes Oct 9, 2017
target_attack.py codes Oct 9, 2017




This repository contains the code for the top-1 submission to NIPS 2017: Targeted Adversarial Attacks Competition.


We use the momentum iterative method to generate adversarial examples. We summarize our algorithm in Boosting Adversarial Attacks with Momentum (CVPR 2018, Spotlight).

We notice that targeted attacks have little transferability. The finding is drawn not only from our experiments but also from other submissions to this competition. We think that it's hard to find transferable adversarial examples for the ImageNet dataset with a large number of classes (i.e., 1000), because the decision boundary between two classes may not exhibit the same properties for different models.


If you use momentum iterative method for attacks in your research, please consider citing

  title={Boosting Adversarial Attacks with Momentum},
  author={Dong, Yinpeng and Liao, Fangzhou and Pang, Tianyu and Su, Hang and Zhu, Jun and Hu, Xiaolin and Li, Jianguo},
  booktitle={Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition},



The models can be downloaded here.

If you want to attack other models, you can replace the model definition part to your own models.


We also implement this method in Cleverhans.

Non-targered Attacks

Please find the non-targeted attacks at https://github.com/dongyp13/Non-Targeted-Adversarial-Attacks.