Update (from Logan Engstrom): this repository has been modified to fit the API for the project.


Update: this repository is out of date. It contains strictly less
useful code than the repository at the following URL:

In particular, do not use the l0 attack in this repository; it is
only effective at breaking defensive distillation (not other defenses).


Defensive Distillation was recently proposed as a defense against
adversarial examples.
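For context, defensive distillation trains the network on soft labels produced by a softmax evaluated at a high temperature T. The sketch below (plain NumPy, not code from this repository) shows the temperature-scaled softmax the defense is built on: at T=1 the distribution is sharp, while at large T it flattens into the "soft labels" used for distillation.

```python
import numpy as np

def softmax_at_temperature(logits, T=1.0):
    """Temperature-scaled softmax; defensive distillation trains with large T."""
    z = np.asarray(logits, dtype=float) / T
    z = z - z.max()          # subtract max for numerical stability
    e = np.exp(z)
    return e / e.sum()

logits = np.array([10.0, 5.0, 1.0])
print(softmax_at_temperature(logits, T=1))    # sharply peaked on the top class
print(softmax_at_temperature(logits, T=100))  # nearly uniform "soft labels"
```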

Unfortunately, distillation is not secure. We show this in our paper, at
We strongly believe that research should be reproducible, and so we are
releasing the code required to train a baseline model on MNIST, train
a defensively distilled model on MNIST, and attack the defensively
distilled model.

To run the code, you will need Python 3.x with TensorFlow. It will be slow
unless you have a GPU to train on.

Begin by running and ; these will
create three model files, two of which are useful. They should report
a final accuracy of around 99.3% +/- 0.2%.

To construct adversarial examples, run passing as an argument
either models/baseline or models/distilled. This will run the modified l0
adversary on the given model. The attack should succeed with probability
~95%, modifying ~35 pixels.
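An l0 adversary minimizes the *number* of pixels it changes rather than the total perturbation size. As a rough illustration of that objective only (not the attack implemented in this repository, which targets neural networks), a greedy version on a toy binary linear classifier might look like:

```python
import numpy as np

def greedy_l0_attack(x, w, b, max_pixels=35):
    """Toy l0-style attack on a binary linear classifier sign(w @ x + b):
    flip pixels to an extreme value (0 or 1), most influential first,
    until the predicted label changes."""
    x_adv = x.copy()
    orig = np.sign(w @ x + b)
    for n, i in enumerate(np.argsort(-np.abs(w))[:max_pixels], start=1):
        # push pixel i to whichever extreme reduces the original-class score
        x_adv[i] = 0.0 if orig * w[i] > 0 else 1.0
        if np.sign(w @ x_adv + b) != orig:
            return x_adv, n  # success: n pixels modified
    return None, None        # failed within the pixel budget

# Example: a 3-"pixel" input classified by a toy linear model.
w, b = np.array([3.0, -2.0, 1.0]), 0.0
x = np.array([1.0, 1.0, 1.0])
x_adv, n_changed = greedy_l0_attack(x, w, b)
print(n_changed)  # prints 1: one pixel change flips the label
```

The real attack replaces the gradient of a linear score with gradients through the network, but the success criterion is the same: flip the label while touching as few pixels as possible.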

