Skip to content
Switch branches/tags
Go to file

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time


This repository contains code for reproducing our NeurIPS 2020 paper "DVERGE: Diversifying Vulnerabilities for Enhanced Robust Generation of Ensembles".


Create the conda environment called dverge containing all the dependencies by running

conda env create -f environment.yml

We were using PyTorch 1.4.0 for all the experiments. You may want to install other versions of PyTorch according to the cuda version of your computer/server. The code is run and tested on a single TITAN Xp GPU. Running on multiple GPUs with parallelism may need adjustments.

Data and pre-trained models

The pre-trained models and generated black-box transfer adversarial examples can be accessed via this link. Specifically, the pre-trained models are stored in the folder named checkpoints. Download and put checkpoints under this repo.

The black-box transfer adversarial examples (refer to the paper for more details) are stored in Make a folder named data under this repo. Download the zip file, unzip it, and put the extracted folder transfer_adv_examples/ under data/. Then one can evaluate the black-box transfer robustness of ensembles.


Examples of training and evaluation scripts can be found in scripts/ and scripts/

Note that for now we extract models' intermediate features in a very naive way which may only support the ResNet20 architecture. One can implement a more robust feature extraction with the help of forward hook of Pytorch.

Also, you may observe a high variation in results when training DVERGE, which we suspect is due to the random layer sampling for distillation. Please refer to Appendix C.5 of the paper for a discussion on the layer effects.


The training code of ADP (Adaptive Diversity Promoting Regularizer) is adapted from the official repo, which is originally written in TensorFlow and we turned it into Pytorch here.


Pytorch implementation of our NeurIPS'20 paper "DVERGE: Diversifying Vulnerabilities for Enhanced Robust Generation of Ensembles"