Code360 powered by Coding Ninjas X Code360 powered by Coding Ninjas X
Last Updated: Mar 27, 2024
Difficulty: Medium

Generating Adversarial Examples using PyTorch

Leveraging ChatGPT - GenAI as a Microsoft Data Expert
Prerita Agarwal
Data Specialist @
23 Jul, 2024 @ 01:30 PM


Hey, have you ever heard about Adversarial Examples or using PyTorch? Is it also possible to answer all your questions? This article will help you to get answers to all your question.

intro image

PyTorch is a  machine learning open-source python-based framework made from a combination of python programming language and Torch Library. A Torch Is also an open-source ML-based programming library that generates deep neural networks and uses Lua as a scripting language. Torch is also the most widely popular language for deep learning among all the other available languages and is thus widely used. 

PyTorch is also very similar and hence a popular ml library developed by Facebook's Ai research group for the training and development of deep learning neural network-based machine learning models.

What are Adversarial Examples?

An Adversarial Example is an input that is known for generating confusion in the deep learning neural network model, and the information is very similar and generally impossible to distinguish from the naked human eye; it can create a misclassification condition in the deep learning model, which something also leads to misclassification and prediction and can also affect the accuracy of the model, such an input which generally image type which is rarely distinguishable from the one accurate one. This effect also works on data-related texts, such as handwriting accuracy prediction or classification of handwritten textual data. 

Further in the Article, you will understand more about the security vulnerabilities of the ML models, and it will also provide insights into the important topics related to adversarial machine learning. There is also additional information related to imperceptible perturbations of images that can lead to causing a huge difference in the model's performance.

The perturbation(a disturbance in the regular motion) or changes in the state is intended to cause the machine learning model to predict false predictions. The primary purpose behind adversarial examples is to deceive the machine learning-trained model. 

Get the tech career you deserve, faster!
Connect with our expert counsellors to understand how to hack your way to success
User rating 4.7/5
1:1 doubt support
95% placement record
Akash Pal
Senior Software Engineer
326% Hike After Job Bootcamp
Himanshu Gusain
Programmer Analyst
32 LPA After Job Bootcamp
After Job

Various methods to create Adversarial Examples

There are various methods and techniques which can be considered for adversarial examples. Some methods generally deal with minimizing the distance between the given adversarial example and the instances selected for manipulation while shifting the predictions to the adversarial outcome. Some techniques involve the gradient machine learning model, like neural networks. Also, some methods are required to access the prediction function. Also, the below-mentioned techniques deal with an image classifier using deep neural networks as adversarial examples in image processing are given more attention, and many researchers are involved in exploring the visualization of adversarial example images as it is very beneficial from the educational point of view.

Below discussed are the methods of Adversarial Examples: 

Threat Model 

There can be many methods or categories in which Adversarial attacks can affect the machine learning and neural networks model. The goal for each attack may differ depending on the attacker's knowledge and perspective. Generally, the aim is to cause minimal perturbation to the data, which will be used as input and is expected to cause the desired misclassification. The attacker's generally considered the attacks depending on their knowledge, the black box and White-box. 

White box - The white-box attacks when the attacker has full idea and knowledge about the model, including all inputs, outputs, weight, and architecture. 

Black box - In this, the attackers are only aware of the input and output of the model and don't have any knowledge about the underlying architecture.

There are also other goals, like misclassification and source/target misclassification. 

Fast Gradient Sign Attack

The FGSM is the most popular and initial adversarial attack to date. Goodfellow et al. described this method in the Explaining and harnessing adversarial Examples. FGSA is very powerful and intuitive and was designed to attack deep-learning neural networks. The idea behind the FGSA is simple, directly attack inputs that maximize the loss based on the backpropagated gradients. It can also be framed as gradients of loss concerning the inputs and adjusting the inputs to maximize loss.


Ticking Neural Networks: Can be used to create your Adversarial Examples.

Adversarial examples as input in neural networks may result in incorrect output from the network. For instance, let’s consider a panda on the left of the image with 58% confidence that it's a ‘panda.’ The category of panda is the category with the highest confidence of all in the confidence of the other in all categories. But adding a small amount of noise in the machine learning model identifies the same panda model as “gibbon” with high accuracy of 99.3%. 


Targeted Vs. Non - Targeted Attack

  • Targeted Attack: The main aim behind the targeted adversarial attack is to modify the source image slightly in such a way that the image will classify as a target class by an unknown machine learning classifier 
  • Non-Targeted Attack: This is another type of attack known as an untargeted attack. This attack aims to modify the source image slightly so that any machine learning algorithm incorrectly classifies it.



Number of attackers



Number of targets 



The effort required for each attack 



The success probability of each attack 



Generating Adversarial examples using PyTorch

The implementation of Adversarial examples using PyTorch involves the following steps:

Step 1: Importing and installing the libraries required for implementing the PyTorch.

!pip3 install whl 
!pip3 install torchvision
!pip3 install --no-cache-dir -I pillow
#import required libs
import torch
#from torch.autograd. grad check import zero_gradients
import torch.nn.functional as F
import torchvision. Models as models
from PIL import Image
from torchvision import transforms
import NumPy as np
import  io,requests
import matplotlib. pyplot as plt
from torch. autograd import Variable
%matplotlib inline

Step 2: Downloading and loading the pre-trained inceptionv3 model 

The Inception v3 model is an image recognition model that can attain an accuracy of more than or nearly equal to 78.1% on any given image dataset. This model is a collection of various ideas as it was developed by many researchers in the past and is still working on increasing the accuracy of the model. This is also a pre-trained convolution neural network model.

inceptionv3m = models.inception_v3m(pretrained=True) #download and load pretrained inceptionv3m model

Step 3: Upload the image to classify and predict it into the correct category.

Image classification and training: Once the model predicts that the input image is of a panda which is only accurate at about ~58%, then the attack is done or can be said to the model. Then the model predicts the input image as "gibbon" with high accuracy of nearly 99.3%. 

Step 4: Imposing the attack and finding the results predicted by the machine learning model.


Benefits of Generating Adversarial Examples

  • Adversarial in machine learning gives an idea about how model learning can be attacked and fooled. Ultimately, this increases the developer's performance, stability, and understanding of the attacks, thus designing a safer model for such attacks. 
  • Adversarial Machine learning has made it possible and easy to avoid the situation of the crash of the machine learning model.
  • The adversarial examples and the inbuild neural networks naturalize the crash of the machine learning model with dealing with an unexpected outcome.
  • Understating the results or the cause of the attacks. Adversarial can give an overview of the model's suitability and why it cannot be used in commercial applications. 
  • Gaining the trust of the user and customer, a sense of stability and security with AI leads to a positive impression on the user.
  • Deployment Explainability is the motive to understand the reason behind an ML model and check the models' decision-making process more keenly. 

Frequently Asked Questions 

What are Adversarial Examples?

The Adversarial Examples are the inputs given to a machine learning training model to confuse a neural network. 

How will you find Adversarial Examples?

By looking at the inner workings of the neural networks or the inner convolutional layers of the network? Adversarial Examples can be detected.

Mention the reason behind applying the Adversarial Examples.

Adversarial examples are the inputs to the machine learning models that are meant to cause noise or harm the model's accuracy.

Name the parties involved in Adversarial Examples. 

The Adversarial system usually is the third party that is meant to interfere between the first two parties in the model-building process. i.e., the external party.

What does FGSM stand for?

The FGSM is a machine-learning model for the Fast Gradient Sign Method.


This Article discusses how  Adversarial Examples are helpful and give an understanding of how machine learning works and that it can be fooled easily, but some attacks on the model. Here are many other examples related to the understanding of machine learning, Deep learning, and PyTorch Tensorflow. Refer to our guided paths on Coding Ninjas Studio to learn more about DSA, Competitive Programming, JavaScript, System Design, etc. Enroll in our courses and refer to the mock test and problems available; take a look at the interview experiences and interview bundle for placement preparations.

Do upvote our blog to help other ninjas grow.

Merry Learning!

Topics covered
What are Adversarial Examples?
Various methods to create Adversarial Examples
Threat Model 
Fast Gradient Sign Attack
Ticking Neural Networks: Can be used to create your Adversarial Examples.
Targeted Vs. Non - Targeted Attack
Generating Adversarial examples using PyTorch
Benefits of Generating Adversarial Examples
Frequently Asked Questions 
What are Adversarial Examples?
How will you find Adversarial Examples?
Mention the reason behind applying the Adversarial Examples.
Name the parties involved in Adversarial Examples. 
What does FGSM stand for?