CleverHans is a widely adopted open-source Python library developed primarily at the University of Toronto and Google Brain for benchmarking machine learning systems against adversarial examples. It provides a standardized, reproducible framework of reference implementations for both state-of-the-art attack algorithms, such as the Fast Gradient Sign Method (FGSM) and Projected Gradient Descent (PGD), and corresponding defense strategies like adversarial training.
Glossary
CleverHans

What is CleverHans?
CleverHans is an open-source Python library for benchmarking the vulnerability of machine learning models to adversarial examples, providing standardized implementations of attack and defense algorithms.
The library is designed to facilitate rigorous adversarial robustness testing by offering a unified interface compatible with major deep learning frameworks, including TensorFlow, PyTorch, and JAX. By standardizing the evaluation methodology, CleverHans enables researchers and engineers to reliably compare the efficacy of different attacks and defenses, making it a foundational tool in the adversarial machine learning security domain.
Key Features of CleverHans
A foundational open-source Python library for benchmarking machine learning models against adversarial examples, providing standardized implementations of both attack and defense algorithms.
Standardized Attack Implementations
Provides canonical, reference-grade implementations of major adversarial attacks, enabling reproducible research and consistent benchmarking.
- Fast Gradient Sign Method (FGSM): Single-step white-box attack using the sign of the loss gradient
- Projected Gradient Descent (PGD): Iterative, multi-step variant considered a universal first-order adversary
- Carlini & Wagner (C&W): Optimization-based attack finding minimally distorted adversarial examples
- DeepFool: Iterative attack computing minimal perturbations to cross the decision boundary
- JSMA (Jacobian-based Saliency Map Attack): Greedy attack modifying the most salient pixels for a target class
Defense Mechanisms Library
Implements a comprehensive suite of defensive strategies to harden models against adversarial manipulation, allowing direct comparison of mitigation efficacy.
- Adversarial Training: Augments training data with on-the-fly generated adversarial examples to learn robust decision boundaries
- Ensemble Adversarial Training: Trains using adversarial examples crafted from multiple source models to improve transferability robustness
- Defensive Distillation: Uses soft probability vectors from a teacher model to smooth the loss landscape and reduce gradient magnitudes
Multi-Framework Backend Support
Designed with a modular architecture that abstracts attack and defense logic from the underlying deep learning framework, supporting the most widely used ecosystems.
- TensorFlow: Native and most mature backend with full feature parity
- PyTorch: Full support via
cleverhans.torchmodule for PyTorch-native workflows - JAX: Experimental support for high-performance, composable function transformations
- NumPy: Reference implementations for pedagogical and lightweight use cases
Robustness Benchmarking & Metrics
Includes utilities for systematic evaluation of model robustness using standardized metrics, enabling apples-to-apples comparisons across different defense proposals.
- Attack Success Rate: Percentage of adversarial examples that cause misclassification
- Robust Accuracy: Model accuracy evaluated on a fully perturbed test set
- Perturbation Magnitude: Measures the Lp-norm distance between original and adversarial inputs
- Report Generation: Tools to produce structured benchmarking reports for academic and industry use
Tutorials & Reproducible Research
Ships with extensive Jupyter notebook tutorials that walk through attack and defense concepts step-by-step, directly tied to published academic research.
- FGSM Tutorial: End-to-end walkthrough of generating and defending against fast gradient attacks on MNIST and CIFAR-10
- Adversarial Training Tutorial: Demonstrates PGD-based adversarial training to achieve measurable robustness gains
- C&W Attack Tutorial: Detailed explanation of the optimization formulation and hyperparameter tuning
- All tutorials are self-contained and designed to produce results matching published benchmarks
Community & Academic Provenance
Developed and maintained by the Google Brain team and the broader academic community, with contributions from leading adversarial ML researchers worldwide.
- Originated from the seminal paper "CleverHans v2.1.0: An Adversarial Machine Learning Library" by Papernot et al.
- Serves as the reference implementation for hundreds of peer-reviewed papers in top venues like NeurIPS, ICML, and ICLR
- Governed under the Linux Foundation's Adversarial Robustness Toolbox (ART) umbrella for long-term stewardship
Frequently Asked Questions
Common questions about the CleverHans adversarial machine learning library, its capabilities, and its role in security research.
CleverHans is an open-source Python library developed primarily by the Google Brain team and the University of Toronto for benchmarking the vulnerability of machine learning models to adversarial examples. It provides standardized, reference implementations of state-of-the-art attack algorithms (like FGSM, PGD, and C&W) and defense mechanisms (like adversarial training). Researchers and engineers use it to evaluate the robust accuracy of image classifiers, NLP models, and other neural networks against maliciously perturbed inputs. It serves as a common testing ground to ensure that security claims about a model's resilience are reproducible and comparable across different studies.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Core concepts, attack algorithms, and defensive frameworks that form the adversarial robustness landscape, with CleverHans serving as a foundational benchmarking library.
Adversarial Example
An input to a machine learning model that has been intentionally perturbed in a way imperceptible to humans, causing the model to make an incorrect classification with high confidence. These perturbations are typically constrained within a small Lp-norm epsilon-ball around the original input.
- White-box attacks: Attacker has full access to model gradients
- Black-box attacks: Attacker only observes input-output pairs
- Physical attacks: Perturbations that survive real-world conditions like camera capture
Fast Gradient Sign Method (FGSM)
A single-step, white-box attack introduced by Goodfellow et al. that creates adversarial examples by adding a small perturbation in the direction of the gradient of the loss function with respect to the input. The perturbation magnitude is controlled by the hyperparameter epsilon.
- Computationally efficient: requires only one backward pass
- Formula:
x_adv = x + ε * sign(∇_x J(θ, x, y)) - Serves as a baseline for evaluating more sophisticated attacks
Projected Gradient Descent (PGD)
A powerful iterative white-box attack that repeatedly applies FGSM with a small step size and projects the result back onto an epsilon-ball around the original input. PGD is widely considered a first-order universal adversary and serves as the standard benchmark for evaluating adversarial robustness.
- Multi-step variant: applies FGSM
ktimes with step sizeα - Projection ensures perturbation stays within L∞ bounds
- Often used as the inner maximization step in adversarial training
Adversarial Training
A defensive technique that augments the training dataset with adversarial examples generated against the current model state, forcing the model to learn a more robust decision boundary. This is the most empirically effective defense against adversarial attacks.
- Min-max formulation: outer minimization on clean loss, inner maximization on adversarial loss
- PGD-based adversarial training is the de facto standard
- Trade-off: typically reduces clean accuracy while improving robust accuracy

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us