2021 Call for Code Awards: Live from New York, with SNL’s Colin Jost! Learn more

Integrate adversarial attacks in a model training pipeline


Adversarial attacks pose a real threat to the deployment of AI systems in security-critical applications, and they present an asymmetrical challenge with respect to attackers and defenders. An attacker’s reward is a successful attack that doesn’t raise suspicion, while a defender wants to develop strategies that can guard against all known attacks and ideally for all possible inputs. This code pattern explains how to use a Jupyter Notebook to integrate the Fast Gradient Method (FGM) from the Adversarial Robustness Toolbox (ART) into a model training pipeline leveraging Fabric for Deep Learning (FfDL). The generated adversarial samples are then used to evaluate the robustness of the trained model.


Evaluating the robustness of machine learning models against adversarial attacks is becoming an integral step in machine learning pipelines. The Adversarial Robustness Toolbox (ART) is a library that is dedicated to adversarial machine learning. Its purpose is to allow rapid crafting and analysis of attack and defense methods for machine learning models with implementations for many state-of-the-art methods for attacking and defending classifiers.

Fabric for Deep Learning (FfDL, pronounced “fiddle”) provides a consistent way to run deep learning frameworks such as TensorFlow, PyTorch, Caffe, and Keras as a service on Kubernetes, hiding a lot of the complexities of setting up distributed deep learning training environments. Training machine learning models is also a very iterative process, and this is especially true when incorporating techniques for evaluating and hardening models against attacks by incorporating adversarial samples into the training data set. Jupyter Notebooks are a very popular tool for data scientists because they allow for interactive programming in a web application.

In this code pattern, we use a Jupyter Notebook with Python and Bash shell magics to launch training jobs on FfDL and the Adversarial Robustness Toolbox to detect model vulnerabilities. We explain how training jobs can be configured and started as well as how to follow running training jobs. We use the Keras and TensorFlow deep learning frameworks, and the Boto3 Python SDK to interact with an S3 cloud object storage instance that is required to store the training data and the trained model. From the Adversarial Robustness Toolbox, we run the Fast Gradient Method (FGM) to craft adversarial samples and generate metrics about the robustness of the trained model.



  1. After a FfDL cluster is deployed, install the required Python libraries in a virtual environment and start a local Jupyter Notebook server.
  2. In the Jupyter Notebook, download the Fashion-MNIST data set and upload it to the cloud object storage. Then create a Keras script for training a Convolutional Neural Network (CNN) along with a FfDL model manifest file. The manifest file contains different fields describing the model in FfDL, its object store information, its resource requirements, and several arguments (including hyperparameters) that are required for model execution during training and testing.
  3. Interact with the FfDL cluster using the FfDL CLI from within the Jupyter Notebook to deploy the FfDL model manifest file along with the model definition file and to launch the training job and monitors its progress.
  4. Download the trained model from the cloud object storage instance after the training job is complete and use ART to generate adversarial samples using the Fast Gradient Method. The generated adversarial samples are then used to test the robustness of the trained model showing robustness metrics. Some adversarial samples are visualized, and the original model is used to make predictions on the adversarial samples.


Ready to put this code pattern to use? Complete details on how to get started running and using this application are in the README.