Fix formatting of paper references in attack documentation

docs/index.md

@@ -48,7 +48,7 @@ pip install torchattack
 
     Learn how to use abstractions of pre-trained victim models, attack creations, and evaluations.
 
-    :material-arrow-right: [Usage](./usage.md)
+    :material-arrow-right: [Usage](./usage/index.md)
 
 - :material-sword-cross:{ .middle } **Attacks**
 
@@ -64,7 +64,7 @@ pip install torchattack
 
     On how to install dependencies, run tests, and build documentation.
 
-    :material-arrow-right: [Development](./development/index.md)
+    :material-arrow-right: [Development](./development.md)
 
 </div>
 

torchattack/admix.py

@@ -10,8 +10,8 @@
 class Admix(Attack):
     """The Admix attack.
 
-    From the paper 'Admix: Enhancing the Transferability of Adversarial Attacks',
-    https://arxiv.org/abs/2102.00436
+    From the paper: [Admix: Enhancing the Transferability of Adversarial
+    Attacks](https://arxiv.org/abs/2102.00436).
 
     Args:
         model: The model to attack.
@@ -23,7 +23,7 @@ class Admix(Attack):
         decay: Decay factor for the momentum term. Defaults to 1.0.
         portion: Portion for the mixed image. Defaults to 0.2.
         size: Number of randomly sampled images. Defaults to 3.
-        num_classes: Number of classes of the dataset used. Defaults to 1001.
+        num_classes: Number of classes of the dataset used. Defaults to 1000.
         clip_min: Minimum value for clipping. Defaults to 0.0.
         clip_max: Maximum value for clipping. Defaults to 1.0.
         targeted: Targeted attack if True. Defaults to False.

torchattack/bia.py

@@ -50,8 +50,8 @@ class BIAWeights(GeneratorWeightsEnum):
 class BIA(Attack):
     """Beyond ImageNet Attack (BIA).
 
-    From the paper 'Beyond ImageNet Attack: Towards Crafting Adversarial Examples for
-    Black-box Domains', https://arxiv.org/abs/2201.11528
+    From the paper: [Beyond ImageNet Attack: Towards Crafting Adversarial Examples for
+    Black-box Domains](https://arxiv.org/abs/2201.11528).
 
     Args:
         device: Device to use for tensors. Defaults to cuda if available.

torchattack/cda.py

@@ -26,8 +26,7 @@ class CDAWeights(GeneratorWeightsEnum):
 class CDA(Attack):
     """Cross-domain Attack (CDA).
 
-    From the paper 'Cross-Domain Transferability of Adversarial Perturbations',
-    https://arxiv.org/abs/1905.11736
+    From the paper: [Cross-Domain Transferability of Adversarial Perturbations](https://arxiv.org/abs/1905.11736).
 
     Args:
         device: Device to use for tensors. Defaults to cuda if available.

torchattack/decowa.py

@@ -10,9 +10,8 @@
 class DeCoWA(Attack):
     """The DeCoWA (Deformation-Constrained Warping Attack) attack.
 
-    From the paper 'Boosting Adversarial Transferability across Model Genus by
-    Deformation-Constrained Warping',
-    https://arxiv.org/abs/2402.03951
+    From the paper: [Boosting Adversarial Transferability across Model Genus by
+    Deformation-Constrained Warping](https://arxiv.org/abs/2402.03951).
 
     Args:
         model: The model to attack.

torchattack/deepfool.py

@@ -10,8 +10,8 @@
 class DeepFool(Attack):
     """The DeepFool attack.
 
-    From the paper 'DeepFool: A Simple and Accurate Method to Fool Deep Neural Networks'
-    https://arxiv.org/abs/1511.04599
+    From the paper: [DeepFool: A Simple and Accurate Method to Fool Deep Neural
+    Networks](https://arxiv.org/abs/1511.04599).
 
     Args:
         model: The model to attack.

torchattack/difgsm.py

@@ -11,8 +11,8 @@
 class DIFGSM(Attack):
     """The DI-FGSM (Diverse-input Iterative FGSM) attack.
 
-    From the paper 'Improving Transferability of Adversarial Examples with Input
-    Diversity' https://arxiv.org/abs/1803.06978
+    From the paper: [Improving Transferability of Adversarial Examples with Input
+    Diversity](https://arxiv.org/abs/1803.06978).
 
     Note:
         Key parameters include `resize_rate` and `diversity_prob`, which defines the

torchattack/dr.py

@@ -11,8 +11,8 @@
 class DR(Attack):
     """The DR (Dispersion Reduction) attack.
 
-    From the paper 'Enhancing Cross-Task Black-Box Transferability of Adversarial
-    Examples With Dispersion Reduction', https://arxiv.org/abs/1911.11616
+    From the paper: [Enhancing Cross-Task Black-Box Transferability of Adversarial
+    Examples With Dispersion Reduction](https://arxiv.org/abs/1911.11616).
 
     Args:
         model: The model to attack.

torchattack/eval/dataset.py

@@ -9,7 +9,7 @@
 class NIPSDataset(Dataset):
     """The NIPS 2017 Adversarial Learning Challenge dataset (derived from ImageNet).
 
-    https://www.kaggle.com/datasets/google-brain/nips-2017-adversarial-learning-development-set
+    <https://www.kaggle.com/datasets/google-brain/nips-2017-adversarial-learning-development-set>
     """
 
     def __init__(
@@ -37,7 +37,7 @@ def __init__(
         Args:
             image_root: Path to the folder containing the images.
             pairs_path: Path to the csv file containing the image names and labels.
-            normalize: An optional transform to apply to the images. Defaults to None.
+            transform: An optional transform to apply to the images. Defaults to None.
             max_samples: Maximum number of samples to load. Defaults to None.
         """
 
@@ -83,6 +83,16 @@ def __getitem__(self, index: int) -> tuple[Any, int, str]:
 class NIPSLoader(DataLoader):
     """A custom dataloader for the NIPS 2017 dataset.
 
+    Args:
+        root: Path to the root folder containing the images and CSV file.
+        image_root: Path to the folder containing the images. Defaults to None.
+        pairs_path: Path to the csv file containing the image names and labels. Defaults to None.
+        transform: An optional transform to apply to the images. Defaults to None.
+        batch_size: Batch size for the dataloader. Defaults to 1.
+        max_samples: Maximum number of samples to load. Defaults to None.
+        num_workers: Number of workers for the dataloader. Defaults to 4.
+        shuffle: Whether to shuffle the dataset. Defaults to False.
+
     Example:
         The dataloader reads image and label pairs (CSV file) from `{path}/images.csv`
         by default, and loads the images from `{path}/images/`.
@@ -106,11 +116,11 @@ def __init__(
         root: str | None,
         image_root: str | None = None,
         pairs_path: str | None = None,
-        batch_size: int = 1,
-        shuffle: bool = False,
-        num_workers: int = 4,
         transform: Callable[[torch.Tensor | Image.Image], torch.Tensor] | None = None,
+        batch_size: int = 1,
         max_samples: int | None = None,
+        num_workers: int = 4,
+        shuffle: bool = False,
     ):
         # Specifing a custom image root directory is useful when evaluating
         # transferability on a generated adversarial examples folder

torchattack/fgsm.py

@@ -10,8 +10,7 @@
 class FGSM(Attack):
     """Fast Gradient Sign Method (FGSM).
 
-    From the paper 'Explaining and Harnessing Adversarial Examples',
-    https://arxiv.org/abs/1412.6572
+    From the paper: [Explaining and Harnessing Adversarial Examples](https://arxiv.org/abs/1412.6572).
 
     Args:
         model: A torch.nn.Module network model.

torchattack/fia.py

@@ -11,8 +11,8 @@
 class FIA(Attack):
     """The FIA (Feature Importance-aware) Attack.
 
-    From the paper 'Feature Importance-aware Transferable Adversarial Attacks'.
-    https://arxiv.org/abs/2107.14185
+    From the paper: [Feature Importance-aware Transferable Adversarial
+    Attacks](https://arxiv.org/abs/2107.14185).
 
     Args:
         model: The model to attack.

torchattack/geoda.py

@@ -80,8 +80,8 @@ class GeoDA(Attack):
         This attack does not fully support batch inputs. Batch size of more than 1 will
         generate adversarial perturbations with incorrect magnitude.
 
-    From the paper 'GeoDA: a geometric framework for black-box adversarial attacks'
-    https://arxiv.org/abs/2003.06468
+    From the paper: [GeoDA: a geometric framework for black-box adversarial
+    attacks](https://arxiv.org/abs/2003.06468).
     """
 
     def __init__(

torchattack/ilpd.py

@@ -11,8 +11,8 @@
 class ILPD(Attack):
     """The ILPD (Intermediate-level Perturbation Decay) Attack.
 
-    From the paper 'Improving Adversarial Transferability via Intermediate-level
-    Perturbation Decay'. https://arxiv.org/abs/2304.13410
+    From the paper: [Improving Adversarial Transferability via Intermediate-level
+    Perturbation Decay](https://arxiv.org/abs/2304.13410).
 
     Args:
         model: The model to attack.

torchattack/ltp.py

@@ -29,8 +29,8 @@ class LTPWeights(GeneratorWeightsEnum):
 class LTP(Attack):
     """LTP Attack (Learning Transferable Adversarial Perturbations).
 
-    From the paper 'Learning Transferable Adversarial Perturbations',
-    https://proceedings.neurips.cc/paper/2021/hash/7486cef2522ee03547cfb970a404a874-Abstract.html
+    From the paper: [Learning Transferable Adversarial
+    Perturbations](https://proceedings.neurips.cc/paper/2021/hash/7486cef2522ee03547cfb970a404a874-Abstract.html).
 
     Args:
         device: Device to use for tensors. Defaults to cuda if available.

torchattack/mifgsm.py

@@ -10,8 +10,7 @@
 class MIFGSM(Attack):
     """The MI-FGSM (Momentum Iterative FGSM) attack.
 
-    From the paper 'Boosting Adversarial Attacks with Momentum',
-    https://arxiv.org/abs/1710.06081
+    From the paper: [Boosting Adversarial Attacks with Momentum](https://arxiv.org/abs/1710.06081).
 
     Args:
         model: The model to attack.

torchattack/naa.py

@@ -11,7 +11,7 @@
 class NAA(Attack):
     """The NAA (Neuron Attribution-based) Attack.
 
-    From the paper [Improving Adversarial Transferability via Neuron Attribution-Based
+    From the paper: [Improving Adversarial Transferability via Neuron Attribution-Based
     Attacks](https://arxiv.org/abs/2204.00008).
 
     Args:

torchattack/nifgsm.py

@@ -14,8 +14,8 @@ class NIFGSM(Attack):
         This attack does not apply the scale-invariant method. For the original attack
         proposed in the paper (SI-NI-FGSM), see `torchattack.sinifgsm.SINIFGSM`.
 
-    From the paper 'Nesterov Accelerated Gradient and Scale Invariance for Adversarial
-    Attacks' https://arxiv.org/abs/1908.06281
+    From the paper: [Nesterov Accelerated Gradient and Scale Invariance for Adversarial
+    Attacks](https://arxiv.org/abs/1908.06281).
 
     Args:
         model: The model to attack.

torchattack/pgd.py

@@ -10,8 +10,8 @@
 class PGD(Attack):
     """The Projected Gradient Descent (PGD) attack.
 
-    From the paper 'Towards Deep Learning Models Resistant to Adversarial Attacks'
-    https://arxiv.org/abs/1706.06083
+    From the paper: [Towards Deep Learning Models Resistant to Adversarial
+    Attacks](https://arxiv.org/abs/1706.06083).
 
     Args:
         model: The model to attack.

torchattack/pgdl2.py

@@ -12,8 +12,8 @@
 class PGDL2(Attack):
     """The Projected Gradient Descent (PGD) attack, with L2 constraint.
 
-    From the paper 'Towards Deep Learning Models Resistant to Adversarial Attacks',
-    https://arxiv.org/abs/1706.06083
+    From the paper: [Towards Deep Learning Models Resistant to Adversarial
+    Attacks](https://arxiv.org/abs/1706.06083).
 
     Args:
         model: The model to attack.

torchattack/pna_patchout.py

@@ -12,8 +12,8 @@
 class PNAPatchOut(Attack):
     """PNA-PatchOut attack for ViTs (Pay no attention & PatchOut).
 
-    From the paper: 'Towards Transferable Adversarial Attacks on Vision Transformers'
-    https://arxiv.org/abs/2109.04176
+    From the paper: [Towards Transferable Adversarial Attacks on Vision
+    Transformers](https://arxiv.org/abs/2109.04176).
 
     Args:
         model: The model to attack.

torchattack/sinifgsm.py

@@ -10,8 +10,8 @@
 class SINIFGSM(Attack):
     """The SI-NI-FGSM (Scale-invariant Nesterov-accelerated Iterative FGSM) attack.
 
-        From the paper 'Nesterov Accelerated Gradient and Scale Invariance for Adversarial
-        Attacks' https://arxiv.org/abs/1908.06281
+    From the paper: [Nesterov Accelerated Gradient and Scale Invariance for Adversarial
+    Attacks](https://arxiv.org/abs/1908.06281).
 
     Args:
         model: The model to attack.

torchattack/ssa.py

@@ -11,8 +11,8 @@
 class SSA(Attack):
     """The SSA - Spectrum Simulation (S^2_I-FGSM) attack.
 
-    From the paper 'Frequency Domain Model Augmentation for Adversarial Attack',
-    https://arxiv.org/abs/2207.05382
+    From the paper: [Frequency Domain Model Augmentation for Adversarial
+    Attack](https://arxiv.org/abs/2207.05382).
 
     N.B.: This is implemented with momentum applied, i.e., on top of MI-FGSM.
 

torchattack/ssp.py

@@ -34,8 +34,8 @@ def __repr__(self) -> str:
 class SSP(Attack):
     """The Self-supervised (SSP) attack.
 
-    From the paper 'A Self-supervised Approach for Adversarial Robustness'
-    https://arxiv.org/abs/2006.04924
+    From the paper: [A Self-supervised Approach for Adversarial
+    Robustness](https://arxiv.org/abs/2006.04924).
 
     Args:
         model: The model to attack.

torchattack/tgr.py

@@ -13,9 +13,8 @@
 class TGR(Attack):
     """TGR attack for ViTs (Token Gradient Regularization).
 
-    From the paper: 'Transferable Adversarial Attacks on Vision Transformers with Token
-    Gradient Regularization'
-    https://arxiv.org/abs/2303.15754
+    From the paper: [Transferable Adversarial Attacks on Vision Transformers with Token
+    Gradient Regularization](https://arxiv.org/abs/2303.15754).
 
     Args:
         model: The model to attack.

torchattack/tifgsm.py

@@ -12,8 +12,8 @@
 class TIFGSM(Attack):
     """The TI-FGSM (Translation-invariant Iterative FGSM) attack.
 
-    From the paper 'Evading Defenses to Transferable Adversarial Examples by
-    Translation-Invariant Attacks' https://arxiv.org/abs/1904.02884
+    From the paper: [Evading Defenses to Transferable Adversarial Examples by
+    Translation-Invariant Attacks](https://arxiv.org/abs/1904.02884).
 
     Note:
         Key parameters include `kernel_len` and `n_sig`, which defines the size and

torchattack/vdc.py

@@ -13,9 +13,8 @@
 class VDC(Attack):
     """VDC (Virtual Dense Connection) attack for ViTs.
 
-    From the paper: 'Improving the Adversarial Transferability of Vision Transformers
-    with Virtual Dense Connection'
-    https://ojs.aaai.org/index.php/AAAI/article/view/28541
+    From the paper: [Improving the Adversarial Transferability of Vision Transformers
+    with Virtual Dense Connection](https://ojs.aaai.org/index.php/AAAI/article/view/28541).
 
     Args:
         model: The model to attack.

torchattack/vmifgsm.py

@@ -10,9 +10,8 @@
 class VMIFGSM(Attack):
     """The VMI-FGSM (Variance-tuned Momentum Iterative FGSM) attack.
 
-    From the paper
-    'Enhancing the Transferability of Adversarial Attacks through Variance Tuning'
-    https://arxiv.org/abs/2103.15571
+    From the paper: [Enhancing the Transferability of Adversarial Attacks through
+    Variance Tuning](https://arxiv.org/abs/2103.15571).
 
     Note:
         Key parameters are `n` and `beta`, where `n` is the number of sampled

torchattack/vnifgsm.py

@@ -10,8 +10,8 @@
 class VNIFGSM(Attack):
     """The VNI-FGSM (Variance-tuned Nesterov Iterative FGSM) attack.
 
-    From the paper 'Enhancing the Transferability of Adversarial Attacks through
-    Variance Tuning' https://arxiv.org/abs/2103.15571
+    From the paper: [Enhancing the Transferability of Adversarial Attacks through
+    Variance Tuning](https://arxiv.org/abs/2103.15571).
 
     Note:
         Key parameters are `n` and `beta`, where `n` is the number of sampled