
Adversarial Attacks with the Use of Different Gradient-based Methods

Abstract


Image classification is an important part of image processing and has been widely used in various fields. Deep neural networks developed in recent years have proved efficient for image classification and achieve relatively high classification accuracy. However, deep neural networks are vulnerable to adversarial examples. These adversarial examples interfere with the classifier by adding imperceptible disturbances and ultimately mislead it. Earlier work has proposed several attack methods for crafting adversarial examples. In this article, we first study the effectiveness of gradient-based attack methods (BIM, MI-FGSM, DI-FGSM, and TI-FGSM) under different perturbations and models (VGG16, ResNet18, ResNet50, Inception_V3, and DenseNet121). Then, we use the adversarial examples obtained in the first experiment (ε = 16) to test their transferability under different models. The results of the first experiment show that the effectiveness of all attack methods increases as the perturbation ε increases. When ε = 2, ResNet18 misclassifies the most, followed by ResNet50 and then DenseNet121 and VGG16, while Inception_V3 misclassifies the least, which proves that Inception_V3 and VGG16 are less sensitive to disturbances than the other models. In the second experiment, the results show that the classification accuracy of the above five models is highest when BIM is used, followed by MI-FGSM and DI-FGSM, and lowest when TI-FGSM is used, which proves that adversarial examples generated with TI-FGSM have the best transferability, while those generated with BIM have the poorest transferability.
