An evasion attack is an adversarial technique executed during the inference phase of a machine learning pipeline. The attacker crafts a perturbed input—often by adding imperceptible noise calculated via methods like Projected Gradient Descent (PGD)—that causes a deployed model to output an incorrect prediction with high confidence. Critically, the model's weights and architecture remain untouched; the attack exploits blind spots in the learned decision boundary.
Glossary
Evasion Attack

What is Evasion Attack?
An evasion attack is a type of adversarial attack performed at inference time where an attacker modifies the input sample to cause misclassification without altering the underlying model's parameters or training data.
Unlike data poisoning or backdoor attacks, evasion attacks do not require access to the training pipeline. They are the most common threat in production systems, ranging from digital perturbations that fool image classifiers to physical adversarial attacks using stickers that cause autonomous agents to misperceive stop signs. Defenses include adversarial training and input preprocessing techniques like feature squeezing, though adaptive attacks designed with knowledge of these defenses remain a persistent challenge.
Key Characteristics of Evasion Attacks
Evasion attacks represent the most common deployment of adversarial machine learning, where an attacker manipulates the input query to a fixed, already-trained model to induce misclassification or erroneous agent action without altering the model's parameters or training data.
Inference-Time Manipulation
The defining characteristic of an evasion attack is that it occurs after model training is complete. The attacker does not require access to the training pipeline, poisoned data, or model weights. Instead, they craft a malicious input—often an adversarial example—that exploits the model's learned decision boundaries during prediction. This distinguishes evasion from data poisoning or backdoor attacks, which compromise the model before deployment. The model's parameters remain frozen; only the input is perturbed.
Imperceptible Perturbations
Evasion attacks typically rely on perturbations that are imperceptible or semantically meaningless to humans but catastrophic for model logic. In the visual domain, this involves adding a carefully calculated noise vector constrained by an Lp-norm budget (often L∞ or L2) so the image appears unchanged. For agent systems, this extends to acoustic adversarial examples that sound like normal audio, or subtle typographical changes in text prompts that bypass content filters. The core principle is exploiting the misalignment between human perception and model feature extraction.
Physical World Realizability
Evasion is not limited to the digital domain. Physical adversarial attacks manifest as tangible objects designed to fool real-world perception systems. Examples include:
- Adversarial patches: Printed stickers placed on stop signs that cause an autonomous vehicle's detector to classify them as speed limit signs.
- LiDAR spoofing: Firing precisely timed laser pulses to inject phantom 3D points or delete real obstacles from a point cloud.
- Camouflage textures: 3D-printed objects with specific surface patterns that cause object detectors to fail under varying lighting and angles. These attacks leverage Expectation Over Transformation (EOT) to remain robust across viewpoint shifts.
Cross-Modal Transferability
In multimodal agent systems, evasion attacks can exploit inconsistencies across sensing modalities. A multimodal adversarial example is crafted to simultaneously fool vision, audio, and depth sensors, or to attack the fusion mechanism itself. For instance, an attacker might generate a visual perturbation that causes a Vision-Language-Action (VLA) model to misinterpret a scene, leading to an incorrect physical action. The attack surface expands dramatically when an agent's decision depends on the alignment of heterogeneous input streams.
Evasion Attack vs. Related Threat Vectors
A comparison of Evasion Attacks with other adversarial threat vectors that compromise model integrity at different stages of the machine learning lifecycle.
| Feature | Evasion Attack | Data Poisoning | Backdoor Attack | Model Extraction |
|---|---|---|---|---|
Attack Stage | Inference time | Training time | Training or fine-tuning time | Post-deployment querying |
Model Modification | ||||
Attacker Goal | Cause misclassification on specific inputs | Degrade overall model accuracy | Trigger misclassification on inputs with secret pattern | Steal model functionality or parameters |
Requires Training Data Access | ||||
Persistence | Transient; attack exists only in perturbed input | Permanent; model is corrupted until retrained | Persistent; trigger remains dormant until activated | N/A; attacker obtains a copy |
Stealth Requirement | Perturbation must be imperceptible to humans | Poisoned samples must evade data validation | Trigger must be inconspicuous in normal use | Queries must appear legitimate to avoid rate limiting |
Primary Defense | Adversarial training, certified robustness | Data provenance, anomaly detection on training data | Neural cleanse, spectral signature detection | Query rate limiting, differential privacy, API hardening |
Typical Threat Model | White-box or black-box access to deployed model | Insider threat or compromised data pipeline | Supply chain attack or malicious fine-tuning | Black-box API access with unlimited queries |
Frequently Asked Questions
Explore the mechanics of inference-time adversarial manipulation, where attackers perturb inputs to deceive machine learning models without altering the underlying parameters.
An evasion attack is a type of adversarial attack performed at inference time where an attacker modifies the input sample to cause misclassification without altering the underlying model's parameters or training data. Unlike data poisoning or backdoor attacks, evasion attacks do not require access to the training pipeline. The attacker starts with a legitimate input that the model correctly classifies, then applies a carefully calculated perturbation—often imperceptible to humans—that pushes the input across the model's decision boundary. For example, adding a specific noise pattern to an image of a stop sign might cause an autonomous vehicle's perception system to classify it as a speed limit sign. The core mechanism exploits the linear nature of neural network components in high-dimensional spaces, where small, accumulated changes in pixel values can produce large shifts in the output logits. Evasion attacks can be white-box (attacker has full knowledge of model architecture and gradients), black-box (attacker only observes input-output pairs), or physical (perturbations are realized as stickers or 3D objects in the real world).
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Evasion attacks are one of the most critical threats to production machine learning systems. Understanding the broader taxonomy of adversarial techniques is essential for building robust defenses.
Adversarial Example
The fundamental output of an evasion attack: an input sample intentionally perturbed in a way imperceptible to humans that causes a model to make a high-confidence misclassification. The perturbation is typically constrained by an Lp-norm budget (e.g., L∞ ≤ ε) to ensure the modification remains invisible. These examples expose the fragility of neural network decision boundaries and transfer surprisingly well between different model architectures.
Projected Gradient Descent (PGD)
The gold-standard white-box iterative attack for evaluating adversarial robustness. PGD repeatedly takes a small step in the direction of the loss gradient and projects the result back onto an epsilon-ball around the original input. It is widely considered the strongest first-order adversary and serves as the benchmark for adversarial training defenses. The multi-step nature makes it significantly more powerful than single-step methods like the Fast Gradient Sign Method.
Black-Box Attack
An attack executed without access to model internals—no gradients, architecture, or training data. The adversary relies solely on query access to observe input-output pairs. Key strategies include:
- Transfer attacks: Crafting adversarial examples on a surrogate model and hoping they transfer to the target.
- Score-based attacks: Using output probabilities to estimate gradients via finite differences.
- Decision-based attacks: Walking the decision boundary using only hard-label predictions.
Adversarial Training
The most empirically robust defense against evasion attacks. The training dataset is augmented with adversarially perturbed examples labeled with their ground-truth class, forcing the model to learn smooth decision boundaries. This is formulated as a min-max optimization problem: the inner maximization generates the strongest possible attack, while the outer minimization trains the model to resist it. PGD-based adversarial training remains the standard for state-of-the-art robustness.
Gradient Masking
A false sense of security where a defense produces non-useful or zero gradients, preventing gradient-based attacks from optimizing. This is not true robustness—the model remains vulnerable to black-box transfer attacks or attacks that use a differentiable surrogate. Gradient masking often arises unintentionally from non-differentiable preprocessing layers, stochastic defenses, or shattered gradients. Proper evaluation always includes testing against adaptive attackers who circumvent the mask.
Physical Adversarial Attack
An attack that creates adversarial perturbations in the physical world—such as stickers on stop signs, 3D-printed objects, or altered textures on clothing. These must remain effective under varying lighting, angles, and distances. The Expectation Over Transformation (EOT) technique optimizes the perturbation over a distribution of real-world transformations to ensure robustness. Physical attacks pose a direct threat to autonomous vehicles, surveillance systems, and embodied agents.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us