Inferensys

Glossary

Evasion Attack

An evasion attack is a type of adversarial attack performed at inference time where the attacker modifies the input sample to cause misclassification without altering the underlying model.
Developer testing AI inference on mobile phone in hand, laptop with optimization code visible, casual tech review moment.
INFERENCE-TIME ADVERSARIAL THREAT

What is Evasion Attack?

An evasion attack is a type of adversarial attack performed at inference time where an attacker modifies the input sample to cause misclassification without altering the underlying model's parameters or training data.

An evasion attack is an adversarial technique executed during the inference phase of a machine learning pipeline. The attacker crafts a perturbed input—often by adding imperceptible noise calculated via methods like Projected Gradient Descent (PGD)—that causes a deployed model to output an incorrect prediction with high confidence. Critically, the model's weights and architecture remain untouched; the attack exploits blind spots in the learned decision boundary.

Unlike data poisoning or backdoor attacks, evasion attacks do not require access to the training pipeline. They are the most common threat in production systems, ranging from digital perturbations that fool image classifiers to physical adversarial attacks using stickers that cause autonomous agents to misperceive stop signs. Defenses include adversarial training and input preprocessing techniques like feature squeezing, though adaptive attacks designed with knowledge of these defenses remain a persistent challenge.

INFERENCE-TIME THREAT VECTOR

Key Characteristics of Evasion Attacks

Evasion attacks represent the most common deployment of adversarial machine learning, where an attacker manipulates the input query to a fixed, already-trained model to induce misclassification or erroneous agent action without altering the model's parameters or training data.

01

Inference-Time Manipulation

The defining characteristic of an evasion attack is that it occurs after model training is complete. The attacker does not require access to the training pipeline, poisoned data, or model weights. Instead, they craft a malicious input—often an adversarial example—that exploits the model's learned decision boundaries during prediction. This distinguishes evasion from data poisoning or backdoor attacks, which compromise the model before deployment. The model's parameters remain frozen; only the input is perturbed.

Inference
Attack Phase
Fixed
Model State
02

Imperceptible Perturbations

Evasion attacks typically rely on perturbations that are imperceptible or semantically meaningless to humans but catastrophic for model logic. In the visual domain, this involves adding a carefully calculated noise vector constrained by an Lp-norm budget (often L∞ or L2) so the image appears unchanged. For agent systems, this extends to acoustic adversarial examples that sound like normal audio, or subtle typographical changes in text prompts that bypass content filters. The core principle is exploiting the misalignment between human perception and model feature extraction.

L∞ ≤ 8/255
Common Visual Budget
04

Physical World Realizability

Evasion is not limited to the digital domain. Physical adversarial attacks manifest as tangible objects designed to fool real-world perception systems. Examples include:

  • Adversarial patches: Printed stickers placed on stop signs that cause an autonomous vehicle's detector to classify them as speed limit signs.
  • LiDAR spoofing: Firing precisely timed laser pulses to inject phantom 3D points or delete real obstacles from a point cloud.
  • Camouflage textures: 3D-printed objects with specific surface patterns that cause object detectors to fail under varying lighting and angles. These attacks leverage Expectation Over Transformation (EOT) to remain robust across viewpoint shifts.
EOT
Key Enabling Technique
05

Cross-Modal Transferability

In multimodal agent systems, evasion attacks can exploit inconsistencies across sensing modalities. A multimodal adversarial example is crafted to simultaneously fool vision, audio, and depth sensors, or to attack the fusion mechanism itself. For instance, an attacker might generate a visual perturbation that causes a Vision-Language-Action (VLA) model to misinterpret a scene, leading to an incorrect physical action. The attack surface expands dramatically when an agent's decision depends on the alignment of heterogeneous input streams.

VLA
Vulnerable Architecture
ADVERSARIAL THREAT TAXONOMY

Evasion Attack vs. Related Threat Vectors

A comparison of Evasion Attacks with other adversarial threat vectors that compromise model integrity at different stages of the machine learning lifecycle.

FeatureEvasion AttackData PoisoningBackdoor AttackModel Extraction

Attack Stage

Inference time

Training time

Training or fine-tuning time

Post-deployment querying

Model Modification

Attacker Goal

Cause misclassification on specific inputs

Degrade overall model accuracy

Trigger misclassification on inputs with secret pattern

Steal model functionality or parameters

Requires Training Data Access

Persistence

Transient; attack exists only in perturbed input

Permanent; model is corrupted until retrained

Persistent; trigger remains dormant until activated

N/A; attacker obtains a copy

Stealth Requirement

Perturbation must be imperceptible to humans

Poisoned samples must evade data validation

Trigger must be inconspicuous in normal use

Queries must appear legitimate to avoid rate limiting

Primary Defense

Adversarial training, certified robustness

Data provenance, anomaly detection on training data

Neural cleanse, spectral signature detection

Query rate limiting, differential privacy, API hardening

Typical Threat Model

White-box or black-box access to deployed model

Insider threat or compromised data pipeline

Supply chain attack or malicious fine-tuning

Black-box API access with unlimited queries

EVASION ATTACKS EXPLAINED

Frequently Asked Questions

Explore the mechanics of inference-time adversarial manipulation, where attackers perturb inputs to deceive machine learning models without altering the underlying parameters.

An evasion attack is a type of adversarial attack performed at inference time where an attacker modifies the input sample to cause misclassification without altering the underlying model's parameters or training data. Unlike data poisoning or backdoor attacks, evasion attacks do not require access to the training pipeline. The attacker starts with a legitimate input that the model correctly classifies, then applies a carefully calculated perturbation—often imperceptible to humans—that pushes the input across the model's decision boundary. For example, adding a specific noise pattern to an image of a stop sign might cause an autonomous vehicle's perception system to classify it as a speed limit sign. The core mechanism exploits the linear nature of neural network components in high-dimensional spaces, where small, accumulated changes in pixel values can produce large shifts in the output logits. Evasion attacks can be white-box (attacker has full knowledge of model architecture and gradients), black-box (attacker only observes input-output pairs), or physical (perturbations are realized as stickers or 3D objects in the real world).

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.