An adversarial example is a maliciously crafted input designed to deceive a machine learning model. By applying a small, carefully calculated perturbation—often constrained by an Lp-norm perturbation budget to remain invisible to the human eye—an attacker can force a high-confidence misclassification. This exposes a fundamental disconnect between human perception and the model's learned decision boundary.
Glossary
Adversarial Example

What is an Adversarial Example?
An adversarial example is an input to a machine learning model that has been intentionally perturbed in a way imperceptible to humans, causing the model to make an incorrect prediction with high confidence.
These vulnerabilities arise from the linear nature of components like ReLU activations in deep neural networks, which can amplify tiny input variations. An attacker using a white-box attack computes the gradient of the loss with respect to the input to generate the perturbation. The resulting example often exhibits adversarial example transferability, fooling other independently trained models and posing a significant security risk to deployed systems.
Core Characteristics of Adversarial Examples
Adversarial examples are not random noise; they are precisely engineered perturbations that exploit the high-dimensional geometry of a model's decision boundary. Understanding their core characteristics is essential for diagnosing vulnerabilities and building robust defenses.
Imperceptibility Constraint
The defining characteristic of an adversarial example is that the perturbation is imperceptible to a human observer while completely altering the model's prediction. This is enforced by an Lp-norm perturbation budget—typically L-infinity—which caps the maximum pixel-level change. The attack must remain within this imperceptibility threshold to be considered stealthy.
- L-infinity norm: Limits the maximum change to any single pixel (e.g., ±8/255).
- L2 norm: Constrains the Euclidean distance of the perturbation vector.
- L0 norm: Restricts the total number of pixels that can be altered.
High-Confidence Misclassification
Adversarial examples do not simply cause a model to guess incorrectly; they force a high-confidence misclassification to an attacker-chosen target class. The model outputs a probability distribution that is sharply peaked on the wrong label, often with >99% confidence. This reveals that the vulnerability is not a boundary case but a structural blind spot in the learned feature space.
- Targeted attack: Forces classification to a specific incorrect class.
- Untargeted attack: Causes any misclassification away from the true label.
- Confidence gap: The model's certainty on the adversarial input often exceeds its certainty on clean inputs.
Cross-Model Transferability
A critical and dangerous property: an adversarial example crafted to fool Model A will often fool Model B, even if Model B has a different architecture or was trained on a disjoint dataset. This adversarial example transferability enables black-box attacks where the attacker has no direct access to the target model's weights or gradients.
- Intra-architecture transfer: Examples transfer between models with the same design.
- Inter-architecture transfer: Examples crafted on a CNN fool a Vision Transformer.
- Attack proxy: Attackers train a local substitute model to generate transferable perturbations.
Geometric Vulnerability
Adversarial examples arise from the linear nature of neural networks in high-dimensional space. The decision boundary is not smooth; it contains sharp, non-robust features that are highly sensitive to small input variations. Loss landscape visualization reveals steep cliffs where a single gradient step can cross the boundary. This is a consequence of the model learning spurious correlations rather than robust, generalizable features.
- Sharp curvature: High local Lipschitz constant near data points.
- Non-robust features: Patterns predictive on the training distribution but meaningless to humans.
- Boundary tilting: The decision surface is nearly orthogonal to the perturbation direction.
Physical World Realizability
Adversarial examples are not confined to the digital domain. Physical adversarial attacks demonstrate that perturbations can survive printing, camera capture, and varying lighting conditions to fool real-world systems. An adversarial patch—a localized, highly visible sticker—can cause a stop sign to be classified as a speed limit sign, posing a direct threat to autonomous vehicles and surveillance systems.
- Robust physical perturbations: Designed to survive the image capture pipeline.
- Adversarial patch attacks: Localized perturbations that dominate the model's attention.
- Environmental invariance: Effective across angles, distances, and lighting conditions.
Gradient-Based Construction
The most efficient adversarial examples are constructed by exploiting the model's own loss gradient. The Fast Gradient Sign Method (FGSM) takes a single step in the direction that maximizes the loss. More powerful iterative methods like Projected Gradient Descent (PGD) apply multiple small steps, projecting back onto the epsilon-ball after each iteration to find the strongest perturbation within the budget.
- FGSM: Single-step, computationally cheap, lower attack success.
- PGD: Multi-step, gold-standard for evaluating empirical robustness.
- C&W Attack: Optimization-based, finds minimal-distortion perturbations.
Frequently Asked Questions
Core questions about the nature, creation, and implications of inputs designed to deceive machine learning models.
An adversarial example is a model input that has been intentionally perturbed in a way imperceptible to humans, causing the model to make an incorrect prediction with high confidence. The mechanism exploits the model's learned decision boundary, which often contains non-linear, sharp geometric features in high-dimensional space. By adding a precisely calculated perturbation vector—typically constrained by an Lp-norm like L-infinity—the input crosses a decision boundary into an incorrect class region while remaining within an imperceptibility threshold for human observers. This reveals that the model relies on brittle, non-robust features rather than the high-level semantic concepts humans use for classification.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Master the core concepts surrounding adversarial examples, from attack methodologies and defensive strategies to the formal verification of model robustness.
Evasion Attack
An attack vector executed at test time where an adversary modifies a malicious input sample to cause misclassification. Unlike poisoning attacks that corrupt training data, evasion attacks exploit the model's learned decision boundary directly. The attacker crafts a perturbation—often constrained by an Lp-norm budget—that flips the label while remaining imperceptible. This is the primary delivery mechanism for an adversarial example in production systems.
Adversarial Training
A defensive technique that injects adversarial examples into the training dataset with their correct labels. By exposing the model to worst-case perturbations during learning, the optimizer flattens the loss landscape around data points. This is widely considered the most empirically robust defense against Projected Gradient Descent (PGD) attacks, though it incurs a computational cost and can slightly reduce accuracy on clean data.
Gradient Masking
A phenomenon where a defense causes the model's gradients to become useless or misleading to an attacker, creating a false sense of security. This often occurs when a model is non-differentiable or saturates its outputs, preventing gradient-based attacks from finding effective perturbations. Security engineers must distinguish true robustness from gradient masking, as black-box attacks or transfer-based attacks can easily bypass these obfuscated gradients.
Robustness Certificate
A formal, verifiable guarantee that a model's prediction will remain constant for any perturbation within a specified Lp-norm radius. Unlike empirical defenses that can be broken by a stronger attack, certified defenses provide a provable lower bound on robustness. Techniques like Randomized Smoothing construct a smoothed classifier by adding Gaussian noise and aggregating predictions, yielding a statistical certificate against L2-norm adversaries.
Adversarial Example Transferability
The property by which an adversarial example crafted to fool one model also causes misclassification in other independently trained models. This cross-model vulnerability enables black-box attacks: an adversary trains a local surrogate model, generates white-box attacks against it, and deploys them against a remote target API. Transferability is driven by shared geometric features in the decision boundaries learned from similar data distributions.
Physical Adversarial Attack
An attack that remains effective after being printed and captured by a camera in the physical world. This demonstrates that adversarial vulnerabilities are not merely digital artifacts. Researchers have shown that adversarial patches—localized, highly visible perturbations—can cause a stop sign classifier to read 'Speed Limit 45' or make a person invisible to a detector, posing real-world risks for autonomous systems.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us