Inferensys

Glossary

Evasion Attack

An attack vector where an adversary modifies a malicious input sample at test time to cause misclassification by a trained model, effectively evading a security or classification boundary.
Engineer reviewing vector database search results on laptop, embeddings visualization on screen, home office coding session.
ADVERSARIAL THREAT VECTOR

What is Evasion Attack?

An evasion attack is a test-time adversarial technique where an attacker subtly modifies a malicious input sample to bypass a machine learning model's detection boundary, causing misclassification without altering the model itself.

An evasion attack is an adversarial manipulation executed during the inference phase, where an attacker crafts a perturbed input—such as a malware binary or spam email—designed to cross a model's decision boundary. Unlike data poisoning, which corrupts the training pipeline, evasion attacks exploit blind spots in a fixed, already-trained classifier to evade security controls.

The attacker operates within a defined perturbation budget, typically bounded by an Lp-norm constraint, to ensure the malicious payload remains functionally viable while appearing benign to the model. Defenses against this threat vector include adversarial training, feature squeezing, and certified robustness techniques like randomized smoothing to harden the decision surface.

ADVERSARIAL THREAT VECTORS

Key Characteristics of Evasion Attacks

Evasion attacks exploit the blind spots in a model's decision boundary at inference time. Unlike poisoning attacks that corrupt training data, these attacks manipulate the input sample itself to slip past a classifier without triggering an alert.

01

Test-Time Manipulation

The defining characteristic of an evasion attack is that it occurs strictly during inference, not training. The adversary modifies a malicious sample—such as a malware binary, a spam email, or a network packet—by adding carefully calculated noise or transformations. The underlying model weights remain untouched. The attacker's goal is to cross the decision boundary into a benign class, effectively making the model blind to the threat without ever accessing the training pipeline.

Inference-Only
Attack Phase
02

Gradient-Based Optimization

In white-box settings, the attacker computes the gradient of the model's loss function with respect to the input features. By moving the input in the direction that minimizes the loss for the target class, the adversary finds the minimal perturbation required to flip the label. Common algorithms include:

  • Fast Gradient Sign Method (FGSM): A single-step attack using the sign of the gradient.
  • Projected Gradient Descent (PGD): An iterative, multi-step variant that finds stronger adversarial examples.
  • Carlini & Wagner (C&W): An optimization-based attack that minimizes distortion while achieving misclassification.
03

Imperceptibility Constraints

To remain stealthy, the perturbation must stay within an imperceptibility threshold—the point at which a human auditor cannot distinguish the adversarial sample from a legitimate one. This is enforced mathematically using Lp-norm constraints (typically L-infinity or L2). The perturbation budget (epsilon) defines the maximum allowed change per pixel or feature. Attacks that exceed this budget become visible and are easily detected by human review or statistical anomaly detectors.

L∞ ≤ 8/255
Typical Image Budget
04

Transferability Across Models

A critical property that makes evasion attacks dangerous in black-box scenarios is adversarial example transferability. An adversary can train a local surrogate model, craft adversarial examples against it, and then deploy those same examples against a remote target model with a different architecture. This works because the vulnerabilities often stem from shared, high-dimensional geometric properties of the decision boundary rather than specific architectural flaws. The attack succeeds without any query access to the production model.

05

Physical World Realizability

Evasion is not confined to the digital domain. Physical adversarial attacks involve printing a perturbed image or fabricating a 3D object, then presenting it to a camera-based classifier. The perturbation must survive lighting changes, viewpoint shifts, and sensor noise. Techniques like Expectation over Transformation (EOT) optimize the perturbation over a distribution of physical transformations, ensuring the attack remains robust when captured by a real-world sensor rather than a lossless digital pipeline.

06

Feature Space Exploitation

Evasion attacks succeed by targeting the specific features the model relies on. An adversarial saliency map reveals which input dimensions most influence the classification decision. The attacker then applies minimal energy to those high-saliency features. In high-dimensional spaces, models often exhibit locally non-smooth decision boundaries—sharp, unpredictable curves that allow a small Lp-norm perturbation to cross a classification boundary that should be distant. This geometric fragility is the root cause of adversarial vulnerability.

EVASION ATTACKS EXPLAINED

Frequently Asked Questions

Explore the fundamental mechanics, threat models, and defensive strategies surrounding evasion attacks, the most common adversarial technique used to fool deployed machine learning models at inference time.

An evasion attack is an adversarial technique where a malicious actor modifies an input sample at test time to cause a trained machine learning model to misclassify it, effectively evading a security or classification boundary. Unlike data poisoning, which corrupts the training pipeline, evasion attacks target the model after deployment. The adversary crafts a perturbation—often imperceptible to humans—by solving an optimization problem that maximizes the model's prediction error while keeping the input distortion within a defined perturbation budget (e.g., an L-infinity epsilon-ball). For example, a spammer might subtly alter the text of a phishing email so that a spam filter classifies it as legitimate, or an attacker might place small stickers on a stop sign to cause an autonomous vehicle's vision system to classify it as a speed limit sign. The core vulnerability exploited is the model's reliance on non-robust features—patterns in the data that are predictive but brittle and easily flipped by small input changes.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.