An adversarial example is a deliberately modified input designed to deceive a machine learning model. By adding a tiny, often invisible perturbation—such as subtle pixel-level noise to an image—an attacker can force a state-of-the-art classifier to confidently mistake a panda for a gibbon. This vulnerability exposes a fundamental gap between human perception and the brittle, high-dimensional decision boundaries learned by neural networks.
Glossary
Adversarial Example

What is an Adversarial Example?
An adversarial example is an input to a machine learning model that has been intentionally perturbed in a way imperceptible to humans, causing the model to make an incorrect classification with high confidence.
These attacks are categorized by the attacker's knowledge: white-box attacks like the Fast Gradient Sign Method (FGSM) require full access to the model's gradients, while black-box attacks rely on querying the target model to infer its weaknesses. The existence of adversarial examples has driven critical research into defenses like adversarial training and formal robustness certification, making them a cornerstone of AI security evaluation.
Core Characteristics of Adversarial Examples
Adversarial examples are not random noise but carefully engineered inputs that exploit the high-dimensional geometry of a model's decision boundary. Their defining characteristics make them a persistent and transferable threat.
Imperceptible Perturbation
The defining feature of an adversarial example is that the added perturbation is imperceptible to the human visual or auditory system. The modification is constrained by an Lp-norm distance metric (often L∞ or L2) to ensure the adversarial input appears identical to the original clean sample. For instance, changing a pixel value by a magnitude of 1/255th on an 8-bit image scale is invisible to a human but can drastically alter a neural network's feature activation map.
High-Confidence Misclassification
An adversarial example does not merely cause a random error; it forces the model to output a specific, incorrect class with extremely high confidence. A 'stop sign' adversarial example might cause a classifier to output 'speed limit 80 mph' with 99.9% probability. This high confidence indicates the input has crossed a decision boundary into a region the model strongly associates with the target class, making simple thresholding defenses ineffective.
Cross-Model Transferability
Adversarial examples exhibit the property of transferability, where a perturbation generated to fool one model (the surrogate) often fools another independently trained model (the victim) with a different architecture. This occurs because different models learn similar decision boundary geometries when trained on the same task. This property enables practical black-box attacks where the attacker has no direct access to the target model's gradients or parameters.
Linear Behavior in High Dimensions
The phenomenon is largely explained by the linear nature of neural networks in high-dimensional input spaces. As articulated by Goodfellow et al., a small perturbation multiplied by the high dimensionality of the input (e.g., millions of pixels) can accumulate to create a massive change in the output logit. The model's local linearity makes it susceptible to perturbations precisely aligned with the sign of the cost function's gradient.
Physical World Realizability
Adversarial examples are not confined to the digital domain. Robust physical perturbations can be manufactured and deployed in the real world. Researchers have demonstrated that printed adversarial patches or carefully crafted 3D-printed objects can consistently fool real-world classifiers under varying lighting conditions, angles, and camera distances, proving the threat extends to autonomous systems and physical security.
Non-Robust Feature Exploitation
Adversarial examples exploit non-robust features—patterns in the data that are highly predictive for the model but are incomprehensible and uncorrelated with the true class for humans. The model latches onto these subtle, brittle statistical correlations in the pixel space. An adversarial perturbation effectively flips the value of these non-robust features to the target class's distribution while leaving the robust, human-perceptible features unchanged.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Frequently Asked Questions
Clear, technical answers to the most common questions about adversarial examples, their creation, and their impact on machine learning model security.
An adversarial example is an input to a machine learning model that has been intentionally perturbed in a way imperceptible to humans, causing the model to make an incorrect classification with high confidence. These perturbations are typically crafted by solving an optimization problem that maximizes the model's prediction error while constraining the perturbation's magnitude under a specific Lp-norm distance metric. For instance, adding a carefully calculated layer of noise to an image of a panda can cause a state-of-the-art classifier to misidentify it as a gibbon with over 99% confidence, even though the two images look identical to a human observer. This phenomenon exposes fundamental vulnerabilities in the decision boundaries learned by deep neural networks.
Related Terms
Understanding adversarial examples requires familiarity with the core attack methodologies used to generate them, the defensive strategies employed to mitigate them, and the formal frameworks used to measure resilience.
Black-box Attack
An attack executed with no knowledge of the target model's architecture, parameters, or training data. The attacker relies solely on querying the model to observe input-output pairs. Key strategies include:
- Score-based: Using output probabilities to estimate gradients via finite differences.
- Decision-based: Using only the hard-label prediction to walk the decision boundary.
- Transfer-based: Crafting examples on a local surrogate model and exploiting transferability to fool the target.
Robustness Certification
The process of formally proving that a model's prediction for a given input is invariant to any perturbation within a defined Lp-norm ball. Unlike empirical defenses, certification provides a mathematical guarantee. Key methods include:
- Randomized Smoothing: A probabilistic certification that constructs a provably robust classifier by adding Gaussian noise and taking a majority vote.
- Abstract Interpretation: Propagating symbolic bounds through the network to verify output stability.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us