Inferensys

Glossary

Attack Success Rate

The primary metric for evaluating an adversarial attack, calculated as the percentage of generated adversarial examples that successfully cause the target model to misclassify.
ML engineer running AI model benchmarks, performance charts on multiple screens, late night home office setup.
ADVERSARIAL METRIC

What is Attack Success Rate?

Attack Success Rate is the primary quantitative metric for evaluating the efficacy of an adversarial attack against a machine learning model.

Attack Success Rate (ASR) is defined as the percentage of generated adversarial examples that successfully cause the target model to output an incorrect prediction. It is calculated by dividing the number of successful adversarial inputs by the total number of attack attempts, providing a direct measure of a model's vulnerability to a specific attack algorithm.

A high ASR indicates a fragile decision boundary, while a low ASR against strong attacks like Projected Gradient Descent (PGD) suggests high robust accuracy. ASR is the standard benchmark metric in security research, used to compare the potency of attacks and the effectiveness of defenses such as adversarial training.

METRICS & MEASUREMENT

Key Characteristics of Attack Success Rate

Attack Success Rate (ASR) is the primary quantitative metric for evaluating adversarial attack efficacy. It measures the proportion of crafted inputs that achieve the attacker's objective, providing a standardized benchmark for comparing attack algorithms and assessing model vulnerability.

01

Core Definition & Formula

Attack Success Rate is calculated as the percentage of generated adversarial examples that successfully cause the target model to produce an incorrect output. The fundamental formula is:

  • ASR = (Number of Successful Attacks / Total Number of Attack Attempts) × 100%

A successful attack is defined by the attacker's objective:

  • Untargeted Attack: The model outputs any class other than the ground truth
  • Targeted Attack: The model outputs a specific, pre-chosen target class
  • LLM Jailbreak: The model complies with a harmful request it would normally refuse

An ASR of 95% indicates near-complete vulnerability, while an ASR of 5% suggests strong robustness against that specific attack vector.

0-100%
Standard Range
02

ASR vs. Perturbation Budget

ASR is intrinsically linked to the perturbation budget (ε), which defines the maximum allowed distortion under a given Lp-norm constraint. This relationship reveals the efficiency of an attack:

  • High ASR at low ε: Indicates a powerful, imperceptible attack that exploits genuine model weaknesses
  • High ASR only at high ε: Suggests the attack relies on obvious, easily detectable perturbations
  • L∞ norm (ε = 8/255): Standard budget for CIFAR-10 benchmarking, representing subtle pixel-level changes
  • L2 norm: Measures Euclidean distance, often used for perceptual similarity constraints

Attack algorithms like Carlini & Wagner are designed to find minimal perturbations that achieve high ASR, making them more dangerous and harder to defend against than brute-force methods.

ε = 8/255
Standard L∞ Budget
03

White-Box vs. Black-Box ASR

ASR varies dramatically based on the attacker's knowledge model:

  • White-Box ASR: Typically approaches 100% for iterative attacks like PGD, as the attacker has full access to gradients, architecture, and parameters. This represents the worst-case vulnerability scenario.
  • Black-Box ASR: Significantly lower, often 5-30% for naive query-based attacks. However, transfer-based black-box attacks can achieve 60-90% ASR by crafting adversarial examples on a surrogate model.
  • Score-Based vs. Decision-Based: Score-based attacks (access to confidence scores) achieve higher ASR than decision-based attacks (only hard labels), which require more queries.

The gap between white-box and black-box ASR is a critical measure of gradient masking versus genuine robustness. A large gap often indicates a false sense of security from obfuscated gradients.

~100%
White-Box ASR Ceiling
60-90%
Transfer Black-Box ASR
04

ASR in Language Models

For Large Language Models, ASR measures the rate at which adversarial prompts bypass safety alignment. Key considerations include:

  • Jailbreak ASR: The percentage of harmful queries that receive compliant responses after applying an adversarial suffix or prompt template
  • GCG Attack Benchmarking: The Greedy Coordinate Gradient attack on Llama 2 and Vicuna models typically achieves 50-90% ASR depending on the model's safety training intensity
  • Refusal Matching: Some metrics count a response as successful only if it provides genuinely harmful information, not just any non-refusal
  • HarmBench Evaluation: A standardized framework that reports ASR across multiple attack types (GCG, AutoDAN, PAIR) and harm categories

ASR in LLMs must account for semantic equivalence—a jailbreak that produces a refusal with caveats may still be considered partially successful in some taxonomies.

50-90%
GCG Jailbreak ASR
05

Robust Accuracy as the Inverse Metric

Robust Accuracy is the complementary metric to ASR, measuring the model's classification accuracy on an adversarially perturbed test set:

  • Robust Accuracy = 100% - ASR (for untargeted attacks on a perfectly clean baseline)
  • A model with 90% robust accuracy under PGD-20 has an ASR of only 10%
  • Adversarial Training aims to maximize robust accuracy by minimizing ASR during training
  • The robustness-accuracy trade-off: Increasing robust accuracy often decreases clean accuracy, a phenomenon formalized by TRADES

Robust accuracy is the standard metric reported in academic benchmarks like RobustBench, which maintains a leaderboard of state-of-the-art defended models ranked by their robust accuracy under AutoAttack.

~65%
SOTA Robust Accuracy (CIFAR-10)
06

Standardized Benchmarking Protocols

Rigorous ASR evaluation requires adherence to established protocols to prevent inflated claims:

  • AutoAttack: A parameter-free ensemble of diverse attacks (APGD-CE, APGD-DLR, FAB, Square Attack) that provides a reliable, standardized ASR evaluation without requiring manual tuning
  • RobustBench: A centralized leaderboard that enforces consistent threat models (L∞, ε=8/255) and evaluation methodologies across submissions
  • Threat Model Specification: Every ASR report must declare the perturbation norm, budget (ε), number of attack iterations, and number of restarts
  • Adaptive Attacks: The gold standard for defense evaluation—attacks that are specifically tailored to circumvent the defense mechanism, ensuring no gradient masking or obfuscation inflates robustness claims

Failure to use adaptive attacks has led to numerous defenses being broken shortly after publication, with ASR jumping from near-zero to near-100%.

AutoAttack
Gold Standard Evaluator
METRICS & MEASUREMENT

Frequently Asked Questions

Attack Success Rate is the fundamental metric for quantifying the efficacy of adversarial attacks. The following answers address the most common technical questions about its calculation, interpretation, and relationship to model robustness.

Attack Success Rate (ASR) is the primary metric for evaluating an adversarial attack, calculated as the percentage of generated adversarial examples that successfully cause the target model to misclassify. The formula is ASR = (Number of Successful Adversarial Examples / Total Number of Attack Attempts) * 100. A successful adversarial example is one where the model's prediction on the perturbed input differs from the ground truth label (for untargeted attacks) or matches a specific target label (for targeted attacks). For instance, if 850 out of 1,000 crafted inputs fool the model, the ASR is 85%. This metric is typically reported alongside the perturbation budget (e.g., epsilon in L-infinity norm) to contextualize the attack's strength.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.