Inferensys

Glossary

Adversarial Example

An adversarial example is a carefully crafted input designed to cause a machine learning model to make a high-confidence error, often through small, imperceptible perturbations.
ML engineer managing model training cluster on laptop, GPU utilization visible, technical deep learning setup.
ADVERSARIAL PROMPTING

What is an Adversarial Example?

An adversarial example is a strategically crafted input designed to cause a machine learning model to make a specific, often high-confidence error.

In machine learning, an adversarial example is an input—such as an image, text prompt, or audio clip—modified with small, often imperceptible perturbations to deliberately cause a model to misclassify or malfunction. Originating in computer vision, the concept is now central to adversarial prompting in AI security, where specially crafted text exploits vulnerabilities in language models. These inputs are not random noise but are optimized to find and exploit weaknesses in the model's decision boundaries.

For language models, an adversarial example is a jailbreak prompt or injected instruction engineered to bypass safety filters and elicit harmful, biased, or otherwise restricted outputs. This practice is a core technique in red teaming and boundary testing to evaluate model robustness. The creation of these examples often involves automated search methods, such as gradient-based attacks in white-box settings or iterative querying in black-box attacks, to find token sequences that maximally alter model behavior.

ADVERSARIAL PROMPTING

Key Characteristics of Adversarial Examples

Adversarial examples are inputs specifically engineered to exploit weaknesses in machine learning models, causing them to make confident errors. In the context of large language models, these are crafted prompts designed to subvert intended behavior.

01

Intentional Perturbation

An adversarial example is defined by a small, intentional modification to a standard input. In computer vision, this is often an imperceptible change to pixel values. For language models, this manifests as subtle alterations to prompt wording, structure, or encoding. The core characteristic is that the perturbation is purposefully designed, not random, to exploit specific model vulnerabilities. For instance, rephrasing a harmful request using benign synonyms or inserting special delimiter characters can constitute an adversarial perturbation in text.

02

High-Confidence Error

The primary objective is to induce a high-confidence error. The model does not merely become uncertain; it is fooled into providing an incorrect or harmful output with high-assurance. This differentiates adversarial examples from general model mistakes. Key aspects include:

  • Misclassification: The model assigns the wrong label with high probability (e.g., classifying a panda as a gibbon).
  • Policy Violation: For LLMs, the model complies with a request it is safety-aligned to refuse, often without typical refusal messages.
  • The error persists despite the input being semantically identical or nearly identical to a non-adversarial version from a human perspective.
03

Transferability

A critical and concerning property is transferability. An adversarial example crafted for one model often causes errors in other models, even those with different architectures or trained on different datasets. This occurs because many models learn similar decision boundaries in high-dimensional space. In practice, this means:

  • A jailbreak prompt effective on one LLM (e.g., GPT-4) may also work on another (e.g., Claude).
  • Transferability enables black-box attacks, where an attacker can use a surrogate model to develop adversarial prompts for a target model whose internals are unknown.
  • This property underscores the systemic nature of the vulnerability.
04

Non-Robust Features

Adversarial examples exploit a model's reliance on non-robust features. These are patterns in the data that are highly predictive during standard training but are not semantically meaningful to humans and are easily manipulated.

  • In an image, these could be specific high-frequency textures.
  • In text, these might be rare token combinations, syntactic structures, or embedding-space correlations that the model has learned to associate with certain outputs.
  • The adversarial perturbation strategically amplifies or injects these non-robust features to steer the model's prediction, while leaving the human-interpretable robust features (the core semantic content) largely unchanged.
05

Exploitation of Linearity

In deep neural networks, adversarial examples often exploit the piecewise linear nature of modern activation functions (like ReLU). In high-dimensional spaces, models can be surprisingly linear in the vicinity of data points. A small step in the direction of the gradient of the loss function with respect to the input can cause a large change in the output. This is formalized in attacks like the Fast Gradient Sign Method (FGSM). For LLMs, while the discrete nature of tokens complicates gradient-based attacks, the principle translates to searching for token sequences that create a similar linear "push" in the model's internal representations toward a desired (and often harmful) output.

06

Human-Model Mismatch

The existence of adversarial examples highlights a fundamental disconnect between human and model perception. Humans and models process information differently.

  • Humans perceive holistically and semantically.
  • Models process inputs as points in a high-dimensional geometric space (like embedding space) and make decisions based on statistical correlations.
  • An adversarial perturbation is significant in the model's geometric space but insignificant in human perceptual space. This mismatch is the root cause of the phenomenon and a major challenge for building robust and aligned AI. Defenses often aim to force models to base decisions on features that align more closely with human semantic understanding.
ADVERSARIAL PROMPTING

How Adversarial Examples Work in Language Models

An adversarial example is a carefully crafted input designed to exploit a model's vulnerabilities, causing it to make a high-confidence error. In language models, this manifests as adversarial prompts that bypass safety filters or elicit harmful outputs.

An adversarial example is an input with small, often imperceptible perturbations that cause a machine learning model to make an incorrect prediction with high confidence. Originally studied in computer vision, the concept has been extended to language models, where these perturbations are crafted sequences of tokens or characters designed to exploit weaknesses in the model's processing. The goal is to find inputs within the model's input space that are semantically similar to benign queries but lie in a region where the model's behavior diverges unexpectedly, often to violate its safety alignment.

Crafting these examples involves techniques like gradient-based optimization for white-box access or iterative query-based search for black-box models. Successful adversarial prompts often work by confusing the model's tokenization process, exploiting statistical priors, or creating a conflict between the system prompt and the injected instructions. This field is critical for red teaming and robustness testing, as discovering these vulnerabilities is essential for improving model safety and developing more resilient guardrail systems before deployment.

EXPLOITING VULNERABILITIES

Common Adversarial Prompting Techniques

These are specific prompt engineering methods used to discover and exploit weaknesses in language models, often to bypass safety filters or elicit unintended behaviors. Understanding these techniques is crucial for red teaming and building robust AI systems.

02

Prompt Injection

Prompt injection is an attack where malicious user input overrides or subverts the original system instructions. This can lead to goal hijacking, where the model performs a different task than intended.

  • Direct Injection: Malicious instructions are placed directly in the user query.
  • Indirect Injection: Instructions are hidden in external data (e.g., a retrieved webpage) that the model processes.
  • Impact: Can lead to data exfiltration, system prompt leaks, or unauthorized actions.
04

In-Context Attack

An in-context attack manipulates the few-shot examples within a prompt's context window to adversarially steer the model's response. This corrupts the in-context learning process.

  • Chain-of-Thought Poisoning: Injecting malicious or false reasoning steps into demonstration examples.
  • Impact: Causes the model to adopt incorrect premises or harmful reasoning patterns for the target task.
  • Challenge: Difficult to detect as the attack is embedded within seemingly legitimate demonstration data.
05

Delimiter & Encoding Attacks

These attacks exploit the technical parsing of prompts and input encoding to break instruction boundaries.

  • Delimiter Attacks: Using or manipulating special characters (e.g., ###, """) that separate system/user/assistant messages to inject instructions.
  • Unicode Exploits: Using homoglyphs, zero-width spaces, or other non-standard Unicode to obfuscate text and bypass simple keyword filters.
  • Token Manipulation: Altering input tokens at the embedding level to cause model misinterpretation.
06

Multi-Modal & Recursive Injection

Advanced techniques that target complex system architectures.

  • Multi-Modal Injection: Embedding adversarial instructions within non-text inputs (images, audio) to influence a multimodal model's text generation.
  • Recursive Injection: An initial injected instruction forces the model to generate further malicious prompts, creating a self-propagating chain.
  • RAG Jailbreak: Poisoning a retrieval-augmented generation system's knowledge base so that retrieved documents contain injectable instructions.
CORE MECHANISM COMPARISON

Adversarial Examples: Computer Vision vs. Language Models

This table contrasts the fundamental characteristics, attack methods, and defensive challenges of adversarial examples in computer vision and language models, highlighting the shift from continuous pixel perturbations to discrete token manipulations.

Feature / DimensionComputer Vision (CV)Language Models (LM)Core Implication

Primary Input Domain

Continuous (pixel values)

Discrete (tokens / text)

CV attacks optimize in continuous space; LM attacks must navigate discrete, combinatorial search.

Typical Perturbation

Small, imperceptible noise (ε-bound L_p norm)

Token insertion, deletion, substitution, or rephrasing

CV perturbations are often constrained to be visually undetectable; LM perturbations can be semantically meaningful.

Attack Objective

Cause misclassification (e.g., panda → gibbon)

Elicit refused content, leak data, or hijack goals

CV targets model accuracy; LM targets safety, alignment, and confidentiality.

Common Attack Methods

FGSM, PGD, CW attack (gradient-based)

Manual jailbreaks, greedy coordinate gradient, LLM-as-attacker

CV leverages model gradients; LM attacks often use black-box search or semantic social engineering.

Perturbation Visibility

Often imperceptible to humans

Often perceptible as unnatural or malicious text

Human detection is a key defense in CV but less reliable for sophisticated LM prompt injections.

Transferability

High across models with similar architectures

Low; highly sensitive to model, version, and prompting scheme

A CV adversarial example may fool many models; an LM jailbreak is often brittle and non-transferable.

Primary Defense Paradigms

Adversarial training, input denoising, certified robustness

Instruction hardening, output filtering, classifier-based safety layers

CV defenses focus on robustness to noise; LM defenses focus on instruction integrity and post-hoc filtering.

Automation Potential

High (gradient-based optimization is automatic)

Moderate (increasingly automated via LLM attackers, but less direct)

Automated red teaming is more mature in CV but rapidly evolving for LM security.

ADVERSARIAL EXAMPLE

Frequently Asked Questions

Adversarial examples are inputs crafted to exploit model vulnerabilities, causing high-confidence errors. This concept, originating in computer vision, is now critical in text-based AI security.

An adversarial example is an input to a machine learning model that has been intentionally perturbed with small, often imperceptible modifications to cause the model to make a high-confidence error. In the context of large language models (LLMs), this extends from pixel-level perturbations in images to subtle textual manipulations—such as adding specific characters, rephrasing, or using encoded instructions—designed to bypass safety filters and elicit harmful, biased, or otherwise unintended outputs. The core mechanism exploits the model's sensitivity to input features in its high-dimensional representation space, where a minor shift can lead to a drastically different classification or generation path.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.