Inferensys

Glossary

AutoAttack

A standardized, parameter-free ensemble of adversarial attacks designed to reliably evaluate the empirical robustness of machine learning models against evasion attacks.
ML engineer managing model training cluster on laptop, GPU utilization visible, technical deep learning setup.
ADVERSARIAL ROBUSTNESS EVALUATION

What is AutoAttack?

A standardized, parameter-free ensemble of attacks used to reliably evaluate the empirical robustness of machine learning models against adversarial examples.

AutoAttack is a parameter-free ensemble of four diverse adversarial attacks—APGD-CE, APGD-DLR, FAB, and Square Attack—designed to provide a reliable, standardized evaluation of a model's empirical adversarial robustness. It eliminates the common pitfall of gradient masking by combining white-box and black-box methods, serving as the default metric for benchmarks like RobustBench.

Unlike single-attack evaluations that can be defeated by obfuscated gradients, AutoAttack's adaptive and complementary attack suite provides a rigorous lower bound on model vulnerability. Its parameter-free nature removes human bias from the evaluation process, making it the gold standard for comparing defenses against Lp-norm bounded perturbations in academic and industrial security research.

MECHANICS

Key Features of AutoAttack

AutoAttack is a parameter-free, ensemble evaluation protocol that provides a reliable, standardized benchmark for empirical adversarial robustness, eliminating the common pitfalls of manual attack tuning and gradient masking.

01

Parameter-Free Ensemble Design

AutoAttack removes human bias from robustness evaluation by standardizing the attack pipeline. It combines four diverse attacks without requiring manual hyperparameter tuning:

  • APGD-CE: An adaptive Projected Gradient Descent variant using the cross-entropy loss with an automatic step-size scheduler.
  • APGD-DLR: An adaptive PGD attack using the Difference of Logits Ratio loss, targeting models where cross-entropy gradients are masked.
  • FAB-T: A targeted Fast Adaptive Boundary attack that minimizes perturbation norm against the true class.
  • Square Attack: A query-efficient black-box attack that relies on random square-shaped updates, bypassing gradient-based defenses entirely.
02

Standardized Threat Model

The standard evaluation protocol operates under a strict L∞-norm threat model with a perturbation budget of 8/255 for CIFAR-10 and 4/255 for ImageNet. This formal specification ensures:

  • Reproducible comparisons across different research papers and model architectures.
  • A clear definition of the adversary's capabilities, preventing inflated robustness claims from weak attacks.
  • Alignment with the RobustBench leaderboard, which uses AutoAttack as its primary ranking metric.
03

Reliable Detection of Gradient Masking

A core design goal is to expose obfuscated gradients, a brittle defense where models appear robust due to non-differentiable layers or shattered gradients. AutoAttack counters this by:

  • Including the Square Attack, which does not rely on gradient information and efficiently bypasses gradient masking.
  • Using adaptive step-size schedules in APGD that prevent the attack from stalling on loss plateaus.
  • Providing a clear diagnostic: a large gap between white-box PGD accuracy and AutoAttack accuracy strongly indicates a flawed defense.
05

Adaptive Attack Variants

For defenses that claim robustness beyond the standard L∞ threat model, AutoAttack supports extended evaluation modes:

  • AutoAttack+: Incorporates additional attacks like the RayS black-box method for L2-norm evaluation.
  • Custom threat models: Allows specification of different perturbation budgets and norms.
  • Adaptive evaluation: Researchers can integrate custom attacks tailored to specific defense mechanisms, ensuring the evaluation always matches the threat model.
06

Computational Efficiency

Despite its ensemble nature, AutoAttack is optimized for practical evaluation:

  • Early stopping: Halts attacks on samples once a successful adversarial example is found, reducing total queries.
  • Batch processing: Leverages GPU parallelism for efficient gradient computation across multiple inputs.
  • Fixed budget: Operates within a defined query limit, making evaluation costs predictable and comparable across hardware configurations.
AutoAttack

Frequently Asked Questions

Answers to common questions about the standardized, parameter-free adversarial robustness benchmark.

AutoAttack is a parameter-free ensemble of adversarial attacks designed to provide a reliable, standardized evaluation of a machine learning model's empirical robustness. It works by sequentially applying four diverse attack methods: an APGD (Auto-PGD) attack on the cross-entropy loss, an APGD attack on the Difference of Logits Ratio (DLR) loss, a targeted FAB (Fast Adaptive Boundary) attack, and a black-box Square Attack. Crucially, AutoAttack requires no manual tuning of step sizes or hyperparameters; it automatically adjusts its internal parameters based on the model's behavior. If any single attack in the ensemble finds a valid adversarial example, the model is considered defeated for that input. This ensemble approach prevents defenses that rely on gradient masking or obfuscation from achieving a false sense of security, making it the gold standard for evaluating defenses published in top-tier conferences.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.