An evasion attack is a security exploit where an adversary crafts a malicious input—an adversarial example—by adding imperceptible perturbations to a legitimate sample. The goal is to induce a targeted or untargeted misclassification during inference. Unlike data poisoning, this attack does not compromise the training pipeline; it exploits blind spots in the model's learned decision boundary by solving an optimization problem, typically constrained by an Lp-norm budget to ensure the perturbation remains invisible to human observers.
Glossary
Evasion Attack

What is an Evasion Attack?
An evasion attack is a test-time adversarial technique that modifies input data to cause a machine learning model to misclassify it, without altering the model's parameters or training data.
Defending against evasion attacks requires adversarial robustness evaluation using standardized benchmarks like AutoAttack. Common attack algorithms include Projected Gradient Descent (PGD) and Fast Gradient Sign Method (FGSM). Defenses such as adversarial training augment the training set with adversarial examples, while certified robustness methods like randomized smoothing provide mathematical guarantees against perturbation. A critical pitfall is gradient masking, a brittle defense that obscures gradients rather than removing the underlying vulnerability.
Key Characteristics of Evasion Attacks
Evasion attacks exploit the blind spots in a model's decision boundary at inference time. Unlike poisoning attacks, they do not alter the training data but instead craft malicious inputs that cause misclassification while appearing benign to human observers.
Inference-Time Manipulation
The defining characteristic of an evasion attack is that it occurs strictly during the test phase. The adversary modifies input samples after a model has been trained and deployed, leaving the underlying parameters and architecture untouched. This contrasts with data poisoning, which corrupts the training pipeline. The attacker crafts perturbations—often imperceptible to humans—that push the input across the model's decision boundary. For example, adding a carefully calculated noise layer to a 'stop' sign image causes an autonomous vehicle classifier to read it as a 'speed limit' sign, all while the physical sign looks normal to a human driver.
Imperceptible Perturbation Constraints
To remain covert, evasion attacks are typically constrained by an Lp-norm budget that mathematically limits the magnitude of the perturbation. Common constraints include:
- L∞ (Chebyshev distance): Limits the maximum change to any single pixel, ensuring no pixel is altered beyond a threshold (e.g., 8/255).
- L2 (Euclidean distance): Limits the overall magnitude of the perturbation vector, keeping the total distortion small.
- L0 (Hamming distance): Limits the number of pixels that can be altered, regardless of magnitude. These constraints ensure the adversarial example remains visually indistinguishable from the original input, defeating human inspection.
White-Box vs. Black-Box Access
Evasion attacks are categorized by the adversary's level of access to the target model:
- White-Box Attack: The attacker has full knowledge of the model architecture, parameters, and gradients. This enables direct optimization using techniques like Projected Gradient Descent (PGD) to craft highly effective adversarial examples.
- Black-Box Attack: The attacker can only query the model and observe outputs (scores or labels). Strategies include transfer attacks, where adversarial examples crafted on a local surrogate model are used to fool the remote target, exploiting the transferability property.
- Score-Based vs. Decision-Based: Score-based attacks use output probabilities to estimate gradients, while decision-based attacks use only the final hard-label prediction, requiring more queries.
Physical World Realizability
Advanced evasion attacks extend beyond the digital domain into the physical world. An adversary must ensure the perturbation survives real-world transformations like changes in lighting, viewing angle, and camera noise. Expectation over Transformation (EoT) is a technique that optimizes adversarial examples to remain effective across a distribution of simulated physical conditions. A classic example is the adversarial patch—a robust, localized perturbation printed on a physical object that reliably fools object detectors regardless of its orientation or distance from the camera.
Targeted vs. Untargeted Objectives
The adversary's goal defines the attack's objective:
- Untargeted Attack: The goal is simply to cause any misclassification—the model predicts any class other than the correct one. This is the easiest objective to achieve.
- Targeted Attack: The goal is to force the model to predict a specific, attacker-chosen class. This is significantly harder, as the perturbation must not only push the input out of its true class region but also guide it into the precise target class region. For example, forcing a facial recognition system to authenticate an unauthorized individual as a specific administrator.
Adaptive Attack Evaluation
A robust security evaluation must account for adaptive adversaries who know the defense mechanism in place. An adaptive attack is specifically designed to circumvent a known defense. For instance, if a model uses gradient masking (a brittle defense that obfuscates gradients), an adaptive attacker will use Backward Pass Differentiable Approximation (BPDA) to replace the non-differentiable layer with a smooth approximation during the attack. Standardized benchmarks like AutoAttack include an ensemble of adaptive and non-adaptive attacks to prevent inflated robustness claims from obfuscated gradients.
Evasion Attack vs. Data Poisoning vs. Model Inversion
A comparative analysis of three distinct adversarial attack vectors targeting machine learning systems, differentiated by their phase of execution, attacker goal, and required access.
| Feature | Evasion Attack | Data Poisoning | Model Inversion |
|---|---|---|---|
Attack Phase | Inference (Test Time) | Training Time | Inference (Post-Deployment) |
Model Integrity Impact | No modification to model | Model parameters corrupted | No modification to model |
Primary Goal | Cause misclassification | Implant backdoor or degrade accuracy | Reconstruct training data |
Attacker Access Required | Input query access | Training data or pipeline access | API query access to model |
Victim Model Knowledge | White-box or Black-box | Gray-box typically | Black-box typically |
Defense Strategy | Adversarial training, input sanitization | Data provenance, robust aggregation | Differential privacy, output perturbation |
Confidentiality Violation | |||
Integrity Violation |
Frequently Asked Questions
Clear, technical answers to the most common questions about how adversaries fool machine learning models at test time without altering the underlying system.
An evasion attack is a cybersecurity exploit that modifies input data at test time to cause a machine learning model to misclassify it, without altering the model's parameters or training data. The attacker crafts adversarial examples by adding small, often imperceptible perturbations to legitimate inputs—such as altering a few pixels in an image or injecting subtle noise into a network packet. These perturbations are calculated by solving an optimization problem that maximizes the model's prediction error while keeping the input distortion within a defined Lp-norm bound (e.g., L∞ or L2). For instance, an attacker might add carefully calculated noise to a stop sign image so that an autonomous vehicle's classifier sees it as a speed limit sign, all while the sign appears completely normal to a human observer. The attack exploits the model's learned decision boundaries, which often contain non-robust features that are highly predictive but semantically meaningless to humans.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Understanding evasion attacks requires familiarity with the broader ecosystem of adversarial threats, defensive techniques, and evaluation methodologies that define modern AI security.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us