Inferensys

Glossary

Evasion Attack

An evasion attack is a cybersecurity threat where an adversary modifies input data at test time to cause a machine learning model to misclassify it, without altering the model's parameters or training data.
Data scientist building training data pipeline on laptop, data preprocessing visible, technical workspace.
ADVERSARIAL ROBUSTNESS

What is an Evasion Attack?

An evasion attack is a test-time adversarial technique that modifies input data to cause a machine learning model to misclassify it, without altering the model's parameters or training data.

An evasion attack is a security exploit where an adversary crafts a malicious input—an adversarial example—by adding imperceptible perturbations to a legitimate sample. The goal is to induce a targeted or untargeted misclassification during inference. Unlike data poisoning, this attack does not compromise the training pipeline; it exploits blind spots in the model's learned decision boundary by solving an optimization problem, typically constrained by an Lp-norm budget to ensure the perturbation remains invisible to human observers.

Defending against evasion attacks requires adversarial robustness evaluation using standardized benchmarks like AutoAttack. Common attack algorithms include Projected Gradient Descent (PGD) and Fast Gradient Sign Method (FGSM). Defenses such as adversarial training augment the training set with adversarial examples, while certified robustness methods like randomized smoothing provide mathematical guarantees against perturbation. A critical pitfall is gradient masking, a brittle defense that obscures gradients rather than removing the underlying vulnerability.

ADVERSARIAL TAXONOMY

Key Characteristics of Evasion Attacks

Evasion attacks exploit the blind spots in a model's decision boundary at inference time. Unlike poisoning attacks, they do not alter the training data but instead craft malicious inputs that cause misclassification while appearing benign to human observers.

01

Inference-Time Manipulation

The defining characteristic of an evasion attack is that it occurs strictly during the test phase. The adversary modifies input samples after a model has been trained and deployed, leaving the underlying parameters and architecture untouched. This contrasts with data poisoning, which corrupts the training pipeline. The attacker crafts perturbations—often imperceptible to humans—that push the input across the model's decision boundary. For example, adding a carefully calculated noise layer to a 'stop' sign image causes an autonomous vehicle classifier to read it as a 'speed limit' sign, all while the physical sign looks normal to a human driver.

Test Phase
Attack Window
Unmodified
Model Integrity
02

Imperceptible Perturbation Constraints

To remain covert, evasion attacks are typically constrained by an Lp-norm budget that mathematically limits the magnitude of the perturbation. Common constraints include:

  • L∞ (Chebyshev distance): Limits the maximum change to any single pixel, ensuring no pixel is altered beyond a threshold (e.g., 8/255).
  • L2 (Euclidean distance): Limits the overall magnitude of the perturbation vector, keeping the total distortion small.
  • L0 (Hamming distance): Limits the number of pixels that can be altered, regardless of magnitude. These constraints ensure the adversarial example remains visually indistinguishable from the original input, defeating human inspection.
8/255
Common L∞ Budget
L0, L2, L∞
Norm Families
03

White-Box vs. Black-Box Access

Evasion attacks are categorized by the adversary's level of access to the target model:

  • White-Box Attack: The attacker has full knowledge of the model architecture, parameters, and gradients. This enables direct optimization using techniques like Projected Gradient Descent (PGD) to craft highly effective adversarial examples.
  • Black-Box Attack: The attacker can only query the model and observe outputs (scores or labels). Strategies include transfer attacks, where adversarial examples crafted on a local surrogate model are used to fool the remote target, exploiting the transferability property.
  • Score-Based vs. Decision-Based: Score-based attacks use output probabilities to estimate gradients, while decision-based attacks use only the final hard-label prediction, requiring more queries.
Full Gradient
White-Box Access
Query-Only
Black-Box Access
04

Physical World Realizability

Advanced evasion attacks extend beyond the digital domain into the physical world. An adversary must ensure the perturbation survives real-world transformations like changes in lighting, viewing angle, and camera noise. Expectation over Transformation (EoT) is a technique that optimizes adversarial examples to remain effective across a distribution of simulated physical conditions. A classic example is the adversarial patch—a robust, localized perturbation printed on a physical object that reliably fools object detectors regardless of its orientation or distance from the camera.

EoT
Robustness Method
Physical
Attack Domain
05

Targeted vs. Untargeted Objectives

The adversary's goal defines the attack's objective:

  • Untargeted Attack: The goal is simply to cause any misclassification—the model predicts any class other than the correct one. This is the easiest objective to achieve.
  • Targeted Attack: The goal is to force the model to predict a specific, attacker-chosen class. This is significantly harder, as the perturbation must not only push the input out of its true class region but also guide it into the precise target class region. For example, forcing a facial recognition system to authenticate an unauthorized individual as a specific administrator.
Any Class
Untargeted Goal
Specific Class
Targeted Goal
06

Adaptive Attack Evaluation

A robust security evaluation must account for adaptive adversaries who know the defense mechanism in place. An adaptive attack is specifically designed to circumvent a known defense. For instance, if a model uses gradient masking (a brittle defense that obfuscates gradients), an adaptive attacker will use Backward Pass Differentiable Approximation (BPDA) to replace the non-differentiable layer with a smooth approximation during the attack. Standardized benchmarks like AutoAttack include an ensemble of adaptive and non-adaptive attacks to prevent inflated robustness claims from obfuscated gradients.

AutoAttack
Standard Benchmark
BPDA
Adaptive Technique
ADVERSARIAL THREAT TAXONOMY

Evasion Attack vs. Data Poisoning vs. Model Inversion

A comparative analysis of three distinct adversarial attack vectors targeting machine learning systems, differentiated by their phase of execution, attacker goal, and required access.

FeatureEvasion AttackData PoisoningModel Inversion

Attack Phase

Inference (Test Time)

Training Time

Inference (Post-Deployment)

Model Integrity Impact

No modification to model

Model parameters corrupted

No modification to model

Primary Goal

Cause misclassification

Implant backdoor or degrade accuracy

Reconstruct training data

Attacker Access Required

Input query access

Training data or pipeline access

API query access to model

Victim Model Knowledge

White-box or Black-box

Gray-box typically

Black-box typically

Defense Strategy

Adversarial training, input sanitization

Data provenance, robust aggregation

Differential privacy, output perturbation

Confidentiality Violation

Integrity Violation

EVASION ATTACKS EXPLAINED

Frequently Asked Questions

Clear, technical answers to the most common questions about how adversaries fool machine learning models at test time without altering the underlying system.

An evasion attack is a cybersecurity exploit that modifies input data at test time to cause a machine learning model to misclassify it, without altering the model's parameters or training data. The attacker crafts adversarial examples by adding small, often imperceptible perturbations to legitimate inputs—such as altering a few pixels in an image or injecting subtle noise into a network packet. These perturbations are calculated by solving an optimization problem that maximizes the model's prediction error while keeping the input distortion within a defined Lp-norm bound (e.g., L∞ or L2). For instance, an attacker might add carefully calculated noise to a stop sign image so that an autonomous vehicle's classifier sees it as a speed limit sign, all while the sign appears completely normal to a human observer. The attack exploits the model's learned decision boundaries, which often contain non-robust features that are highly predictive but semantically meaningless to humans.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.