Inferensys

Glossary

Projected Gradient Descent (PGD)

A multi-step iterative variant of the Fast Gradient Sign Method that projects perturbations onto an Lp-norm ball, serving as a standard benchmark for evaluating empirical adversarial robustness.
MLOps engineer reviewing model serving infrastructure on laptop, container orchestration visible, technical workspace.
ADVERSARIAL ATTACK METHODOLOGY

What is Projected Gradient Descent (PGD)?

Projected Gradient Descent is a multi-step iterative attack that generates adversarial examples by repeatedly applying the Fast Gradient Sign Method and projecting the result back onto an Lp-norm ball.

Projected Gradient Descent (PGD) is a white-box adversarial attack that iteratively maximizes a model's loss function while constraining the perturbation to an epsilon-bounded Lp-norm ball. Unlike the single-step Fast Gradient Sign Method (FGSM), PGD applies multiple small gradient steps, each followed by a projection operator that clips the perturbation back onto the allowed norm surface, creating a significantly more powerful and reliable evaluation of empirical robustness.

As the de facto standard benchmark for adversarial robustness evaluation, PGD is central to adversarial training defenses. The attack's strength derives from its ability to escape local maxima through random restarts and its formal guarantee that the perturbation remains within the defined threat model. A model's accuracy against PGD-perturbed inputs serves as a lower-bound estimate of its resilience to first-order gradient-based adversaries.

ADVERSARIAL ATTACK METHODOLOGY

Key Characteristics of PGD

Projected Gradient Descent (PGD) is the gold-standard iterative attack for evaluating empirical robustness. It refines the single-step FGSM by repeatedly applying gradient updates and projecting the result back onto an Lp-norm ball, creating a worst-case perturbation.

01

Iterative Multi-Step Refinement

Unlike single-step attacks, PGD applies the Fast Gradient Sign Method (FGSM) repeatedly with a small step size α. After each step, the perturbation is projected back onto the Lp-norm ball (typically L∞) to ensure the adversarial example stays within the allowed threat model.

  • Process: x_{t+1} = Π_{x+S} (x_t + α * sign(∇_x J(θ, x_t, y)))
  • Key Insight: This iterative process finds a much stronger local maximum of the loss function than single-step methods.
  • Standard Setting: Often uses 40 steps (PGD-40) with a step size of ε/10.
40 Steps
Standard Iterations
ε/10
Typical Step Size
02

Lp-Norm Projection Operator

The 'Projected' in PGD refers to the mathematical projection Π that constrains the perturbation. After each gradient step, if the perturbation δ exceeds the allowed budget ε, it is projected back onto the surface of the Lp-ball.

  • L∞ Norm: The most common constraint, limiting the maximum change to any single pixel to ε.
  • L2 Norm: Constrains the Euclidean distance of the perturbation.
  • L1 Norm: Used for sparse perturbations.
  • Purpose: Ensures the attack remains imperceptible or within a defined physical limit.
8/255
Common L∞ Budget (CIFAR-10)
4/255
Common L∞ Budget (ImageNet)
03

Random Initialization (Restarts)

A critical component of a strong PGD evaluation is random initialization. Instead of starting from the original input, the attack begins at a random point within the allowed ε-ball.

  • Avoiding Local Minima: This prevents the optimizer from getting stuck in a shallow local maximum of the loss landscape near the starting point.
  • Standard Practice: Multiple random restarts are performed, and the worst-case example is selected.
  • Gradient Masking Detection: If a defense fails against PGD with restarts but survives without them, it is a strong indicator of obfuscated gradients.
3-10
Typical Restarts
04

Universal First-Order Adversary

PGD is considered a universal first-order adversary, meaning it is the strongest possible attack using only first-order (gradient) information. If a model is robust against PGD, it is empirically robust against all gradient-based attacks.

  • Benchmark Standard: PGD is the primary attack used in RobustBench to rank defenses.
  • Adaptive Evaluation: Defenses must be tested against PGD with full knowledge of the defense mechanism (white-box) to be considered valid.
  • Relationship to Training: Adversarial training uses PGD to generate the training data, making it the de facto standard for building robust models.
~90%
Robust Accuracy Target (CIFAR-10)
05

Loss Maximization Objective

The core objective of PGD is to solve the constrained optimization problem: maximize the model's loss subject to the perturbation being within the allowed set S.

  • Formulation: max_{δ∈S} L(θ, x+δ, y) where S = {δ : ||δ||_p ≤ ε}.
  • Cross-Entropy: Typically maximizes the cross-entropy loss to push the model away from the correct class.
  • Targeted Variant: Can be adapted to minimize loss towards a specific target class, creating a targeted attack.
100%
Attack Success Rate Goal
06

Distinction from FGSM

While FGSM is a single, large step to the boundary of the ε-ball, PGD refines this over many small steps. This makes PGD a significantly stronger attack.

  • FGSM: x_adv = x + ε * sign(∇_x J(θ, x, y)) (one step).
  • PGD: Iterates FGSM with a smaller step size α < ε and projects.
  • Result: Defenses that block FGSM often fail catastrophically against PGD, a phenomenon known as gradient masking.
  • Computational Cost: PGD is k times more expensive than FGSM, where k is the number of iterations.
40x
Cost vs. FGSM
ADVERSARIAL ATTACK METHODOLOGIES

PGD vs. FGSM: A Comparison

A technical comparison of the single-step Fast Gradient Sign Method against the multi-step Projected Gradient Descent attack, highlighting differences in computational cost and empirical threat potency.

FeatureFGSMPGD

Attack Type

Single-Step

Multi-Step Iterative

Optimization Strategy

One large step in gradient direction

Multiple small steps with projection

Computational Cost

Low (1 forward/backward pass)

High (N forward/backward passes)

Perturbation Constraint

L-infinity ball (implicit)

L-p norm ball (explicit projection)

Empirical Attack Strength

Weak to Moderate

Strong (Standard Benchmark)

Gradient Masking Resistance

Random Restarts Utilized

Typical Step Count (N)

1

20-100

ADVERSARIAL ROBUSTNESS

Frequently Asked Questions

Explore the core concepts behind Projected Gradient Descent (PGD), the gold-standard iterative attack used to benchmark and harden machine learning models against adversarial manipulation.

Projected Gradient Descent (PGD) is a multi-step iterative adversarial attack that generates perturbations by repeatedly taking small steps in the direction of the loss gradient and then projecting the result back onto an Lp-norm ball to constrain the perturbation size. Unlike the single-step Fast Gradient Sign Method (FGSM), PGD initializes from a random starting point within the allowed epsilon-ball and performs multiple iterations, making it a significantly stronger and more reliable evaluation metric. The projection step ensures the final adversarial example remains within a mathematically defined distance from the original input, typically bounded by L∞ or L2 norms. This iterative optimization process effectively finds worst-case perturbations that maximize the model's loss, serving as the de facto standard for empirical robustness evaluation in security research.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.