Fast Gradient Sign Method (FGSM)

FGSM generates adversarial noise by calculating the gradient of the model's loss function with respect to the input. It does not use an iterative optimization process. Instead, it takes a single, large step in the direction that maximizes the loss, using only the sign of the gradient components.

• Core Mechanism: Perturbation = ε * sign(∇_x J(θ, x, y))
• ε (Epsilon): A small scalar hyperparameter that controls the magnitude of the perturbation, constraining it within an L∞ norm ball.
• Sign Function: Using only the sign (+1 or -1) of each gradient component makes the attack computationally trivial and ensures the maximum change per pixel within the epsilon bound.

Unlike iterative methods like Projected Gradient Descent (PGD), FGSM is a one-shot attack. It computes the gradient once and applies the full perturbation in a single step. This makes it extremely fast but often less potent than multi-step attacks against robust models.

• Speed vs. Strength: Its primary advantage is computational efficiency, requiring only one forward and backward pass through the model.
• Linear Approximation: This approach assumes the model's decision boundary is roughly linear within the epsilon neighborhood of the input, which is often a valid assumption for standard, non-robust models.

FGSM constrains the adversarial perturbation using the L∞ norm (also called the max norm). This ensures no single pixel is changed by more than the epsilon value, making the perturbation small and often imperceptible to humans when applied to image data.

• Mathematical Formulation: ||δ||_∞ ≤ ε, where δ is the perturbation.
• Visual Stealth: By limiting the maximum change per pixel, the adversarial example appears visually identical to the original input, which is a hallmark of effective digital attacks.
• Contrast with L2: Other attacks like Carlini & Wagner (C&W) often use L2 norm constraints, which minimize the total squared perturbation across all pixels, resulting in a different noise pattern.

FGSM is a white-box attack, meaning it requires full knowledge of the target model's architecture and parameters to compute the exact gradient. This access is typical in security evaluations where the defender is testing their own model.

• Prerequisite Access: Requires the model's weights (θ) and the ability to perform backpropagation.
• Evaluation Use Case: Its primary value is in adversarial training and benchmarking intrinsic model robustness, not in simulating real-world black-box threats.
• Foundation for Black-Box: Due to the transferability of adversarial examples, FGSM examples crafted on a surrogate model can sometimes attack a black-box target.

The standard formulation of FGSM is an untargeted attack. Its objective is to increase the loss for the true label, causing misclassification to any incorrect class, rather than a specific target class.

• Loss Function: Typically uses cross-entropy loss J(θ, x, y_true). The perturbation is designed to make J larger.
• Targeted Variant: A simple modification exists: Perturbation = -ε * sign(∇_x J(θ, x, y_target)). This pushes the input toward the decision region of a specified target class y_target.
• Simplicity of Goal: The untargeted objective makes the attack easier to execute and is sufficient for demonstrating basic model vulnerability.

FGSM is not just an attack; it is a cornerstone technique for defense. Adversarial training uses FGSM-generated examples during model training to improve adversarial robustness.

• Training Objective: Minimizes loss on both clean and adversarially perturbed examples: θ' = argmin_θ E_(x,y) [J(θ, x, y) + J(θ, x + δ_fgsm, y)].
• Computational Trade-off: Using fast, single-step FGSM makes adversarial training computationally feasible compared to using stronger but slower iterative attacks.
• PGD as Stronger Alternative: While foundational, FGSM-based training can lead to gradient masking. Modern robust training often uses multi-step PGD as a stronger adversary to avoid this pitfall.

Projected Gradient Descent (PGD) is a powerful, iterative white-box attack and the cornerstone of modern adversarial training. It extends the basic FGSM by applying it multiple times with a small step size (ε_step). After each step, the perturbation is projected back onto an ε-sized L_p norm ball (commonly L∞), ensuring it remains within the allowed threat model. This multi-step, constrained optimization makes PGD a much stronger attack than single-step FGSM, providing a more rigorous benchmark for evaluating model robustness. It is considered a universal first-order adversary.

Adversarial training is the primary defensive technique for improving a model's adversarial robustness. It involves augmenting the standard training process by including adversarial examples in the training dataset. A common and effective approach is to use PGD-generated examples during training, forcing the model to learn from its own worst-case mistakes. This creates a min-max optimization problem: the inner maximization generates strong adversarial examples, while the outer minimization updates model parameters to minimize loss on those examples. It is computationally expensive but essential for security-critical applications.

These terms define the attacker's assumed level of access to the target model:

• White-Box Attack: The attacker has full knowledge of the model's architecture, parameters, and gradients. FGSM and PGD are classic white-box attacks, leveraging gradient information directly to craft perturbations.
• Black-Box Attack: The attacker has no internal model knowledge, relying solely on querying the model's input-output API. Attacks are often based on transferability (using a surrogate model) or query-based optimization. Understanding this distinction is crucial for threat modeling and selecting appropriate defensive strategies, as defenses effective against white-box attacks may not stop all black-box methods.

Adversarial robustness is the property of a model that measures its ability to maintain correct predictions under adversarial perturbation. It is quantitatively measured by robust accuracy—the model's classification accuracy on a test set of adversarial examples (e.g., those generated by PGD). This metric is distinct from and often much lower than standard accuracy on clean data. A key challenge in the field is the robustness-accuracy trade-off, where increasing robustness via techniques like adversarial training can sometimes reduce standard performance on benign inputs.

The Carlini & Wagner attack is a powerful, optimization-based white-box attack designed to find the minimal adversarial perturbation required to cause misclassification. Formulated as a constrained optimization problem, it uses a custom loss function and advanced optimizers (like Adam) to search for perturbations that are often smaller and less perceptible than those from FGSM or PGD. It was famously used to break early defensive techniques like defensive distillation, demonstrating that defenses must be evaluated against a suite of strong, diverse attacks. It is computationally more intensive than gradient-sign methods.

A universal adversarial perturbation is a single, input-agnostic noise vector that, when added to most natural images from a data distribution, causes a model to misclassify them. This contrasts with FGSM and PGD, which compute a unique perturbation for each input. The existence of such universal perturbations reveals geometric correlations in the model's decision boundaries across data points. They pose a significant security risk, as a single, fixed perturbation could be applied to many inputs without needing to recompute it, enabling scalable physical-world attacks.