Targeted Attack

The defining feature of a targeted attack is the adversary's precise goal. Instead of causing any misclassification, the attacker aims to steer the model toward a specific, incorrect output class. For example, causing an autonomous vehicle's vision system to classify a stop sign as a 'yield' sign, or a financial fraud detector to label a fraudulent transaction as 'legitimate'. This requires more sophisticated perturbation crafting than untargeted attacks, as the adversarial example must not only cross a decision boundary but land within a specific, often distant, region of the output space.

Targeted attacks are generally more computationally complex and require larger perturbations than their untargeted counterparts. This is because the optimization problem is more constrained: the adversarial example must maximize the probability of the target class while simultaneously minimizing the probability of the true class and all other classes. Algorithms like the Carlini & Wagner (C&W) attack are explicitly designed for this purpose, formulating it as a minimization problem with a custom loss function that penalizes any output other than the desired target.

Targeted attacks are often framed as a constrained optimization. The adversary seeks a minimal perturbation δ added to a clean input x such that:

• f(x + δ) = y_target (model predicts the target class)
• ||δ||_p ≤ ε (perturbation is small under a p-norm, e.g., L₂ or L_∞) This formulation is central to white-box attacks like C&W and Projected Gradient Descent (PGD) when configured for a target. The objective function directly encodes the distance to the target class's decision region, making the attack's success measurable and reproducible for benchmarking adversarial robustness.

In red-teaming and security audits, targeted attacks are a critical stress test. They simulate a worst-case scenario where an adversary has a concrete, harmful objective. Successfully executing a targeted attack against a model reveals deeper vulnerabilities than an untargeted one. Evaluating a model's robust accuracy against targeted attacks provides a stringent measure of its reliability in high-stakes applications like content moderation (forcing a harmful post to be classified as 'safe') or medical diagnosis (forcing a malignant scan to be classified as 'benign').

Targeted attacks share conceptual ground with backdoor attacks, but operate at different phases. A backdoor attack is a poisoning attack executed during training, where a model learns to associate a trigger pattern with a specific target label. At inference, any input containing the trigger causes the targeted misclassification. In contrast, a standard targeted attack is an evasion attack at inference time on a clean model. Both aim for a specific incorrect output, making the analysis of a model's susceptibility to targeted perturbations a key part of defending against potential backdoors.

Adversarial examples crafted for a targeted attack on one model are generally less transferable to other models than those from untargeted attacks. This is because the precise perturbations needed to reach a specific class in one model's high-dimensional feature space are often highly specific to that model's unique weight geometry. While transfer attacks are possible, targeted transferability is a weaker phenomenon, making black-box targeted attacks more challenging and often requiring extensive query-based attack strategies to approximate the target model's decision boundaries.

An adversarial attack where the adversary's sole objective is to cause the model to output any incorrect prediction, without specifying a particular wrong class. This is a broader, less constrained goal than a targeted attack.

• Primary Goal: Cause misclassification, not control the specific error.
• Evaluation Use: Often used as a baseline for measuring a model's general vulnerability to perturbation.
• Example: Modifying an image of a cat just enough so the model calls it a 'dog', 'car', or any other label besides 'cat'.

An adversarial attack executed at inference time, where a malicious input is crafted to bypass a deployed model's detection or classification. Both targeted and untargeted attacks are subtypes of evasion attacks.

• Phase of Operation: Post-deployment, during model inference.
• Contrast with Poisoning: Differs from data poisoning, which occurs during the training phase.
• Real-World Context: The most direct threat to production AI systems, such as fooling a content filter or biometric scanner.

A powerful, optimization-based white-box attack method designed to generate adversarial examples with minimal perturbation. It is particularly effective for executing precise targeted attacks.

• Methodology: Formulates attack generation as an optimization problem, minimizing perturbation subject to the constraint of causing the target misclassification.
• Key Use Case: A standard benchmark for evaluating the strength of adversarial defenses and distillation techniques.
• Precision: Excels at finding the smallest possible changes needed to achieve a targeted misclassification.

A strong, iterative white-box attack and the cornerstone for modern adversarial training. PGD applies the Fast Gradient Sign Method (FGSM) multiple times with a small step size, projecting perturbations back to a valid norm ball after each step.

• Strength: Considered a universal first-order adversary; a model robust to PGD is often robust to many other attacks.
• Role in Training: Adversarial training using PGD-generated examples is a leading defense technique.
• Versatility: Can be easily configured for both targeted and untargeted attack objectives.

An attack where an adversarial example crafted against one model (the surrogate model) is also effective against a different, potentially black-box, target model. This property enables practical black-box targeted attacks.

• Mechanism: Relies on the transferability of adversarial perturbations between models trained on similar data.
• Black-Box Application: An adversary can train their own surrogate model, craft a targeted attack against it, and often have it transfer to the unknown target.
• Security Implication: Means that even without internal model access, targeted attacks are feasible.

A model's classification accuracy measured on a test set that includes adversarial examples. It provides a more comprehensive measure of real-world reliability than standard accuracy.

• Key Metric: The primary benchmark for evaluating a model's defense against evasion attacks, including targeted ones.
• Calculation: Typically reported as accuracy under attack from a specific threat model (e.g., "PGD robust accuracy").
• Trade-off: Often exists between standard accuracy and robust accuracy; improving one can reduce the other.