Inferensys

Glossary

AutoAttack

A standardized, parameter-free ensemble of diverse adversarial attacks used as a reliable benchmark for evaluating empirical adversarial robustness.
Finance professional using AI FP&A copilot on laptop, board presentation visible on screen, home office work session.
ADVERSARIAL ROBUSTNESS BENCHMARK

What is AutoAttack?

AutoAttack is a standardized, parameter-free ensemble of diverse adversarial attacks used as a reliable benchmark for evaluating empirical adversarial robustness.

AutoAttack is a parameter-free ensemble of four diverse adversarial attacks—APGD-CE, APGD-DLR, FAB, and Square Attack—designed to provide a standardized, reliable evaluation of a model's empirical adversarial robustness. By combining both white-box and black-box attacks without requiring manual tuning, it eliminates the common pitfall of gradient masking defenses that produce misleadingly high accuracy scores against weak, poorly configured attacks.

Developed by Francesco Croce and Matthias Hein, AutoAttack has become the default metric in RobustBench, a widely recognized leaderboard for adversarial defenses. Its adaptive, ensemble nature ensures that a model's reported robustness is not an artifact of a single attack's failure, making it the gold standard for comparing adversarial training techniques and certified robustness methods in financial fraud detection and other security-critical domains.

BENCHMARKING STANDARD

Key Features of AutoAttack

A parameter-free, ensemble-based attack framework that serves as the most reliable and widely-adopted standard for evaluating empirical adversarial robustness in machine learning models.

01

Parameter-Free Ensemble Design

AutoAttack combines four diverse attack algorithms into a single, standardized evaluation protocol that requires no manual tuning. The ensemble includes:

  • APGD-CE: Auto-PGD on the cross-entropy loss
  • APGD-DLR: Auto-PGD on the difference of logits ratio loss
  • FAB-T: Fast Adaptive Boundary attack, targeted variant
  • Square Attack: A query-efficient black-box attack This diversity prevents defenses from overfitting to a single attack type, ensuring a holistic robustness assessment.
02

Automatic Step-Size Scheduling

Unlike standard PGD attacks that require manual step-size tuning, AutoAttack's APGD component dynamically adjusts the step size during optimization based on the optimization trajectory. It uses a momentum-based update rule and automatically halves the step size when the loss plateaus, ensuring convergence without human intervention. This eliminates the common pitfall of gradient masking defenses exploiting poorly tuned attacks.

03

Reliable Robustness Evaluation

AutoAttack has become the de facto standard for evaluating defenses on benchmarks like RobustBench. Its reliability stems from:

  • No hyperparameter tuning: Eliminates human bias in attack configuration
  • Complementary attack types: White-box gradient attacks + black-box query attacks
  • Adaptive evaluation: Designed to counter common obfuscated gradient defenses A defense that withstands AutoAttack is considered genuinely robust, not just resilient to a specific, poorly-configured attack.
04

Standard Threat Models

AutoAttack supports two canonical evaluation settings:

  • L∞ (L-infinity): Bounded perturbations where each pixel or feature can change by at most ε, typically ε = 8/255 for CIFAR-10
  • L2: Euclidean distance-bounded perturbations, typically ε = 0.5 for CIFAR-10 Both settings use a fixed budget across all samples, enabling fair, apples-to-apples comparisons between different defense mechanisms published in the literature.
05

Integration with RobustBench

AutoAttack is the official evaluation engine behind RobustBench, the leading leaderboard for adversarial robustness research. RobustBench enforces a strict protocol:

  • Defenses are evaluated exclusively with AutoAttack
  • Results are reproducible with standardized threat models
  • Leaderboard rankings are based on robust accuracy under AutoAttack This integration has driven the community toward more honest and comparable robustness claims since 2020.
06

Adaptive Attack Readiness

AutoAttack is designed to counter gradient masking and obfuscated gradients, a class of defenses that appear robust only because gradient-based attacks fail. The inclusion of Square Attack, a score-based black-box method that does not rely on gradients, ensures that defenses relying on shattered or stochastic gradients are still thoroughly tested. This makes AutoAttack a strong proxy for an adaptive adversary with full knowledge of the defense.

AUTOATTACK EXPLAINED

Frequently Asked Questions

Clear, technical answers to the most common questions about the AutoAttack benchmark, its components, and its role in evaluating adversarial robustness.

AutoAttack is a standardized, parameter-free ensemble of four diverse adversarial attacks used as a reliable benchmark for evaluating the empirical adversarial robustness of machine learning models. It works by sequentially applying a suite of complementary attacks—APGD-CE, APGD-DLR, FAB, and Square Attack—against a target model without requiring manual tuning. The framework automatically adjusts its internal step sizes and runs until a convergence criterion is met, producing a final robust accuracy score that has become the de facto standard in the research community. Because it requires no hyperparameter optimization from the evaluator, AutoAttack eliminates the common pitfall of gradient masking defenses appearing robust simply because the attack was poorly configured.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.