Inferensys

Glossary

Evasion Attack

An attack type where an adversary modifies a malicious sample at inference time to bypass a detection model without altering the model's internal parameters.
Developer testing AI inference on mobile phone in hand, laptop with optimization code visible, casual tech review moment.
ADVERSARIAL THREAT VECTOR

What is Evasion Attack?

An evasion attack is a type of adversarial attack where a malicious actor modifies a fraudulent sample at inference time to bypass a deployed machine learning detection model without altering the model's internal parameters or training data.

An evasion attack targets the inference phase of a model's lifecycle. The adversary crafts an adversarial perturbation—a subtle, often imperceptible modification to a malicious transaction or identity profile—that causes the model to misclassify it as legitimate. Unlike a poisoning attack, which corrupts the training pipeline, evasion attacks exploit blind spots in the model's learned decision boundary without requiring any access to or modification of the underlying model weights or architecture.

In financial fraud detection, an evasion attack might involve slightly altering transaction amounts, timestamps, or merchant categories to fall below a risk threshold. Defenses include adversarial training, which augments training data with adversarial examples, and adversarial detection mechanisms that flag suspicious inputs before inference. Robustness against evasion is evaluated using standardized benchmarks like AutoAttack, which tests a model's resilience against an ensemble of adaptive, white-box attack strategies.

ATTACK TAXONOMY

Key Characteristics of Evasion Attacks

Evasion attacks exploit the blind spots in a model's decision boundary at inference time. Unlike poisoning, the adversary does not alter the training data; they craft a malicious payload that is deliberately structured to appear benign to the detector.

01

Inference-Time Manipulation

The defining characteristic of an evasion attack is that it occurs exclusively during inference. The model's learned parameters and architecture remain untouched. The adversary modifies the input sample—such as a transaction amount, a user agent string, or a sequence of API calls—to cross a decision boundary. In financial fraud, this often manifests as feature value perturbation, where a high-risk transaction is subtly restructured to mimic a legitimate one without changing the underlying malicious intent.

02

Adversarial Perturbation Crafting

Attackers generate adversarial perturbations—minimal, often imperceptible noise added to the feature vector. In tabular financial data, this might involve slightly adjusting a transaction frequency or rounding a dollar amount to a statistically common value. The goal is to maximize the model's loss function while minimizing the distance between the original and perturbed sample. Techniques like the Fast Gradient Sign Method (FGSM) or Projected Gradient Descent (PGD) are used to compute these perturbations, exploiting the model's local linearity.

03

White-Box vs. Black-Box Access

Evasion attacks are categorized by the adversary's knowledge level. White-box attacks assume full access to the model's architecture, gradients, and parameters, enabling precise gradient-based perturbation. Black-box attacks rely solely on query access, observing output scores or decisions. In a black-box financial scenario, an attacker might probe a fraud scoring API with thousands of slightly modified transactions to map the decision boundary, a technique known as a score-based attack or decision-based attack.

04

Transferability Across Models

A critical property of adversarial examples is transferability. An evasion sample crafted to fool a surrogate model—perhaps a locally trained fraud detector—often succeeds against a different, remote target model. This occurs because both models learn similar decision boundaries from the underlying data distribution. Attackers exploit this by training a substitute model on synthetically labeled data obtained via API queries, then launching a transfer attack against the production system.

05

Physical and Digital Realizability

Evasion attacks must respect domain-specific constraints to remain valid. In financial systems, a perturbed transaction cannot violate business logic—it must still pass basic schema validation and maintain a valid account structure. This is the financial equivalent of an adversarial patch in computer vision. The attacker operates within a feasible feature space, often using Expectation over Transformation (EOT) to ensure the malicious sample remains effective despite preprocessing steps like normalization or feature binning.

06

Adaptive Attack Resilience

The most dangerous evasion attacks are adaptive, meaning they are designed with full knowledge of the defense mechanisms in place. If a fraud model uses gradient masking or input preprocessing as a defense, an adaptive attacker will use Backward Pass Differentiable Approximation (BPDA) to circumvent it. True robustness can only be measured against an adversary who tailors their attack strategy to the specific defense, making adaptive evaluation the gold standard for security testing.

EVASION ATTACKS EXPLAINED

Frequently Asked Questions

Clear, technical answers to the most common questions about how adversaries bypass machine learning fraud detection systems at inference time without altering the underlying model.

An evasion attack is an adversarial technique where a malicious actor modifies a fraudulent sample at inference time to cause a trained machine learning model to misclassify it as legitimate, without altering the model's internal parameters or training data. In financial fraud detection, this typically involves manipulating transaction features—such as amount, timing, geolocation, or merchant category—to slip past a deployed anomaly scoring system. Unlike poisoning attacks that corrupt the training pipeline, evasion attacks exploit blind spots in the model's learned decision boundary. The attacker iteratively probes the model's response, applying small, often imperceptible perturbations until the fraudulent activity is classified as benign. This makes evasion attacks particularly dangerous for real-time fraud scoring pipelines where models are exposed to public-facing APIs or where adversaries can infer decision thresholds through repeated querying.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.