An evasion attack targets the inference phase of a model's lifecycle. The adversary crafts an adversarial perturbation—a subtle, often imperceptible modification to a malicious transaction or identity profile—that causes the model to misclassify it as legitimate. Unlike a poisoning attack, which corrupts the training pipeline, evasion attacks exploit blind spots in the model's learned decision boundary without requiring any access to or modification of the underlying model weights or architecture.
Glossary
Evasion Attack

What is Evasion Attack?
An evasion attack is a type of adversarial attack where a malicious actor modifies a fraudulent sample at inference time to bypass a deployed machine learning detection model without altering the model's internal parameters or training data.
In financial fraud detection, an evasion attack might involve slightly altering transaction amounts, timestamps, or merchant categories to fall below a risk threshold. Defenses include adversarial training, which augments training data with adversarial examples, and adversarial detection mechanisms that flag suspicious inputs before inference. Robustness against evasion is evaluated using standardized benchmarks like AutoAttack, which tests a model's resilience against an ensemble of adaptive, white-box attack strategies.
Key Characteristics of Evasion Attacks
Evasion attacks exploit the blind spots in a model's decision boundary at inference time. Unlike poisoning, the adversary does not alter the training data; they craft a malicious payload that is deliberately structured to appear benign to the detector.
Inference-Time Manipulation
The defining characteristic of an evasion attack is that it occurs exclusively during inference. The model's learned parameters and architecture remain untouched. The adversary modifies the input sample—such as a transaction amount, a user agent string, or a sequence of API calls—to cross a decision boundary. In financial fraud, this often manifests as feature value perturbation, where a high-risk transaction is subtly restructured to mimic a legitimate one without changing the underlying malicious intent.
Adversarial Perturbation Crafting
Attackers generate adversarial perturbations—minimal, often imperceptible noise added to the feature vector. In tabular financial data, this might involve slightly adjusting a transaction frequency or rounding a dollar amount to a statistically common value. The goal is to maximize the model's loss function while minimizing the distance between the original and perturbed sample. Techniques like the Fast Gradient Sign Method (FGSM) or Projected Gradient Descent (PGD) are used to compute these perturbations, exploiting the model's local linearity.
White-Box vs. Black-Box Access
Evasion attacks are categorized by the adversary's knowledge level. White-box attacks assume full access to the model's architecture, gradients, and parameters, enabling precise gradient-based perturbation. Black-box attacks rely solely on query access, observing output scores or decisions. In a black-box financial scenario, an attacker might probe a fraud scoring API with thousands of slightly modified transactions to map the decision boundary, a technique known as a score-based attack or decision-based attack.
Transferability Across Models
A critical property of adversarial examples is transferability. An evasion sample crafted to fool a surrogate model—perhaps a locally trained fraud detector—often succeeds against a different, remote target model. This occurs because both models learn similar decision boundaries from the underlying data distribution. Attackers exploit this by training a substitute model on synthetically labeled data obtained via API queries, then launching a transfer attack against the production system.
Physical and Digital Realizability
Evasion attacks must respect domain-specific constraints to remain valid. In financial systems, a perturbed transaction cannot violate business logic—it must still pass basic schema validation and maintain a valid account structure. This is the financial equivalent of an adversarial patch in computer vision. The attacker operates within a feasible feature space, often using Expectation over Transformation (EOT) to ensure the malicious sample remains effective despite preprocessing steps like normalization or feature binning.
Adaptive Attack Resilience
The most dangerous evasion attacks are adaptive, meaning they are designed with full knowledge of the defense mechanisms in place. If a fraud model uses gradient masking or input preprocessing as a defense, an adaptive attacker will use Backward Pass Differentiable Approximation (BPDA) to circumvent it. True robustness can only be measured against an adversary who tailors their attack strategy to the specific defense, making adaptive evaluation the gold standard for security testing.
Frequently Asked Questions
Clear, technical answers to the most common questions about how adversaries bypass machine learning fraud detection systems at inference time without altering the underlying model.
An evasion attack is an adversarial technique where a malicious actor modifies a fraudulent sample at inference time to cause a trained machine learning model to misclassify it as legitimate, without altering the model's internal parameters or training data. In financial fraud detection, this typically involves manipulating transaction features—such as amount, timing, geolocation, or merchant category—to slip past a deployed anomaly scoring system. Unlike poisoning attacks that corrupt the training pipeline, evasion attacks exploit blind spots in the model's learned decision boundary. The attacker iteratively probes the model's response, applying small, often imperceptible perturbations until the fraudulent activity is classified as benign. This makes evasion attacks particularly dangerous for real-time fraud scoring pipelines where models are exposed to public-facing APIs or where adversaries can infer decision thresholds through repeated querying.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Core concepts for understanding how adversaries bypass fraud detection models and the defensive techniques used to harden systems against them.
Adversarial Perturbation
A carefully crafted, often imperceptible modification to an input sample designed to cause a machine learning model to misclassify it. In financial fraud, this could mean subtly altering transaction features—such as amount, timing, or merchant category—to slip past a detection threshold.
- Lp-norm constraints bound perturbation magnitude
- Can be targeted (force specific misclassification) or untargeted (any wrong class)
- Feature-space attacks modify derived attributes rather than raw inputs
Adversarial Training
A defensive technique that augments the training dataset with adversarial examples to improve a model's robustness against evasion attacks. The model learns to correctly classify both clean and perturbed samples by solving a min-max optimization problem.
- Projected Gradient Descent (PGD) is the standard attack used during training
- Trades off natural accuracy for adversarial robustness
- TRADES loss balances this trade-off via KL divergence regularization
Gradient Masking
A defensive phenomenon where a model's gradients are useless for generating attacks, often providing a false sense of security against adaptive adversaries. This occurs when defenses create shattered gradients (non-smooth loss surfaces), stochastic gradients, or vanishing gradients.
- Not a genuine robustness property
- Easily circumvented by black-box transfer attacks
- BPDA (Backward Pass Differentiable Approximation) bypasses non-differentiable components
Adaptive Attack
A white-box attack methodology specifically designed with full knowledge of a defense mechanism to circumvent it. The gold standard for robustness evaluation—if a defense fails against an adaptive attack, it provides no real security.
- Assumes attacker knows all defense parameters
- Modifies attack algorithm to account for preprocessing, detection, and randomization
- AutoAttack provides a standardized, parameter-free ensemble for reliable benchmarking
Certified Robustness
A formal, mathematical guarantee that a model's prediction will remain constant for any input perturbation within a defined radius. Unlike empirical defenses, certification provides provable worst-case bounds against all possible attacks.
- Randomized smoothing constructs a smoothed classifier with probabilistic guarantees
- Interval bound propagation propagates input bounds through the network
- Certification radius is typically measured in L2 or L-infinity norms
Black-Box Attack
An attack that relies solely on querying a model to observe its output decisions or scores without any knowledge of its internal architecture or parameters. Highly practical against fraud detection APIs where model internals are proprietary.
- Score-based attacks use confidence scores to estimate gradients via finite differences
- Decision-based attacks use only hard label predictions (e.g., blocked/approved)
- Transfer attacks generate examples on a surrogate model and apply them to the target

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us