Inferensys

Glossary

Evasion Attack

An adversarial attack at inference time that modifies an input sample with imperceptible perturbations to cause a model to misclassify it.
Developer testing AI inference on mobile phone in hand, laptop with optimization code visible, casual tech review moment.
ADVERSARIAL THREAT

What is an Evasion Attack?

An evasion attack is an adversarial technique deployed at inference time that modifies an input sample with imperceptible perturbations to cause a machine learning model to misclassify it.

An evasion attack is an adversarial technique deployed exclusively during the inference phase of a model's lifecycle. The attacker crafts a perturbed input—often by adding visually imperceptible noise to an image or subtle modifications to a feature vector—that causes the target model to produce an incorrect output with high confidence. Unlike data poisoning, which corrupts the training pipeline, evasion attacks exploit the learned decision boundaries of an already-trained model without altering its parameters.

In the context of federated model security, evasion attacks pose a significant threat because the global model is exposed to inference queries from multiple untrusted clients. Defenses such as adversarial training, defensive distillation, and certified robustness via randomized smoothing are critical countermeasures. These attacks are closely related to model extraction attacks, where repeated evasion queries can also be used to steal model functionality.

ADVERSARIAL TAXONOMY

Core Characteristics of Evasion Attacks

Evasion attacks exploit a model's learned decision boundaries at inference time by applying imperceptible perturbations to input samples, causing targeted or untargeted misclassification without altering the model itself.

01

Inference-Time Exploitation

Unlike data poisoning or backdoor attacks, evasion attacks occur strictly during model inference. The attacker crafts an adversarial example by solving an optimization problem: finding the minimal perturbation δ that changes the model's prediction while keeping the input visually or semantically identical to a human observer. This temporal distinction is critical for security planning—defenses like adversarial training must harden the model's decision surface, not just filter training data.

02

Perturbation Budgets and Norms

Attack strength is bounded by a perturbation budget (ε), typically measured using Lp norms:

  • L∞ (Chebyshev): Limits the maximum change to any single pixel or feature, producing uniform noise across the input
  • L2 (Euclidean): Constrains the total magnitude of the perturbation vector, often yielding more natural-looking distortions
  • L1 (Manhattan): Encourages sparse perturbations that modify only a few input dimensions
  • L0: Restricts the number of altered features, simulating real-world constraints like physical sticker attacks
03

White-Box vs. Black-Box Attacks

White-box attacks assume full access to model architecture, parameters, and gradients. The Fast Gradient Sign Method (FGSM) and Projected Gradient Descent (PGD) exploit gradient information directly. Black-box attacks operate with only query access, using techniques like:

  • Score-based: Leveraging output probabilities to estimate gradients via finite differences
  • Decision-based: Walking the decision boundary using only hard-label predictions
  • Transfer attacks: Generating adversarial examples on a surrogate model and exploiting cross-model transferability
04

Targeted vs. Untargeted Misclassification

Untargeted attacks simply aim to cause any incorrect prediction—the adversary succeeds if the model outputs any class other than the ground truth. Targeted attacks force the model to output a specific attacker-chosen class. Targeted attacks are significantly harder to execute because they require navigating the model's decision boundary toward a precise region. In medical imaging, a targeted attack could force a diagnostic model to classify a malignant tumor as benign, representing a direct patient safety threat.

05

Physical-World Evasion

Evasion attacks extend beyond digital pixels into the physical domain. Researchers have demonstrated:

  • Adversarial patches: Printed patterns that cause object detectors to ignore stop signs or misidentify persons
  • Adversarial clothing: Specially designed textile patterns that evade person-detection models
  • Sensor-domain attacks: Perturbations in LiDAR point clouds or audio waveforms Physical attacks must account for viewpoint variation, lighting, and sensor noise, making them more challenging but demonstrating real-world security implications for autonomous systems and surveillance.
06

Defense Mechanisms and the Arms Race

No single defense provides complete immunity. Key strategies include:

  • Adversarial training: Augmenting training data with adversarial examples, particularly using PGD-based attacks
  • Gradient masking: Obscuring model gradients through non-differentiable operations, though often defeated by Backward Pass Differentiable Approximation (BPDA)
  • Certified defenses: Techniques like randomized smoothing provide mathematical guarantees of robustness within a specified L2 radius
  • Feature squeezing: Reducing input dimensionality to remove adversarial perturbation space The field exhibits a persistent cat-and-mouse dynamic between attack and defense research.
ADVERSARIAL THREAT TAXONOMY

Evasion Attack vs. Data Poisoning vs. Model Inversion

A comparative analysis of three distinct adversarial attack vectors targeting machine learning pipelines, differentiated by attack surface, timing, and objective.

FeatureEvasion AttackData PoisoningModel Inversion

Attack Timing

Inference time

Training time

Post-training / Inference time

Primary Objective

Misclassification

Model integrity corruption

Training data reconstruction

Attacker Modifies

Input sample

Training dataset

Model queries

Model Integrity Impact

Training Data Confidentiality Impact

Requires Training Data Access

Requires Model Access

Black-box or White-box

Data pipeline access

API or White-box access

Typical Mitigation

Adversarial training, Randomized smoothing

Robust aggregation, Data provenance checks

Differential privacy, Output perturbation

EVASION ATTACKS EXPLAINED

Frequently Asked Questions

Explore the mechanics of inference-time adversarial attacks that manipulate model inputs to force misclassification, and understand the defensive strategies used to mitigate them.

An evasion attack is an adversarial technique executed at inference time where an attacker modifies an input sample with imperceptible perturbations to cause a machine learning model to misclassify it. Unlike data poisoning, which corrupts the training pipeline, evasion attacks target already-deployed models without altering their parameters. The attacker typically crafts an adversarial example by adding a small, carefully calculated noise vector to a legitimate input—such as subtly altering pixels in a medical scan to change a 'malignant' classification to 'benign.' The perturbation is often constrained by an L-p norm (e.g., L-infinity) to remain invisible to human observers. In healthcare federated learning, these attacks are particularly dangerous because a compromised local node could submit adversarial diagnostic inputs that bypass anomaly detection systems, leading to incorrect clinical decisions while appearing completely normal to a radiologist.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.