An evasion attack is an adversarial technique deployed exclusively during the inference phase of a model's lifecycle. The attacker crafts a perturbed input—often by adding visually imperceptible noise to an image or subtle modifications to a feature vector—that causes the target model to produce an incorrect output with high confidence. Unlike data poisoning, which corrupts the training pipeline, evasion attacks exploit the learned decision boundaries of an already-trained model without altering its parameters.
Glossary
Evasion Attack

What is an Evasion Attack?
An evasion attack is an adversarial technique deployed at inference time that modifies an input sample with imperceptible perturbations to cause a machine learning model to misclassify it.
In the context of federated model security, evasion attacks pose a significant threat because the global model is exposed to inference queries from multiple untrusted clients. Defenses such as adversarial training, defensive distillation, and certified robustness via randomized smoothing are critical countermeasures. These attacks are closely related to model extraction attacks, where repeated evasion queries can also be used to steal model functionality.
Core Characteristics of Evasion Attacks
Evasion attacks exploit a model's learned decision boundaries at inference time by applying imperceptible perturbations to input samples, causing targeted or untargeted misclassification without altering the model itself.
Inference-Time Exploitation
Unlike data poisoning or backdoor attacks, evasion attacks occur strictly during model inference. The attacker crafts an adversarial example by solving an optimization problem: finding the minimal perturbation δ that changes the model's prediction while keeping the input visually or semantically identical to a human observer. This temporal distinction is critical for security planning—defenses like adversarial training must harden the model's decision surface, not just filter training data.
Perturbation Budgets and Norms
Attack strength is bounded by a perturbation budget (ε), typically measured using Lp norms:
- L∞ (Chebyshev): Limits the maximum change to any single pixel or feature, producing uniform noise across the input
- L2 (Euclidean): Constrains the total magnitude of the perturbation vector, often yielding more natural-looking distortions
- L1 (Manhattan): Encourages sparse perturbations that modify only a few input dimensions
- L0: Restricts the number of altered features, simulating real-world constraints like physical sticker attacks
White-Box vs. Black-Box Attacks
White-box attacks assume full access to model architecture, parameters, and gradients. The Fast Gradient Sign Method (FGSM) and Projected Gradient Descent (PGD) exploit gradient information directly. Black-box attacks operate with only query access, using techniques like:
- Score-based: Leveraging output probabilities to estimate gradients via finite differences
- Decision-based: Walking the decision boundary using only hard-label predictions
- Transfer attacks: Generating adversarial examples on a surrogate model and exploiting cross-model transferability
Targeted vs. Untargeted Misclassification
Untargeted attacks simply aim to cause any incorrect prediction—the adversary succeeds if the model outputs any class other than the ground truth. Targeted attacks force the model to output a specific attacker-chosen class. Targeted attacks are significantly harder to execute because they require navigating the model's decision boundary toward a precise region. In medical imaging, a targeted attack could force a diagnostic model to classify a malignant tumor as benign, representing a direct patient safety threat.
Physical-World Evasion
Evasion attacks extend beyond digital pixels into the physical domain. Researchers have demonstrated:
- Adversarial patches: Printed patterns that cause object detectors to ignore stop signs or misidentify persons
- Adversarial clothing: Specially designed textile patterns that evade person-detection models
- Sensor-domain attacks: Perturbations in LiDAR point clouds or audio waveforms Physical attacks must account for viewpoint variation, lighting, and sensor noise, making them more challenging but demonstrating real-world security implications for autonomous systems and surveillance.
Defense Mechanisms and the Arms Race
No single defense provides complete immunity. Key strategies include:
- Adversarial training: Augmenting training data with adversarial examples, particularly using PGD-based attacks
- Gradient masking: Obscuring model gradients through non-differentiable operations, though often defeated by Backward Pass Differentiable Approximation (BPDA)
- Certified defenses: Techniques like randomized smoothing provide mathematical guarantees of robustness within a specified L2 radius
- Feature squeezing: Reducing input dimensionality to remove adversarial perturbation space The field exhibits a persistent cat-and-mouse dynamic between attack and defense research.
Evasion Attack vs. Data Poisoning vs. Model Inversion
A comparative analysis of three distinct adversarial attack vectors targeting machine learning pipelines, differentiated by attack surface, timing, and objective.
| Feature | Evasion Attack | Data Poisoning | Model Inversion |
|---|---|---|---|
Attack Timing | Inference time | Training time | Post-training / Inference time |
Primary Objective | Misclassification | Model integrity corruption | Training data reconstruction |
Attacker Modifies | Input sample | Training dataset | Model queries |
Model Integrity Impact | |||
Training Data Confidentiality Impact | |||
Requires Training Data Access | |||
Requires Model Access | Black-box or White-box | Data pipeline access | API or White-box access |
Typical Mitigation | Adversarial training, Randomized smoothing | Robust aggregation, Data provenance checks | Differential privacy, Output perturbation |
Frequently Asked Questions
Explore the mechanics of inference-time adversarial attacks that manipulate model inputs to force misclassification, and understand the defensive strategies used to mitigate them.
An evasion attack is an adversarial technique executed at inference time where an attacker modifies an input sample with imperceptible perturbations to cause a machine learning model to misclassify it. Unlike data poisoning, which corrupts the training pipeline, evasion attacks target already-deployed models without altering their parameters. The attacker typically crafts an adversarial example by adding a small, carefully calculated noise vector to a legitimate input—such as subtly altering pixels in a medical scan to change a 'malignant' classification to 'benign.' The perturbation is often constrained by an L-p norm (e.g., L-infinity) to remain invisible to human observers. In healthcare federated learning, these attacks are particularly dangerous because a compromised local node could submit adversarial diagnostic inputs that bypass anomaly detection systems, leading to incorrect clinical decisions while appearing completely normal to a radiologist.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Evasion attacks exist within a broader ecosystem of adversarial threats and defenses. Understanding these adjacent concepts is critical for building a comprehensive security posture for federated models.
Adversarial Robustness
The quantified resilience of a model against evasion attacks. It measures the minimum perturbation magnitude required to change a prediction. Robustness is often evaluated using adversarial accuracy on benchmark attacks like Projected Gradient Descent (PGD) or AutoAttack. A model with high adversarial robustness maintains correct classification even when inputs are intentionally perturbed within a defined Lp-norm ball.
Gradient Leakage
An attack that reconstructs private local training data from shared model gradients. In federated learning, an honest-but-curious server can iteratively optimize dummy inputs to match observed gradients. Techniques like Deep Leakage from Gradients (DLG) can recover pixel-accurate images and text. This is distinct from evasion attacks, which target inference, but both exploit gradient information.
Federated Adversarial Training
A decentralized training process that incorporates adversarial examples into local client training to improve the global model's robustness against evasion attacks. Each client generates perturbations locally using methods like FGSM or PGD before updating. This distributes the computational cost of adversarial training while preserving data privacy.
Certified Robustness
A formal, mathematical guarantee that a model's prediction will remain constant for any input perturbation within a defined bound. Unlike empirical defenses, certified methods provide provable safety. Randomized smoothing is the most scalable approach, creating a smoothed classifier by aggregating predictions on noise-corrupted inputs. The certified radius quantifies the guaranteed safe region.
Model Extraction Attack
An attack where an adversary systematically queries a target model to reconstruct its functionality or steal learned parameters. While evasion attacks exploit a model, extraction attacks clone it. The attacker uses input-output pairs to train a substitute model. This is particularly dangerous for ML-as-a-Service APIs where query access is unrestricted.
Defensive Distillation
A robustness technique that trains a model on the soft probability outputs of another model rather than hard labels. The distilled model learns a smoother decision surface, reducing the amplitude of adversarial gradients. Originally proposed for neural network compression, it was later shown to provide some resistance to evasion attacks by masking gradient information.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us