Inferensys

Glossary

AutoAttack

A standardized, parameter-free ensemble of diverse white-box and black-box attacks used as a reliable benchmark for evaluating a model's empirical adversarial robustness.
ML engineer running AI model benchmarks, performance charts on multiple screens, late night home office setup.
ADVERSARIAL ROBUSTNESS BENCHMARK

What is AutoAttack?

AutoAttack is a standardized, parameter-free ensemble of diverse white-box and black-box attacks used as a reliable benchmark for evaluating a model's empirical adversarial robustness.

AutoAttack is a standardized evaluation protocol that combines four complementary adversarial attacks—two white-box parameter-free variants of APGD (one targeting cross-entropy loss, the other targeting the DLR loss), a white-box FAB attack, and a black-box Square Attack—into a single, computationally efficient ensemble. By removing the need for hyperparameter tuning and step-size scheduling, it provides a reproducible, worst-case estimate of a model's empirical robustness against Lp-norm bounded perturbations.

Widely adopted as the default metric on the RobustBench leaderboard, AutoAttack addresses the common failure mode of gradient masking defenses that fool weaker, single-attack evaluations. Its sequential application of attacks with automatic step-size control ensures that if any vulnerability exists within the defined threat model, the ensemble is highly likely to find it, making it the de facto standard for comparing adversarial training methods and certified robustness claims.

BENCHMARKING ADVERSARIAL ROBUSTNESS

Key Features of AutoAttack

AutoAttack is a parameter-free, ensemble attack method that combines diverse white-box and black-box attacks to provide a reliable, standardized evaluation of a model's empirical adversarial robustness.

01

Parameter-Free Ensemble Design

AutoAttack eliminates the need for manual hyperparameter tuning by combining four diverse attacks: two white-box attacks (APGD-CE and APGD-DLR) and two black-box attacks (FAB and Square Attack). This ensemble automatically adapts to the defense, preventing gradient masking from fooling the evaluation. The parameter-free nature ensures reproducible and comparable results across different models and defenses, making it the standard for RobustBench leaderboard evaluations.

02

Auto-PGD (APGD) Variants

The core white-box component uses Auto-PGD, an improved Projected Gradient Descent that automatically adjusts the step size during the attack. It comes in two loss variants:

  • APGD-CE: Uses cross-entropy loss, effective against standard models
  • APGD-DLR: Uses the Difference of Logits Ratio loss, specifically designed to bypass defenses that rely on logit masking or label smoothing Both variants incorporate a momentum term and restart mechanism to escape local optima.
03

FAB Attack Integration

The Fast Adaptive Boundary (FAB) attack is a white-box method that minimizes the Lp norm of perturbations by iteratively projecting adversarial examples onto the decision boundary. In AutoAttack, FAB is used to generate minimally perturbed adversarial examples, complementing the fixed-epsilon APGD attacks. This combination ensures that defenses relying on obfuscated gradients or non-smooth loss surfaces are reliably evaluated and not incorrectly labeled as robust.

04

Square Attack for Black-Box Evaluation

The Square Attack is a query-efficient, score-based black-box attack that requires only the model's predicted class probabilities. It iteratively selects random square-shaped perturbations and accepts updates that improve the attack objective. Unlike gradient-based methods, Square Attack is immune to gradient masking defenses, making it essential for detecting false robustness claims. Its inclusion ensures AutoAttack evaluates true empirical robustness, not just gradient obfuscation.

05

Standardized Robustness Benchmarking

AutoAttack is the default evaluation protocol for RobustBench, the leading benchmark for adversarial robustness. It provides:

  • Reproducible evaluations with fixed attack parameters
  • Threat model specification using L-infinity or L2 norm constraints
  • Reliable ranking of defenses by measuring robust accuracy under the ensemble This standardization has exposed numerous defenses that relied on gradient masking rather than true robustness, advancing the field toward verifiable security claims.
06

Threat Model and Norm Constraints

AutoAttack operates under a defined threat model with specific perturbation constraints:

  • L-infinity norm: Bounded pixel-wise perturbations (e.g., epsilon = 8/255)
  • L2 norm: Bounded Euclidean distance perturbations
  • Standard version: Combines APGD-CE, APGD-DLR, FAB, and Square Attack
  • Rand version: Adds random restarts for stronger evaluation The choice of norm and epsilon defines the adversarial budget, and AutoAttack provides a reliable lower bound on model robustness within these constraints.
AUTOATTACK EXPLAINED

Frequently Asked Questions

Clear, technical answers to the most common questions about the AutoAttack benchmark, its mechanisms, and its role in evaluating adversarial robustness.

AutoAttack is a parameter-free, standardized ensemble of adversarial attacks used as a reliable benchmark for evaluating a model's empirical adversarial robustness. It works by sequentially executing a diverse set of four attacks—two white-box and two black-box—against a target model without requiring manual hyperparameter tuning. The ensemble includes an APGD (Auto-PGD) attack on the cross-entropy loss, an APGD attack on the DLR (Difference of Logits Ratio) loss, a FAB (Fast Adaptive Boundary) attack, and a Square Attack. By combining these complementary methods, AutoAttack provides a more thorough and trustworthy robustness evaluation than any single attack, eliminating the common pitfall of gradient masking defenses that appear robust against weak attacks but fail under stronger, diverse ones.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.