The Lp norm is a generalized distance metric defined as ( ||x||p = (\sum{i=1}^{n} |x_i|^p)^{1/p} ), which calculates the length of a vector from the origin. In adversarial machine learning, it functions as the primary perturbation budget constraint, mathematically bounding how much an attacker can modify an input to ensure the adversarial example remains semantically similar to the original while causing misclassification.
Glossary
Lp Norm

What is Lp Norm?
The Lp norm is a mathematical function that measures the magnitude of a vector in a specific space, serving as the fundamental constraint mechanism for quantifying and limiting the size of adversarial perturbations in machine learning security.
Common variants include the L0 norm, which counts the number of altered pixels and is used in sparse attacks like the Jacobian-based Saliency Map Attack; the L2 norm, which measures Euclidean distance and penalizes large individual deviations; and the L-infinity norm, which limits the maximum change to any single feature and is the constraint underlying Projected Gradient Descent (PGD) attacks. Selecting the appropriate Lp constraint directly shapes the threat model, defining the permissible manipulation space an adversary can exploit.
Key Variants of Lp Norms
The Lp norm defines the magnitude of an adversarial perturbation by measuring the distance between the original and perturbed inputs. Different p-values yield distinct geometric constraints, each with unique attack and defense implications.
L0 Norm: The Sparsity Constraint
Measures the count of altered pixels or features, irrespective of how much each is changed. An L0 attack aims to misclassify by modifying the fewest possible input dimensions.
- Geometric shape: A highly non-convex, cardinality-constrained set.
- Adversarial use: The Jacobian-based Saliency Map Attack (JSMA) iteratively alters the most salient pixel until misclassification.
- Defense challenge: Hard to defend against due to the combinatorial nature of pixel selection.
- Real-world analog: Changing a single word in a legal contract to invert its meaning.
L1 Norm: The Elastic Net
Computes the sum of absolute differences between original and perturbed vectors. It promotes sparsity while still accounting for perturbation magnitude.
- Geometric shape: A diamond-shaped convex polytope.
- Adversarial use: The Elastic-Net Attack (EAD) combines L1 and L2 penalties to generate sparse, minimally distorted adversarial examples.
- Key property: Balances the cardinality focus of L0 with the magnitude sensitivity of L2.
- Defense relevance: Often used as a regularizer in robust training to encourage feature selection.
L2 Norm: The Euclidean Constraint
Measures the straight-line Euclidean distance between the original and adversarial input. It penalizes large individual deviations while tolerating many small changes.
- Geometric shape: A hypersphere (epsilon-ball) centered on the original input.
- Adversarial use: The Carlini & Wagner (C&W) L2 attack is a powerful optimization-based method that minimizes this distance while achieving misclassification.
- Perceptual impact: Produces smooth, diffuse perturbations that are often less perceptible than L-infinity noise.
- Defense standard: Randomized Smoothing provides certified L2 robustness guarantees.
L∞ Norm: The Maximum Perturbation
Constrains the maximum absolute change to any single input dimension. Every pixel or feature can be altered, but none beyond the epsilon bound.
- Geometric shape: A hypercube (axis-aligned box) around the original input.
- Adversarial use: FGSM and PGD are explicitly designed under L∞ constraints, making this the most studied threat model.
- Perceptual impact: Produces a uniform, high-frequency noise pattern across the entire image.
- Defense standard: Adversarial Training with PGD is the de facto baseline for L∞ robustness.
Lp Norm Selection in Threat Modeling
The choice of p is a critical threat model parameter that encodes assumptions about the adversary's capabilities and the perceptual domain.
- L∞ dominates image benchmarks due to its mathematical convenience and alignment with pixel-level constraints.
- L0 and L1 are preferred for text and tabular data, where sparsity reflects real-world manipulation (e.g., altering a single transaction amount).
- L2 is common in audio and signal processing, where total energy deviation matters more than peak amplitude.
- Mismatched norms: A defense evaluated only under L∞ may catastrophically fail against an L0 or L2 attack.
Frequently Asked Questions
Clear, technical answers to the most common questions about Lp norms and their critical role in adversarial machine learning defense.
An Lp norm is a mathematical distance function that measures the magnitude of a vector in a finite-dimensional space, defined as ( |x|p = (\sum{i=1}^{n} |x_i|^p)^{1/p} ) for ( p \geq 1 ). In adversarial machine learning, it serves as the standard metric for constraining the size of an adversarial perturbation—the malicious noise added to a legitimate input to cause misclassification. By bounding the perturbation's Lp norm by a small constant ( \epsilon ), security engineers define the maximum allowable distortion an attacker can introduce, formalizing the threat model. The choice of ( p ) dictates the geometry of the epsilon-ball around the original sample and fundamentally shapes the attack strategy and the corresponding defense mechanism.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Understanding Lp norms requires familiarity with the attack algorithms that exploit them and the defensive training strategies that use them as constraints.
Fast Gradient Sign Method (FGSM)
A foundational white-box attack that leverages the L-infinity norm to generate adversarial examples in a single step. FGSM computes the sign of the gradient of the loss with respect to the input and multiplies it by a small epsilon value, effectively applying the maximum perturbation to every pixel simultaneously.
- Constraint: Explicitly bounded by L-infinity norm
- Perturbation: Uniform magnitude across all input dimensions
- Efficiency: Single-step attack, computationally cheap
- Use Case: Baseline for evaluating empirical robustness
Projected Gradient Descent (PGD) Attack
An iterative, multi-step extension of FGSM that remains constrained within an Lp epsilon-ball around the original input. At each iteration, PGD takes a small step maximizing the loss, then projects the perturbed input back onto the valid norm ball.
- Norm variants: Typically uses L-infinity or L2 constraints
- Random starts: Begins from a random point within the epsilon-ball to avoid gradient masking
- Gold standard: Considered the strongest first-order adversary
- Defense benchmark: Models that survive PGD are considered empirically robust
Adversarial Training
A defensive methodology that augments the training dataset with adversarial examples generated on-the-fly, typically bounded by a specific Lp norm constraint. The model learns to minimize the worst-case loss within the epsilon-ball.
- Min-max formulation: Inner maximization crafts attacks; outer minimization updates weights
- Norm specification: Training must match the threat model's Lp norm (L-infinity for patch attacks, L2 for subtle perturbations)
- Trade-off: Robustness gains often come at the cost of clean accuracy
- Standard implementation: PGD-based adversarial training with L-infinity constraint
Certified Robustness via Randomized Smoothing
A technique that provides a provable guarantee that a model's prediction will not change for any perturbation within a specified L2 radius. It constructs a smoothed classifier by adding Gaussian noise to inputs and returning the most probable prediction.
- Norm guarantee: Certifies robustness under the L2 norm specifically
- Mechanism: Relies on the Neyman-Pearson lemma for Gaussian distributions
- Radius: The certified radius is proportional to the margin between top class probabilities
- Limitation: Certification is conservative; empirical robustness is often higher
Adversarial Patch Attacks
A physically realizable attack that concentrates perturbation into a localized region rather than distributing it across the entire input. This violates the Lp norm constraint paradigm because the perturbation is sparse (low L0) but unbounded in magnitude within the patch.
- Norm violation: High L-infinity within patch, zero elsewhere
- Real-world threat: Printed patches can fool physical-world classifiers
- Defense challenge: Standard Lp-bounded adversarial training is insufficient
- Mitigation: Requires specialized attention-based or patch-detection defenses
AutoAttack Benchmark
A standardized, parameter-free ensemble of diverse attacks used to evaluate empirical robustness. AutoAttack combines multiple Lp norm constraints—including L-infinity and L2 variants—to provide a reliable and reproducible robustness evaluation.
- Ensemble composition: APGD-CE, APGD-DLR, FAB, and Square Attack
- Multi-norm: Tests defenses against both L-infinity and L2 threat models
- Standardization: Eliminates hyperparameter tuning bias in evaluations
- Adoption: Used by RobustBench for leaderboard rankings

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us