Inferensys

Glossary

Lp Norm

A mathematical distance metric used to constrain the magnitude of an adversarial perturbation, with common variants including L0, L2, and L-infinity norms.
Stylish WeWork-like workspace with hot desks and document wall, professional searching through enterprise knowledge base on a mounted ultrawide display, warm industrial pendants overhead.
ADVERSARIAL CONSTRAINT METRIC

What is Lp Norm?

The Lp norm is a mathematical function that measures the magnitude of a vector in a specific space, serving as the fundamental constraint mechanism for quantifying and limiting the size of adversarial perturbations in machine learning security.

The Lp norm is a generalized distance metric defined as ( ||x||p = (\sum{i=1}^{n} |x_i|^p)^{1/p} ), which calculates the length of a vector from the origin. In adversarial machine learning, it functions as the primary perturbation budget constraint, mathematically bounding how much an attacker can modify an input to ensure the adversarial example remains semantically similar to the original while causing misclassification.

Common variants include the L0 norm, which counts the number of altered pixels and is used in sparse attacks like the Jacobian-based Saliency Map Attack; the L2 norm, which measures Euclidean distance and penalizes large individual deviations; and the L-infinity norm, which limits the maximum change to any single feature and is the constraint underlying Projected Gradient Descent (PGD) attacks. Selecting the appropriate Lp constraint directly shapes the threat model, defining the permissible manipulation space an adversary can exploit.

DISTANCE METRICS

Key Variants of Lp Norms

The Lp norm defines the magnitude of an adversarial perturbation by measuring the distance between the original and perturbed inputs. Different p-values yield distinct geometric constraints, each with unique attack and defense implications.

01

L0 Norm: The Sparsity Constraint

Measures the count of altered pixels or features, irrespective of how much each is changed. An L0 attack aims to misclassify by modifying the fewest possible input dimensions.

  • Geometric shape: A highly non-convex, cardinality-constrained set.
  • Adversarial use: The Jacobian-based Saliency Map Attack (JSMA) iteratively alters the most salient pixel until misclassification.
  • Defense challenge: Hard to defend against due to the combinatorial nature of pixel selection.
  • Real-world analog: Changing a single word in a legal contract to invert its meaning.
1-2%
Typical pixel alteration rate
02

L1 Norm: The Elastic Net

Computes the sum of absolute differences between original and perturbed vectors. It promotes sparsity while still accounting for perturbation magnitude.

  • Geometric shape: A diamond-shaped convex polytope.
  • Adversarial use: The Elastic-Net Attack (EAD) combines L1 and L2 penalties to generate sparse, minimally distorted adversarial examples.
  • Key property: Balances the cardinality focus of L0 with the magnitude sensitivity of L2.
  • Defense relevance: Often used as a regularizer in robust training to encourage feature selection.
03

L2 Norm: The Euclidean Constraint

Measures the straight-line Euclidean distance between the original and adversarial input. It penalizes large individual deviations while tolerating many small changes.

  • Geometric shape: A hypersphere (epsilon-ball) centered on the original input.
  • Adversarial use: The Carlini & Wagner (C&W) L2 attack is a powerful optimization-based method that minimizes this distance while achieving misclassification.
  • Perceptual impact: Produces smooth, diffuse perturbations that are often less perceptible than L-infinity noise.
  • Defense standard: Randomized Smoothing provides certified L2 robustness guarantees.
0.5-3.0
Typical epsilon range (CIFAR-10)
04

L∞ Norm: The Maximum Perturbation

Constrains the maximum absolute change to any single input dimension. Every pixel or feature can be altered, but none beyond the epsilon bound.

  • Geometric shape: A hypercube (axis-aligned box) around the original input.
  • Adversarial use: FGSM and PGD are explicitly designed under L∞ constraints, making this the most studied threat model.
  • Perceptual impact: Produces a uniform, high-frequency noise pattern across the entire image.
  • Defense standard: Adversarial Training with PGD is the de facto baseline for L∞ robustness.
8/255
Standard epsilon (ImageNet)
PGD-40
Benchmark attack iteration
05

Lp Norm Selection in Threat Modeling

The choice of p is a critical threat model parameter that encodes assumptions about the adversary's capabilities and the perceptual domain.

  • L∞ dominates image benchmarks due to its mathematical convenience and alignment with pixel-level constraints.
  • L0 and L1 are preferred for text and tabular data, where sparsity reflects real-world manipulation (e.g., altering a single transaction amount).
  • L2 is common in audio and signal processing, where total energy deviation matters more than peak amplitude.
  • Mismatched norms: A defense evaluated only under L∞ may catastrophically fail against an L0 or L2 attack.
LP NORM ESSENTIALS

Frequently Asked Questions

Clear, technical answers to the most common questions about Lp norms and their critical role in adversarial machine learning defense.

An Lp norm is a mathematical distance function that measures the magnitude of a vector in a finite-dimensional space, defined as ( |x|p = (\sum{i=1}^{n} |x_i|^p)^{1/p} ) for ( p \geq 1 ). In adversarial machine learning, it serves as the standard metric for constraining the size of an adversarial perturbation—the malicious noise added to a legitimate input to cause misclassification. By bounding the perturbation's Lp norm by a small constant ( \epsilon ), security engineers define the maximum allowable distortion an attacker can introduce, formalizing the threat model. The choice of ( p ) dictates the geometry of the epsilon-ball around the original sample and fundamentally shapes the attack strategy and the corresponding defense mechanism.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.