The Carlini-Wagner (C&W) attack is an optimization-based adversarial attack that generates minimally perturbed inputs to cause misclassification. Formulated by Nicholas Carlini and David Wagner, it solves an optimization problem that minimizes a distance metric—typically the L2 norm—subject to a constraint that the model classifies the perturbed input as a target class. Unlike simpler methods like Fast Gradient Sign Method (FGSM), the C&W attack directly optimizes for minimal distortion.
Glossary
Carlini-Wagner Attack (C&W)

What is Carlini-Wagner Attack (C&W)?
The Carlini-Wagner (C&W) attack is a powerful optimization-based adversarial attack that finds the minimal perturbation necessary to force a misclassification in a neural network.
The attack's objective function uses a margin-based loss, often implemented with a logit difference, to ensure the target class logit exceeds the original class logit by a confidence margin κ. By tuning κ, an attacker controls the confidence of the misclassification. The C&W attack is widely considered a benchmark for evaluating adversarial robustness because it consistently defeats defensive distillation and exposes gradient masking in poorly designed defenses.
C&W Attack vs. Other Adversarial Attacks
A technical comparison of the Carlini-Wagner (C&W) attack against other prominent adversarial example generation methods across key operational dimensions.
| Feature | C&W Attack | PGD | FGSM | DeepFool |
|---|---|---|---|---|
Optimization Objective | Lagrangian formulation minimizing Lp distance subject to misclassification constraint | Maximizes loss via iterative projected gradient steps within an epsilon-ball | Single-step gradient ascent on loss function with fixed epsilon perturbation | Iteratively projects input onto closest linearized decision hyperplane |
Perturbation Magnitude | Minimal (explicitly minimized) | Bounded by epsilon (fixed budget) | Fixed epsilon (large, non-minimal) | Minimal (approximated) |
Iterative | ||||
Targeted Attack Capability | ||||
Distance Metrics Supported | L0, L2, L∞ | L∞, L2 | L∞ | L2 |
Confidence Margin Control | ||||
Computational Cost | High (binary search + Adam optimizer) | Moderate (multiple gradient steps) | Very Low (single gradient step) | Moderate (iterative projections) |
Bypasses Defensive Distillation |
Key Characteristics of the C&W Attack
The Carlini-Wagner attack is a powerful optimization-based method for generating adversarial examples. It distinguishes itself by finding perturbations that are often orders of magnitude smaller than those produced by simpler gradient-based attacks, making it a critical benchmark for evaluating model robustness.
Optimization-Based Formulation
Unlike single-step methods like FGSM, the C&W attack is an iterative optimization process. It formulates the attack as minimizing a loss function with two competing objectives:
- Minimize Perturbation Size: Reduce the distance between the original and adversarial input, typically using an L2 norm.
- Induce Misclassification: Ensure the model's output satisfies a specific adversarial condition. This is solved using gradient descent, often with the Adam optimizer, allowing for precise control over the trade-off between perturbation visibility and attack success.
The Objective Function f(x')
A core innovation is the tailored objective function, f(x'), which defines the misclassification goal. It is designed to be zero only when the attack succeeds. Common formulations include:
- Targeted Attack:
f(x') = max(Z(x')_t - max_{i≠t} Z(x')_i, -κ). This forces the target classtlogit to exceed all others by a marginκ. - Untargeted Attack:
f(x') = max(Z(x')_o - max_{i≠o} Z(x')_i, -κ). This forces the original classologit to no longer be the maximum. The confidence parameterκcontrols how strongly the adversarial example is pushed past the decision boundary, with higher values creating more robust, transferable attacks.
Overcoming Gradient Masking
The C&W attack is notoriously effective at defeating defensive distillation and other defenses that cause gradient masking. It achieves this through key design choices:
- Logit-Space Optimization: Instead of operating on the softmax output probabilities, which can be saturated and yield near-zero gradients, the attack optimizes directly on the pre-softmax logits (Z).
- Change of Variables: To enforce pixel value constraints (e.g., 0-1 range), the attack uses a
tanhchange-of-variables. The optimizer works on an unconstrained variablew, wherex' = 0.5 * (tanh(w) + 1). This eliminates the need for clipping gradients, ensuring smooth optimization.
Multiple Distance Metrics (Lp Norms)
The C&W framework is flexible and can generate adversarial examples optimized for different perceptual similarity measures:
- L2 Attack: Minimizes the Euclidean distance between the original and adversarial image. This produces small, distributed perturbations across many pixels.
- L0 Attack: Minimizes the number of pixels that are altered. It iteratively uses the L2 attack to find unimportant pixels and fixes them, effectively creating a sparse perturbation.
- L∞ Attack: Minimizes the maximum change to any single pixel. It penalizes the largest individual pixel modification, ensuring no single pixel deviates too far from the original.
Benchmark for Robustness Evaluation
Due to its strength, the C&W attack has become a standard minimum bar for evaluating adversarial defenses. A defense is not considered credible unless it can withstand a high-confidence C&W attack.
- White-Box Standard: It is used as a primary white-box evaluation metric in academic papers to measure worst-case model robustness.
- Defense Validation: If a proposed defense achieves high accuracy against FGSM or PGD but fails against C&W, it is often a sign of gradient obfuscation rather than true robustness.
- Attack Baselines: Tools like IBM's Adversarial Robustness Toolbox (ART) include C&W implementations, solidifying its role as a foundational benchmark.
Computational Cost and Transferability
The primary drawback of the C&W attack is its high computational cost. It requires thousands of iterative optimization steps per sample, making it significantly slower than FGSM or PGD.
- Adversarial Training Limitation: This cost makes it impractical for on-the-fly data augmentation during adversarial training, where PGD is preferred for its speed.
- High Transferability: Despite being a white-box attack, the adversarial examples generated by C&W often exhibit strong black-box transferability. The high-confidence margin
κcreates examples that fool the source model so decisively that they frequently transfer to other independently trained models.
Frequently Asked Questions
Clear, technically precise answers to the most common questions about the Carlini-Wagner attack, its mechanisms, and its implications for adversarial machine learning security.
The Carlini-Wagner (C&W) attack is an optimization-based adversarial attack that finds the minimal perturbation necessary to cause a misclassification in a neural network. Unlike simpler gradient-based methods, C&W formulates the attack as an optimization problem that minimizes a distance metric—typically the L2 norm—subject to a misclassification constraint. The attack introduces an auxiliary variable w where the perturbation is expressed as δ = 0.5 * (tanh(w) + 1) - x to enforce box constraints naturally. The objective function minimize ||δ||_p + c * f(x + δ) balances perturbation size against a loss function f that is satisfied only when the target misclassification occurs. A binary search over the constant c finds the smallest perturbation that achieves the adversarial goal. This formulation makes C&W one of the most powerful and reliable white-box attacks, consistently defeating defensively distilled networks that resisted earlier methods like FGSM and PGD.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Understanding the Carlini-Wagner attack requires familiarity with the broader landscape of adversarial machine learning. The following concepts represent the key attack methodologies, defensive strategies, and mathematical frameworks that define this domain.
Gradient Masking
A phenomenon where a defense gives a false sense of security by producing obfuscated or useless gradients, preventing gradient-based attacks like C&W from converging. This is not true robustness. Attackers can bypass gradient masking using black-box attacks, transfer attacks, or by substituting a differentiable approximation of the model.
- Shattered gradients: Non-differentiable operations that break gradient flow.
- Stochastic gradients: Randomized defenses that produce noisy gradient estimates.
- C&W attacks often expose gradient masking by succeeding where FGSM fails.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us