Inferensys

Glossary

Projected Gradient Descent (PGD)

Projected Gradient Descent (PGD) is a powerful iterative white-box attack method that generates adversarial examples by taking multiple small gradient steps and projecting the perturbation back onto an epsilon-ball constraint.
Developer reviewing multi-agent chat interface on laptop, agent conversation logs visible, casual coding session at WeWork desk.
ADVERSARIAL ATTACK METHODOLOGY

What is Projected Gradient Descent (PGD)?

Projected Gradient Descent (PGD) is a powerful iterative white-box attack that generates adversarial examples by repeatedly applying the Fast Gradient Sign Method (FGSM) with a small step size and projecting the result back onto an epsilon-ball constraint.

Projected Gradient Descent (PGD) is a multi-step variant of the Fast Gradient Sign Method (FGSM) that solves a constrained optimization problem to find the strongest possible adversarial perturbation within a specified Lp-norm budget. Starting from a random initialization within the allowed epsilon-ball, PGD iteratively takes gradient steps in the direction that maximizes the model's loss, followed by a projection operation that clips the perturbation back onto the feasible set. This max_{||δ||_p ≤ ε} L(f(x+δ), y) formulation makes PGD a universal first-order adversary, widely considered the benchmark for evaluating adversarial robustness.

The attack's strength derives from its random restart capability and iterative refinement, which mitigates the risk of converging to poor local maxima. By using a step size α smaller than the total epsilon budget ε, PGD systematically explores the loss landscape within the constraint boundary. Models trained adversarially against PGD—a process known as PGD-based adversarial training—exhibit empirical robustness against a wide range of other first-order attacks, making it the de facto standard for min-max optimization in robust model development.

ADVERSARIAL ATTACK MECHANICS

Key Characteristics of PGD

Projected Gradient Descent (PGD) is the de facto standard for evaluating adversarial robustness. It operationalizes the min-max threat model by iteratively maximizing loss while enforcing an Lp-norm constraint.

01

Iterative Multi-Step Optimization

Unlike single-step methods like FGSM, PGD solves the inner maximization problem through multiple gradient ascent steps. Starting from a random initialization within the epsilon-ball, it repeatedly computes the gradient of the loss with respect to the input and takes a small step in that direction. Each step is followed by a projection operator that snaps the perturbation back onto the feasible set, ensuring the adversarial example remains within the allowed L∞ or L2 budget. This iterative refinement finds significantly stronger adversaries than one-shot attacks.

02

Random Initialization Strategy

A critical component of PGD is the random start before iterative optimization begins. Rather than starting from the original clean input, PGD initializes the perturbation uniformly within the epsilon-ball. This prevents the optimizer from getting stuck in shallow local maxima near the decision boundary. Multiple random restarts are often employed to increase attack success rates, making PGD a reliable lower bound for worst-case empirical robustness.

03

Projection onto the Epsilon-Ball

The 'Projected' in PGD refers to the constraint enforcement mechanism. After each gradient step, the perturbed input is projected back onto the Lp-norm ball of radius epsilon centered at the original input. For L∞ attacks, this is a simple clipping operation that bounds each pixel's perturbation independently. For L2 attacks, the perturbation vector is rescaled to have a norm no greater than epsilon. This projection guarantees the adversarial example remains imperceptible or within the threat model's defined budget.

04

Universal First-Order Adversary

Madry et al. (2018) demonstrated that PGD is a universal adversary among first-order attacks—if a model is robust against PGD, it is empirically robust against all gradient-based attacks. This insight established PGD as the primary benchmark for adversarial training. The attack leverages only first-order gradient information, making it computationally tractable for deep networks while still exposing vulnerabilities that gradient-masking defenses attempt to hide.

05

Step Size and Iteration Scheduling

PGD's effectiveness depends on two hyperparameters: step size (alpha) and number of iterations (k). The step size is typically set as a fraction of epsilon (e.g., alpha = epsilon / 4), balancing convergence speed with granularity. The iteration count controls the attack budget—more steps yield stronger adversaries but increase compute cost. Common configurations include PGD-20 (20 steps) for evaluation and PGD-7 or PGD-10 for adversarial training, representing a trade-off between attack strength and training throughput.

06

Role in Adversarial Training

PGD serves as the canonical attack for adversarial training, where models are trained on PGD-generated examples rather than clean data. This min-max procedure—minimizing model loss against a PGD adversary that maximizes it—produces state-of-the-art empirical robustness. Models trained with PGD adversarial training exhibit flattened loss landscapes and smoother decision boundaries, making them resistant to a wide family of first-order attacks beyond the specific PGD configuration used during training.

WHITE-BOX ATTACK TAXONOMY

PGD vs. Other Adversarial Attacks

Comparative analysis of Projected Gradient Descent against other canonical gradient-based and optimization-based adversarial attack methodologies.

FeatureProjected Gradient Descent (PGD)Fast Gradient Sign Method (FGSM)Carlini-Wagner (C&W) L2

Attack Category

Iterative Gradient-Based

Single-Step Gradient-Based

Optimization-Based

Iterative Steps

Multiple (k-step)

Single (1-step)

Multiple (convergence-driven)

Perturbation Constraint

L∞-norm (epsilon-ball projection)

L∞-norm (no explicit projection)

L2-norm (penalized in objective)

Computational Cost

Moderate (k forward/backward passes)

Low (single forward/backward pass)

High (per-sample optimization loop)

Attack Strength (Empirical)

High (strongest first-order attack)

Low to Moderate

Very High (near-minimal perturbation)

Gradient Masking Resistance

Typical Use Case

Adversarial training benchmark

Baseline vulnerability assessment

Minimal perturbation discovery

Misclassification Target

Untargeted or Targeted

Untargeted

Targeted

PROJECTED GRADIENT DESCENT

Frequently Asked Questions

Clear, technical answers to the most common questions about the PGD attack algorithm, its implementation, and its role in adversarial robustness research.

Projected Gradient Descent (PGD) is a powerful iterative white-box adversarial attack that generates adversarial examples by repeatedly applying the Fast Gradient Sign Method (FGSM) in small steps and projecting the result back onto an epsilon-ball constraint. The algorithm initializes a perturbation, often randomly within the allowed L∞-norm ball, and then iteratively computes the gradient of the loss function with respect to the input. At each step, it takes a small step in the direction that maximizes the loss, and crucially, projects the perturbed input back onto the valid constraint set to ensure the perturbation magnitude never exceeds the specified epsilon threshold. This projection step is what distinguishes PGD from simpler iterative methods and makes it the de facto standard for evaluating worst-case adversarial robustness. The multi-step nature allows PGD to find stronger adversarial examples than single-step methods like FGSM by effectively climbing the loss landscape within the constrained region.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.