Adversarial AI Attacks: Techniques and Defenses
Adversarial AI attacks encompass a family of techniques that deliberately manipulate machine learning models by exploiting structural vulnerabilities in how those models process and classify data. This page covers the principal attack categories, the mechanical operations behind them, the causal conditions that enable them, and the defensive frameworks that practitioners and regulators reference. The subject intersects with US federal AI governance, NIST standards for AI risk management, and the broader AI Cyber Authority directory of cybersecurity service providers operating in this domain.
- Definition and scope
- Core mechanics or structure
- Causal relationships or drivers
- Classification boundaries
- Tradeoffs and tensions
- Common misconceptions
- Checklist or steps
- Reference table or matrix
Definition and scope
Adversarial AI attacks are deliberate inputs or modifications engineered to cause machine learning (ML) systems to produce incorrect, manipulated, or unintended outputs. The NIST AI Risk Management Framework (AI RMF 1.0), published by the National Institute of Standards and Technology in January 2023, classifies adversarial threats as a primary subcategory of AI trustworthiness failures, placing them alongside data poisoning, model extraction, and inference attacks (NIST AI RMF 1.0).
The scope of adversarial attacks extends across image recognition, natural language processing (NLP), autonomous vehicle perception systems, financial fraud detection models, and medical diagnostic AI. Attacks may target models at inference time (evasion attacks), at training time (poisoning attacks), or at the model access layer (extraction and inversion attacks). The MITRE ATLAS (Adversarial Threat Landscape for Artificial-Intelligence Systems) matrix, maintained by MITRE Corporation, catalogs over 70 discrete adversarial ML tactics, techniques, and procedures (TTPs) as of its publicly available release versions (MITRE ATLAS).
Federal regulatory attention has grown with Executive Order 14110 (October 2023), which directed multiple agencies — including NIST, the Department of Homeland Security (DHS), and the Department of Defense (DoD) — to develop standards for adversarial testing and red-teaming of frontier AI models. The scope of regulated AI systems under this order includes those deployed in critical infrastructure, national security contexts, and consumer-facing applications with significant societal impact.
Core mechanics or structure
Adversarial attacks operate by identifying and exploiting the decision boundaries of ML models. A trained neural network partitions input space into regions corresponding to output classes. Adversarial inputs are crafted to sit near or cross those boundaries while remaining perceptually or functionally indistinguishable from legitimate inputs.
Evasion attacks — the most studied category — apply small perturbations to inputs at inference time. The Fast Gradient Sign Method (FGSM), introduced in Goodfellow et al. (2014), calculates the gradient of the loss function with respect to the input and shifts pixel values by a single step in the direction that maximizes loss. This produces adversarial images that fool classifiers with perturbations as small as ε = 0.007 in normalized pixel space, a quantity imperceptible to human observers.
Projected Gradient Descent (PGD) attacks, formalized by Madry et al. (2017) and referenced in NIST IR 8269, iterate FGSM multiple times within a constrained perturbation budget, producing stronger adversarial examples. PGD is widely used as the baseline attack for evaluating adversarial robustness in academic and government testing protocols.
Poisoning attacks inject malicious samples into training datasets. Backdoor poisoning embeds a trigger pattern — a specific pixel arrangement, phrase, or signal artifact — that causes the model to misclassify any input containing that trigger at inference time. Clean-label attacks achieve the same effect without mislabeling training data, making detection substantially harder.
Model extraction attacks use repeated queries to reconstruct a functionally equivalent copy of a target model without accessing its weights. Researchers demonstrated in Tramèr et al. (2016) that logistic regression and shallow neural networks can be extracted with fewer than 1,000 API queries.
Model inversion and membership inference attacks reconstruct training data or determine whether specific records were used in training, raising direct privacy implications under frameworks such as HIPAA (45 CFR §164) for health AI and the FTC Act Section 5 for consumer AI fairness and deception.
Causal relationships or drivers
Three structural conditions drive the practical feasibility of adversarial attacks on deployed ML systems.
Model overparameterization — the use of neural networks with tens of millions to hundreds of billions of parameters trained on finite datasets — creates a high-dimensional input space in which adversarial directions are abundant. Research published in proceedings of NeurIPS and ICML consistently demonstrates that adversarial vulnerability is a function of model dimensionality, not dataset size alone.
Transferability is a second enabling factor. Adversarial examples crafted against one model architecture frequently transfer to different architectures trained on the same task, enabling black-box attacks where the attacker has no direct model access. This property was documented in Papernot et al. (2016) and has direct operational implications for deployed API-based AI services.
Data supply chain opacity enables training-time attacks. When ML pipelines incorporate scraped web data, third-party datasets, or crowd-sourced labeling, the provenance and integrity of training samples are frequently unverifiable. NIST SP 800-218A (Secure Software Development Framework for AI/ML), published in 2024, identifies data provenance validation as a critical control gap in the majority of surveyed ML deployment pipelines (NIST SP 800-218A).
Classification boundaries
Adversarial attacks are classified along three primary axes: attack timing, adversary knowledge, and attack goal.
Attack timing distinguishes training-time attacks (poisoning, backdoor insertion) from inference-time attacks (evasion, model extraction). These require different defensive architectures — training-time defenses include data auditing and provenance controls, while inference-time defenses include input preprocessing and anomaly detection.
Adversary knowledge separates white-box attacks (full access to model weights and architecture) from gray-box attacks (partial access, e.g., confidence scores) and black-box attacks (output labels only). The difficulty of mounting an attack scales with decreasing knowledge, though transferability partially collapses this gradient.
Attack goal separates targeted attacks (cause misclassification to a specific wrong class) from untargeted attacks (cause any misclassification). Targeted attacks on safety-critical systems — such as stop sign misclassification in autonomous vehicles — carry significantly higher operational risk than untargeted evasion.
The MITRE ATLAS matrix organizes these distinctions into a structured taxonomy consistent with ATT&CK conventions, allowing security teams to map adversarial ML threats against existing enterprise security workflows. The AI Cyber Authority resource index provides structural guidance on navigating service providers aligned to these threat categories.
Tradeoffs and tensions
Robustness vs. accuracy. Adversarial training — augmenting training data with adversarial examples — is the most empirically validated defense method, referenced in NIST AI RMF Playbook actions AI-MT-1.1 through AI-MT-1.3. However, robust models consistently exhibit reduced accuracy on clean inputs. Madry et al. documented accuracy drops of 3–10 percentage points on CIFAR-10 when training with PGD-based augmentation. This creates a deployment tension in regulated sectors where both classification accuracy and adversarial robustness carry compliance implications.
Detection vs. concealment. Perturbation detection methods — including statistical tests such as Feature Squeezing and JPEG compression preprocessing — can flag adversarial inputs but are susceptible to adaptive attacks that specifically minimize detection signatures. Oblivious defenses (those not accounting for adversary adaptation) are routinely defeated by adaptive adversaries, a point formalized in Carlini and Wagner (2017), a paper frequently cited in NIST and DHS adversarial AI guidance.
Open publication vs. operational security. Publication of attack methods in academic literature accelerates both offensive capability and defensive research simultaneously. The DHS Cybersecurity and Infrastructure Security Agency (CISA) AI Roadmap (2023) acknowledges this dual-use tension and frames it as a coordination challenge for the AI security community (CISA AI Roadmap 2023).
Common misconceptions
Misconception: Adversarial vulnerabilities are a laboratory artifact. Demonstrated deployments in physical-world conditions — including 3D-printed adversarial objects and printed stop sign patches — have been documented in peer-reviewed research and replicated by multiple independent teams. Physical-world attacks are an operational risk, not a theoretical one.
Misconception: Input filtering eliminates adversarial risk. Filtering approaches such as JPEG compression and spatial smoothing provide partial mitigation against specific attack families. Adaptive adversaries who know the filter architecture routinely bypass these controls, as documented in the Carlini and Wagner (2017) analysis of 10 published defenses, all of which were defeated under adaptive threat models.
Misconception: Only neural networks are vulnerable. Support vector machines, decision trees, and ensemble methods such as gradient-boosted trees are all susceptible to adversarial manipulation. NIST IR 8269 explicitly covers adversarial risk across classical ML architectures, not only deep learning.
Misconception: Model complexity determines adversarial robustness. Larger models are not inherently more robust. Adversarial robustness requires explicit training procedures — certified defenses (randomized smoothing, interval bound propagation) or adversarial augmentation — rather than scale alone.
Checklist or steps
The following phases represent the standard adversarial ML assessment workflow as structured in NIST AI RMF Playbook MEASURE and MANAGE functions and MITRE ATLAS evaluation protocols. This is a descriptive sequence of professional assessment practice, not prescriptive operational advice.
Phase 1 — Threat modeling
- Identify ML components in the system and their roles in decision-making
- Classify each component by attack surface: training pipeline, inference API, model storage
- Map applicable adversarial TTPs from MITRE ATLAS to identified components
- Determine adversary knowledge assumptions (white-box, gray-box, black-box)
Phase 2 — Attack surface enumeration
- Document all data ingestion points in training pipelines
- Enumerate external query interfaces available to unauthenticated or low-privilege callers
- Identify model outputs exposed to end users (class labels, confidence scores, embeddings)
Phase 3 — Adversarial testing
- Execute evasion attack baselines (FGSM, PGD, C&W) under white-box conditions
- Execute black-box transfer attacks using surrogate model construction
- Execute data poisoning simulation on training pipeline copies
- Apply membership inference probes to model API endpoints
Phase 4 — Defense evaluation
- Apply adversarial training and measure clean accuracy degradation
- Test input preprocessing defenses under adaptive adversary conditions
- Evaluate certified defenses (randomized smoothing) for certification radius coverage
- Document residual risk per NIST AI RMF GOVERN function requirements
Phase 5 — Documentation and governance
- Produce adversarial risk register entries linked to system risk tier
- Align findings to applicable regulatory frameworks (CISA guidelines, OMB Memorandum M-24-10 for federal AI)
- Schedule recurring red-team exercises per NIST AI RMF continuous improvement cadence
The AI Cyber Authority directory scope page describes the professional service categories — red team operators, adversarial ML researchers, and AI security auditors — that execute these assessment phases.
Reference table or matrix
| Attack Category | Timing | Adversary Knowledge | Primary Target | MITRE ATLAS Coverage | Key Defense Mechanism |
|---|---|---|---|---|---|
| FGSM / PGD Evasion | Inference | White-box | Image, NLP classifiers | AML.T0043 | Adversarial training |
| Carlini-Wagner (C&W) | Inference | White-box | Deep neural networks | AML.T0043 | Certified defenses |
| Backdoor / Trojan | Training | White-box / Black-box | Image, NLP, malware classifiers | AML.T0020 | Data provenance auditing |
| Clean-label Poisoning | Training | Black-box | Supervised classifiers | AML.T0020 | Training data filtering |
| Model Extraction | Inference | Black-box | API-served models | AML.T0024 | Query rate limiting, output perturbation |
| Membership Inference | Inference | Black-box | Models trained on sensitive data | AML.T0024.001 | Differential privacy, output confidence suppression |
| Model Inversion | Inference | Gray-box / White-box | Generative and classification models | AML.T0024.002 | Confidence score masking |
| Physical-world Adversarial | Inference | Gray-box | Vision systems, autonomous vehicles | AML.T0043.001 | Sensor fusion, ensemble robustness |
References
- NIST AI Risk Management Framework (AI RMF 1.0) — National Institute of Standards and Technology, January 2023
- NIST SP 800-218A: Secure Software Development Framework for AI/ML — NIST, 2024
- MITRE ATLAS: Adversarial Threat Landscape for Artificial-Intelligence Systems — MITRE Corporation
- CISA 2023–2024 Roadmap for Artificial Intelligence — Cybersecurity and Infrastructure Security Agency
- NIST IR 8269: A Taxonomy and Terminology of Adversarial Machine Learning — NIST
- Executive Order 14110 on Safe, Secure, and Trustworthy AI — The White House, October 2023
- OMB Memorandum M-24-10: Advancing Governance, Innovation, and Risk Management for Agency Use of AI — Office of Management and Budget
- ATT&CK Framework — MITRE Corporation — Foundational taxonomy referenced in ATLAS construction