Skip to main content
TopAIThreats home TOP AI THREATS
Technical Attack

Adversarial Perturbation

A carefully calculated modification to an input — often imperceptible to humans — that causes a machine learning model to produce an incorrect or attacker-chosen output. Adversarial perturbations exploit the mathematical properties of neural network decision boundaries rather than flaws in traditional software logic.

Security & Cyber

Definition

An adversarial perturbation is a deliberate, often minimal modification to an input that causes a machine learning model to misclassify or produce incorrect outputs. In the image domain, this might be pixel-level changes invisible to the human eye that cause a classifier to mistake a stop sign for a speed limit sign. In the text domain, perturbations include character substitutions, synonym replacements, or sentence restructuring that changes a model’s sentiment classification or toxicity score. In the audio domain, inaudible modifications can cause speech recognition systems to transcribe attacker-chosen text. The perturbation is calculated using knowledge of the model’s gradient, decision boundary, or observed input-output behaviour.

How It Relates to AI Threats

Adversarial perturbations are the technical mechanism behind adversarial evasion attacks within the Security and Cyber Threats domain. When AI systems are deployed for safety-critical decisions — autonomous driving, medical diagnosis, malware detection, content moderation — adversarial perturbations can cause dangerous misclassifications. An attacker can perturb malware samples to evade AI-based antivirus detection, modify phishing emails to bypass AI content filters, or alter images to defeat facial recognition systems. The perturbation approach applies across white-box (full model access) and black-box (API-only access) attack scenarios.

Why It Occurs

  • Neural networks learn high-dimensional decision boundaries that contain exploitable regions far from the training data distribution
  • The linear nature of many neural network components means small input changes can produce large output shifts
  • Transfer attacks allow perturbations crafted against one model to succeed against different models trained on similar data
  • Publicly available attack toolkits (CleverHans, Foolbox, ART) lower the barrier to generating adversarial perturbations
  • Defenses such as adversarial training improve robustness but cannot eliminate all exploitable regions in high-dimensional input spaces

Real-World Context

Adversarial perturbation research has demonstrated successful attacks against commercial image classifiers, autonomous vehicle perception systems, speech recognition services, and natural language processing pipelines. Szegedy et al. (2014) first identified adversarial perturbations in deep neural networks. Subsequent research has shown that physical-world perturbations — printed patches, modified road signs, adversarial audio — can attack deployed systems. MITRE ATLAS catalogues adversarial perturbation as a core technique in its adversarial ML taxonomy.

Related Threat Patterns

Adversarial Evasion Security & Cyber

Related Terms

Adversarial Attack Evasion Attack Adversarial Training Robustness
← Back to Glossary → Taxonomy → All Domains

Last updated: 2026-04-03