Adversarial Example

An adversarial example is an input deliberately designed to make a machine learning model produce an incorrect output. As Goodfellow and colleagues described in their foundational work, it is formed by applying a small but intentionally worst-case perturbation to a normal input, so that the perturbed input is misclassified with high confidence even though it looks unchanged to a human. The canonical illustration adds an imperceptible pattern to a photo of a panda, causing the classifier to label it a gibbon with near-total certainty.

Why models are fooled

The perturbation can be smaller than one part in 255 of the pixel range, below what a standard image file even records, yet it shifts the input across the model's decision boundary. Goodfellow argued the root cause is the largely linear behavior of neural networks in high-dimensional space, which lets many tiny coordinated changes add up to a large effect on the output. Crucially, these inputs are an evasion attack at inference time, distinct from poisoning, which corrupts training.

Beyond images

Adversarial examples generalize to audio, text, and malware classifiers, and some transfer across models, meaning an example crafted against one model fools another it was never tuned for. That transferability enables black-box attacks where the adversary never sees the target's internals.

Defenses such as adversarial training, input preprocessing, and certified robustness raise the cost but rarely eliminate the threat. For operators relying on models in safety- or security-critical roles, assuming inputs may be adversarial is the prudent baseline. See our entries on model extraction and data poisoning for related attack surfaces.