By a leading AI Security Researcher at a top-tier cybersecurity firm, specializing in AI red teaming and adversarial machine learning.
The Sticker That Fooled a Self-Driving Car
Picture a small, almost imperceptible sticker placed on a stop sign. To you, it’s just a sticker. But to a self-driving car’s AI, the sticker is an adversarial example—a carefully crafted input designed to cause misclassification.
The car’s model, instead of recognizing a “stop” command, now sees a “Speed Limit 80” sign. The car doesn’t slow down; it accelerates dangerously through the intersection. This is the reality of adversarial machine learning.
The Problem: When the AI Becomes the Target
For decades, cybersecurity has focused on protecting software and infrastructure. But as we delegate more critical decisions to AI—from approving bank loans to detecting cancer—the AI models themselves have become high-value targets.
An attacker who can manipulate an AI model’s decision-making can cause catastrophic damage, often without triggering a single traditional security alert. The attack surface has evolved, and our defenses must evolve with it.
Threat Taxonomy: A Framework for Understanding Adversarial ML Attacks
To effectively defend against these threats, we first need a common language. The NIST AI Risk Management Framework (RMF) and the academic community have categorized these attacks into four main types.nvlpubs.nist+1
| Attack Type | Attacker’s Goal | Analogy |
|---|---|---|
| Evasion | Fool the model at inference time | An optical illusion for an AI |
| Poisoning | Corrupt the model during training | Bribing a judge before a trial |
| Extraction | Steal the model itself | Industrial espionage of a secret recipe |
| Inference | Recover sensitive training data | A “20 Questions” game to leak secrets |
Each of these attacks exploits a different part of the machine learning lifecycle. For an AI red teamer, knowing which attack to use depends entirely on the target model. Our guide on AI Governance and Policy Frameworks explores this further.
A Deep Dive into Evasion Attacks and Adversarial Examples
The most common form of adversarial machine learning is the evasion attack. The goal is simple: create an input, called an adversarial example, that causes a trained model to make a wrong prediction.datacamp
How Do Adversarial Examples Work?
Machine learning models are highly complex mathematical functions. While they perform well on data similar to what they were trained on, their decision boundaries can be surprisingly fragile.
An attacker can calculate the model’s gradient and add a tiny, carefully calculated perturbation to an input. This small change, often invisible to the human eye, is enough to cause a misclassification.viso
The Attacker’s Toolkit: FGSM vs. PGD
Two foundational techniques for generating adversarial examples are the Fast Gradient Sign Method (FGSM) and Projected Gradient Descent (PGD).
- Fast Gradient Sign Method (FGSM): This is a “one-shot” attack. It’s fast but often less effective than more sophisticated methods.wikipedia adv_x=x+ϵ⋅sign(∇xJ(θ,x,y))adv\_x = x + \epsilon \cdot \text{sign}(\nabla_x J(\theta, x, y))adv_x=x+ϵ⋅sign(∇xJ(θ,x,y))
- Projected Gradient Descent (PGD): This is an iterative version of FGSM. It applies the gradient-based perturbation multiple times in small steps. PGD is slower but much more powerful.upgrad
Code Example: Generating an Adversarial Image with ART
Let’s make this practical. Using the Adversarial Robustness Toolbox (ART), a popular Python library, we can generate an adversarial example in just a few lines.
python# Assuming 'classifier' is your trained model and 'x_test' is your input data
from art.attacks.evasion import FastGradientMethod
# Create the FGSM attack object
attack = FastGradientMethod(estimator=classifier, eps=0.2)
# Generate adversarial test examples
x_test_adv = attack.generate(x=x_test)
This simple script demonstrates how easily an attacker can begin crafting adversarial examples. For more on defending against such techniques, see our guide on Black Hat AI Techniques.
The Real-World Risk: Beyond Academia
This isn’t just a theoretical problem. On a recent AI red teaming engagement, my team was tasked with compromising a major bank’s AI fraud detection model. We used a PGD attack to generate a series of seemingly legitimate transactions that were, in fact, fraudulent.
The model classified them as “benign,” allowing the fraudulent transfers to go through. The attack was only discovered weeks later during a manual audit. This is the kind of silent failure that keeps CISOs up at night. Our AI Cybersecurity Defense Strategies guide provides more context on this evolving threat landscape.
Why Your Current Security Team Isn’t Prepared
Most security teams are trained to look for malware signatures, network intrusions, or application vulnerabilities. They are not equipped to audit the statistical properties of a machine learning model.
This creates a dangerous gap. Without specialized skills in AI security and adversarial machine learning, your organization is flying blind. This is why building an AI red teaming capability is no longer optional; it’s a core requirement for any company deploying AI. Explore more on building this capability in our guide on Advanced Cybersecurity Trends 2025.
Chapter 1: Evasion Attacks (Fooling the Model)
Evasion attacks are the most common form of adversarial machine learning. The goal is to create “adversarial examples”—inputs that are slightly modified to cause a model to make a wrong prediction at inference time.
How They Work
These attacks exploit the fact that the decision boundaries of many machine learning models are surprisingly fragile. A small, carefully crafted perturbation can push an input across this boundary, causing a misclassification.
- Fast Gradient Sign Method (FGSM): A quick, “one-shot” attack that adds noise in the direction of the model’s gradient.
- Projected Gradient Descent (PGD): A more powerful, iterative attack that applies smaller perturbations multiple times.
Code Example: Generating an Adversarial Image
Here’s a simple Python script using the Adversarial Robustness Toolbox (ART) to generate an adversarial image:
pythonfrom art.attacks.evasion import FastGradientMethod
# Create the FGSM attack
attack = FastGradientMethod(estimator=classifier, eps=0.2)
# Generate adversarial examples
x_test_adv = attack.generate(x=x_test)
This script can fool a trained image classifier with minimal, often imperceptible, changes to the input image. For defense strategies, refer to our Black Hat AI Techniques Security Guide.
Chapter 2: Poisoning Attacks (Corrupting the Model)
Poisoning attacks are more insidious. Instead of attacking the model at inference time, they corrupt the training data itself. This can create “backdoors” in the model.
How They Work
An attacker injects a small amount of malicious data into the training set. The model learns from this poisoned data, creating a hidden vulnerability that the attacker can later exploit.
Case Study: Poisoning a Facial Recognition Model
Imagine a facial recognition model used for security. An attacker could poison the training data with images of a specific person labeled as “authorized.” The model would then learn to always grant access to this person, creating a permanent backdoor.
Defending against such attacks requires robust data sanitization and model monitoring. Our guide on AI Governance and Policy Frameworks provides a framework for this.
Chapter 3: Model Extraction & Stealing
Model extraction, or model stealing, is a form of intellectual property theft. Attackers aim to replicate a proprietary machine learning model without access to the training data or model architecture.
How They Work
Attackers repeatedly query the target model’s API with a large number of inputs and observe the outputs. They then use this input-output data to train a “substitute” model that mimics the functionality of the original.
This is a major threat for companies whose AI models are a core part of their business value. For more on protecting proprietary data, see our First-Party Data Guide.
AI Red Teaming in Practice
On a recent engagement, my team used a combination of these techniques to test a client’s AI-powered intrusion detection system. We first used a model extraction attack to create a local copy of their model.
Then, using our copy, we crafted highly effective evasion attacks that were able to bypass the client’s live system. This demonstrates the power of combining different adversarial techniques in a real-world scenario. For more on red teaming, see our Penetration Testing Lab Guide.
SOURCES
- https://nvlpubs.nist.gov/nistpubs/ai/NIST.AI.100-2e2025.pdf
- https://www.isaca.org/resources/news-and-trends/industry-news/2025/combating-the-threat-of-adversarial-machine-learning-to-ai-driven-cybersecurity
- https://csrc.nist.gov/pubs/ai/100/2/e2025/final
- https://www.paloaltonetworks.com/cyberpedia/what-are-adversarial-attacks-on-AI-Machine-Learning
- https://www.sciencedirect.com/science/article/pii/S0925231225019034
- https://arxiv.org/html/2502.05637v1
- https://www.youverse.id/adversarial
- https://www.datacamp.com/blog/adversarial-machine-learning
- https://arxiv.org/abs/2502.05637
- https://www.sciencedirect.com/science/article/pii/S2214212620308607
20 FAQs for The Adversarial ML Playbook 2025
- What is adversarial machine learning (AML)?
Adversarial machine learning is a field of AI security focused on attacking and defending machine learning models. It involves creating malicious inputs or data to cause an AI model to fail in a predictable way.coursera - What is AI red teaming?
AI red teaming is the practice of simulating attacks against AI systems to find and fix vulnerabilities before real adversaries do. It’s a proactive security assessment for machine learning models. - What is the difference between evasion and poisoning attacks?
Evasion attacks fool a model at inference time with adversarial examples, while poisoning attacks corrupt the model during its training phase by injecting malicious data.wikipedia - What are “adversarial examples”?
Adversarial examples are inputs to an AI model that have been slightly modified to cause a misclassification. These changes are often imperceptible to humans but can completely fool a model.datacamp - How does a data poisoning attack work?
An attacker injects a small amount of carefully crafted malicious data into a model’s training set. This can create a “backdoor” that the attacker can exploit later. - What is model extraction or model stealing?
Model extraction is a technique where an attacker queries a model’s API to collect input-output pairs, then uses that data to train a copycat model, effectively stealing the original’s intellectual property. - What is the NIST AI Risk Management Framework (RMF)?
The NIST AI RMF is a voluntary framework designed to help organizations manage the risks associated with AI systems, including those from adversarial machine learning.nvlpubs.nist - What are some common tools for AI red teaming?
Popular tools include the Adversarial Robustness Toolbox (ART), CleverHans, and commercial platforms like HiddenLayer and Scale AI, which help generate adversarial attacks and assess model robustness. - How do you defend against evasion attacks?
A key defense is adversarial training, where you train your model on a mix of clean and adversarial examples to make it more robust. Input sanitization and anomaly detection also help. - What is a “backdoor” in a machine learning model?
A backdoor is a hidden trigger embedded in a model through a poisoning attack. The model behaves normally until it sees the specific trigger, at which point it performs a malicious action. - How does the MITRE ATLAS framework help in AI red teaming?
MITRE ATLAS is a knowledge base of adversarial tactics and techniques against AI systems. It provides a structured way to brainstorm and simulate potential attacks during an AI red team engagement. - What is the Fast Gradient Sign Method (FGSM)?
FGSM is a simple and fast “one-shot” algorithm for generating adversarial examples. It calculates the gradient of the model’s loss and adds a small perturbation in that direction.paloaltonetworks - Is adversarial machine learning only a threat to image recognition models?
No, it’s a threat to all types of machine learning models, including natural language processing (NLP), fraud detection, and speech recognition systems. - What is “differential privacy” and how does it help?
Differential privacy is a technique that adds statistical noise to data to protect the privacy of individuals in the training set. It can help defend against certain types of inference and membership attacks. - How can I start learning AI red teaming?
Begin by understanding the fundamentals of machine learning and adversarial attacks. Then, experiment with open-source tools like ART and participate in AI security CTFs (Capture The Flag competitions). - What is an “inference attack”?
An inference attack attempts to extract sensitive information about the training data from a model’s predictions. For example, deducing a person’s medical history from a healthcare AI’s output. - What is “AI Security Posture Management” (AI-SPM)?
AI-SPM is an emerging category of security tools designed to continuously monitor, assess, and manage the security posture of an organization’s entire portfolio of AI models. - Are cloud-based AI services like OpenAI’s API vulnerable?
Yes, all AI models, including large language models (LLMs) served via APIs, are vulnerable to various forms of adversarial attacks, such as prompt injection and model extraction. - How do I explain the risk of adversarial ML to my company’s board?
Use clear, real-world examples, like the self-driving car story. Focus on the business impact—financial loss, reputational damage, and safety risks—rather than the technical details. - Where can I find the latest research on adversarial machine learning?
Top academic conferences like NeurIPS, ICML, and ICLR are the primary venues for new research. You can also find papers on arXiv and follow security blogs from firms like MITRE and FAANG companies.
