Adversarial ML exploits a fundamental property of neural networks: small, imperceptible changes to inputs can cause completely wrong outputs. An image of a panda, modified by adding carefully computed noise invisible to humans, gets classified as a gibbon with 99% confidence. The key insight from Goodfellow et al. (2014) is that this vulnerability stems from the linear nature of neural networks, not from overfitting or nonlinearity.

Evasion attacks — Bypass malware detectors, content filters, or safety classifiers
Physical-world attacks — Fool autonomous vehicle perception systems
LLM attacks — Gradient-based suffixes that jailbreak aligned language models
Transferability — Attacks crafted on one model often work on completely different models

FGSM is the simplest and fastest gradient-based attack. It computes the gradient of the loss function with respect to the input, then takes the sign of that gradient and scales it by a small epsilon (ε). This single-step perturbation pushes the input in the direction that maximally increases the model’s loss — causing misclassification.

Published in December 2014, FGSM was one of the first practical adversarial attacks. Its simplicity (one gradient computation) made it foundational for the entire field. The paper also showed that adversarial training — augmenting training data with FGSM examples — could improve robustness, establishing the attack-defense dynamic that continues today.

PGD is essentially FGSM applied iteratively. Instead of one big step, it takes many small gradient steps, projecting back onto the allowed perturbation ball (ε-ball) after each step. This iterative approach finds much stronger adversarial examples than FGSM’s single step. Madry et al. framed adversarial robustness as a robust optimization problem: min_θ max_δ∈Δ L(θ, x+δ, y).

PGD became the gold standard for evaluating adversarial defenses. If a defense can’t withstand PGD, it’s not considered robust. The paper also showed that adversarial training with PGD examples produces models with “significantly improved resistance to a wide range of adversarial attacks.” Code and pre-trained models were released publicly.

While FGSM/PGD maximize loss, C&W directly minimizes the perturbation size while ensuring misclassification. It formulates adversarial example generation as an optimization problem with three variants for different distance metrics: L₂, L_∞, and L₀. This produces smaller, harder-to-detect perturbations than PGD.

C&W achieved 100% success rate against both standard and defensively distilled neural networks. Defensive distillation had claimed to reduce attack success from 95% to 0.5% — C&W showed this was an illusion. The attack became the benchmark for evaluating whether a defense is truly robust or just obfuscating gradients.

Greedy Coordinate Gradient (GCG) bridges classical adversarial ML and LLM security. Instead of perturbing pixel values, it appends optimized token sequences (adversarial suffixes) to harmful prompts. These suffixes are gibberish to humans but maximize the probability that the model produces an affirmative response instead of refusing. The method uses gradient information to greedily search over token substitutions.

The most striking finding: suffixes optimized on open-source models (Vicuna-7B and 13B) successfully jailbreak closed-source models including ChatGPT, Bard, Claude, and LLaMA-2-Chat. The authors hypothesize that transferability to GPT models is particularly high because Vicuna was trained on ChatGPT outputs.

Adversarial attacks aren’t limited to digital inputs. Researchers have demonstrated physical adversarial patches that fool autonomous driving perception systems. The ControlLoc attack (2024) achieved ~98% success in controlled conditions and ~77.5% in real-world outdoor tests against multi-object tracking, with vehicle collision rates averaging 81.3%. Tesla’s Autopilot has been misled by physical stickers on roads.

Adversarial examples often transfer between models. An attack crafted on ResNet may fool VGG, Inception, or even a completely different architecture. This enables black-box attacks: the attacker doesn’t need access to the target model’s gradients — they craft the attack on a surrogate model and it transfers. GCG demonstrated this for LLMs: suffixes from Vicuna jailbreak ChatGPT.

Adversarial Tokenization (2025): Exploits alternative subword tokenizations to evade safety filters without changing the text itself. E.g., “penguin” tokenized as [peng,uin] instead of [p,enguin].

Charmer (2024): Character-level query-based attacks that maintain semantic similarity while fooling both small (BERT) and large (LLaMA 2) models.

Attention-layer exploitation (2025): Generates adversarial examples directly from intermediate attention layers.

The primary defense: train on adversarial examples so the model learns to be robust. PGD-based adversarial training (Madry et al.) remains the most effective approach. However, it comes with a well-documented accuracy-robustness tradeoff: models that resist adversarial inputs perform worse on clean inputs. This tradeoff persists even with advanced techniques like TRADES.

Research identifies two root causes: gradient conflict between robustness and accuracy objectives during training, and the mixture distribution problem from using the same batch normalization for clean and adversarial inputs. Emerging solutions include split-BatchNorm architectures and selective layer updating, but no approach has fully resolved the tradeoff.

AttackBench is the first standardized framework for fairly comparing adversarial attacks. It evaluates 20 gradient-based attacks across 102 implementations and 815 configurations on CIFAR-10 and ImageNet. Key finding: only a few attacks consistently outperform all others, and many implementations have bugs preventing optimal performance. Source: attackbench.github.io