A Deep Dive into Adversarial Attacks in Machine Learning

Abstract— The security and dependability of AI systems are seriously threatened by adversarial machine learning (ML) attacks in several vital areas, including cybersecurity, autonomous cars, and healthcare. These attacks introduce small, frequently undetectable perturbations into the input data, which cause ML models, especially deep learning systems, to predict incorrectly. This work offers a thorough examination of adversarial machine learning attacks. The research divides adversarial attacks into two categories: black-hole and black-box techniques. Black-hole attacks occur when the attacker fully understands the architecture of the model, whereas black-box attacks occur when they do not. Several attack techniques are covered in depth, demonstrating how effectively they can trick models by producing adversarial examples. These techniques include the Jacobian-based Saliency Map Attack (JSMA), Support Vector Machine (SVM), and Fast Gradient Sign Method (FGSM).

I. INTRODUCTION

The concept of "adversarial machine learning" (AML) describes a group of methods for purposefully altering input data in order to trick machine learning (ML) models. In the context of security, this idea is especially pertinent, as attackers might create inputs that lead the machine learning system to classify or predict incorrectly. [1]

Fig. 1. BLOCK DIAGRAM [3]

The Learning Phase and the Prediction Phase are the two main stages of adversarial machine learning depicted in the diagram. During the learning phase, a collection of training data is used to teach the machine learning algorithm the patterns and relationships that will later be used to make predictions. However, a poisoning attack, in which an adversary introduces modified or poisoned data into the training process, might cause the model to learn inaccurate patterns. This undermines the integrity of the model, resulting in vulnerabilities or subpar performance.

To provide predictions, the trained model is given new data during the prediction phase. The adversary can once again step in here by providing adversarial examples, inputs designed specifically to deceive the model. These hostile inputs are deliberately modified to look authentic while producing inaccurate predictions. It is vital to create defensive mechanisms against such attacks, since the adversary's activities in all stages are intended to compromise the model's accuracy and dependability. [2]

Adversarial machine learning has broad applicability in many fields where artificial intelligence is essential for security and decision-making. Adversarial attacks on camera or LiDAR imagery might lead to incorrect perception of objects, people, or road signs in autonomous cars, posing a danger to safety. Adversarial examples in cybersecurity can evade spam filters, malware detection systems, or intrusion detection techniques, reducing the efficacy of these security controls. The growing use of AI systems in sensitive applications highlights the crucial need for adversarial machine learning research. For these models to be deployed safely, it is important that they be secure and reliable against adversary attacks, particularly in mission-critical areas where mistakes might have dire repercussions.

II. LITERATURE SURVEY

Szegedy, C., et al. [1] discuss A Systematic Survey from the Life-cycle Perspective: Adversarial Machine Learning (AML) is the study of how multiple types of attacks may be used to influence machine learning models such that they provide false predictions.

Adversarial Training for Free: This section discusses a strategy, presented in the article, to improve the practicality of adversarial training for large-scale problems like ImageNet. High computational costs are usually associated with adversarial training. [2]

Adversarial Reprogramming of Neural Networks: This section discusses work that addresses adversarial reprogramming, a new class of adversarial attack. In contrast with traditional adversarial attacks, which try to make a model perform worse or generate certain outputs, adversarial reprogramming entails repurposing a neural network to carry out a completely different task that the attacker has selected. [3]

Defense-GAN: Protecting Classifiers Against Adversarial Attacks Using Generative Models: This section discusses the structure of Defense-GAN, which uses generative models to protect deep neural networks against adversarial attacks, as described in the book. [4]

Spectral Normalization for Generative Adversarial Networks: This section discusses the goal of using spectral normalization, which is to solve the instability that frequently arises when training GANs. The approach is a weight normalization technique that integrates easily into current implementations and is computationally efficient. [5]

Adversarial Machine Learning at Scale: This section discusses the purpose of adversarial examples, which is to trick machine learning models using harmful inputs. They frequently transfer between models, which enables attackers to launch black-box attacks without knowing the parameters of the target model. [6]

A Survey of Adversarial Machine Learning in Cyber Warfare: This section discusses an article that addresses the shift in warfare from symmetric to asymmetric, emphasizing the growing dangers to business and the economy posed by automation and big data analytics. [7]

Adversarial Examples Are Not Bugs, They Are Features: This section discusses how adversarial examples have attracted significant attention in machine learning, although the reasons for their existence and pervasiveness remain unclear. [8]

Explaining and Harnessing Adversarial Examples: This section discusses the phenomenon of neural networks misclassifying adversarial examples, inputs that have been slightly altered to deceive the model into making incorrect predictions with high confidence. [9]

Adversarial Machine Learning in Recommender Systems: This section discusses research investigating how adversarial attacks, which try to alter the system's suggestions, might affect recommender systems. The research paper makes contributions to several fields, such as recognizing the effects of data features on robustness. [10]

Adversarial Machine Learning for Cyber Security: This section discusses a paper that focuses on traffic classification in cybersecurity, describing how attackers might manipulate features in network traffic to evade detection by machine-learning-based security. [11]

A Survey of Adversarial Machine Learning in Cyber Warfare: This section discusses how AML involves designing machine learning algorithms to be resilient against attacks in adversarial environments. [12]

Explainable and Reliable Against Adversarial Machine Learning in Data Analytics: This section discusses approaches that aim to improve detection accuracy while minimizing false positives and maintaining robustness in real-world applications such as DNS. [13]

III. PROPOSED METHODOLOGY

In this paper we have used different machine learning algorithms on the same dataset and applied a poisoning attack to each algorithm. The MNIST dataset is one of the most widely used datasets for digit recognition tasks, and it is likely that the dataset referred to as "Numerical Digit" in the table is a dataset used for such tasks. MNIST, which consists of handwritten digits from 0 to 9 in grayscale images, is frequently used in computer vision and machine learning for classification problems. A large number of labelled images are included in the dataset's structured format, which makes it useful for training and testing machine learning models. Seventy thousand images make up the dataset, if it is in fact the MNIST dataset. There are 60,000 images in the training set and 10,000 in the testing set. Every 28x28 pixel grayscale image in the collection has pixel values ranging from 0 (black) to 255 (white). The ten classes in the dataset correspond to the digits 0 through 9. MNIST is a benchmark for assessing machine learning algorithms because of its size and simplicity, particularly when it comes to digit classification tasks.

Fig. 2. BLOCK DIAGRAM []

The diagram illustrates a poisoning attack in adversarial machine learning, highlighting its effects during both the training and test phases. Poisoning samples, which are carefully constructed data points intended to tamper with the learning process, are injected into the training set during the training phase. A biased model is produced when these tainted data are added to the model during training or updates. The biased model receives input during the test phase and generates an output that reflects the attack's impact. This output could demonstrate decreased performance, where the poisoning makes the model's overall performance worse. Alternatively, the adversary can pursue an error-specific attack objective, which focuses on particular inputs or produces specific incorrect results, or an error-generic attack goal, which tries to impair the model's performance generally across a range of activities. The graphic clearly illustrates how bias introduced by poisoning attacks, which may cause either targeted or widespread performance deterioration, might interfere with a machine learning model.

IV. PERFORMANCE ANALYSIS

We conducted our analysis on several ML algorithms in this study by subjecting them to poisoning attacks and observing their accuracy.

The algorithm used here is the Fast Gradient Sign Method (FGSM). In adversarial machine learning, FGSM is a popular attack approach that creates adversarial examples by using a neural network's gradients to change the input data in a way that results in inaccurate model predictions.

A popular kind of supervised machine learning technique for classification and regression applications is the Support Vector Machine (SVM). SVMs can manage complicated datasets and perform especially well in high-dimensional spaces.

Fig. 3. ………

In the diagram, the ϵ values begin at 0.01 and progressively rise to 0.25. The model predicts the correct digit "7" with high test accuracy (98.62%, 97.80%, and 95.11%, respectively) and negligible distortion for the lower ϵ values (0.01, 0.025, 0.05). However, the distortion becomes more noticeable, and the accuracy of the model drastically decreases, when the ϵ values rise above 0.1. The model incorrectly guesses the digit as "3" at ϵ = 0.2 and above, and the accuracy drops to 9.24% at ϵ = 0.25.

The attack used here is again the Fast Gradient Sign Method, described above.

The result of an adversarial attack on a machine learning model intended to identify handwritten digits is depicted in the diagram. Through the introduction of tiny adjustments to the input images, the attack was effective in lowering the accuracy of the model from 93.6% to 50.4%. Despite being invisible to the human eye, these changes managed to trick the model into incorrectly identifying the digits. This shows how susceptible machine learning models are to hostile attacks and emphasizes how crucial it is to create strong defences against them.

The attack used here is again the Fast Gradient Sign Method, described above.

In the graphic, the image is much more distorted as the ϵ value rises from 0.2 to 0.65, making it more difficult for the model to recognize the digit accurately. At first, the test accuracy is 28.77% at ϵ = 0.2, and the model forecasts the digit as "3", an inaccurate prediction. The model continues to predict "3" or mistakenly adjusts the forecast to "2" as the distortion increases, and the test accuracy drastically decreases as ϵ rises, falling as low as 3.62%.
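The ϵ sweep discussed in Section IV above, reproduced on a toy model as an added example that is not part of the original paper: a linear softmax-regression classifier is trained on a constructed four-feature dataset (features in [0, 1], standing in for MNIST pixel intensities), then attacked with one FGSM step, x_adv = clip(x + ϵ·sign(∂L/∂x), 0, 1), at increasing ϵ, and test accuracy is recorded at each value. The dataset, the classifier, and all function names are this example's own assumptions; the point it shows is the same as the figure discussion: accuracy stays high for small ϵ and collapses once ϵ grows.

```python
import math
import random

EPS_VALUES = [0.0, 0.01, 0.025, 0.05, 0.1, 0.2, 0.25]   # mirrors the sweep in Section IV


def make_dataset(n_per_class=60, seed=7):
    """Constructed data: three clusters in [0, 1]^4 standing in for three digit classes."""
    rng = random.Random(seed)
    centers = [(0.2, 0.2, 0.8, 0.8), (0.8, 0.2, 0.2, 0.8), (0.5, 0.8, 0.5, 0.2)]
    xs, ys = [], []
    for label, c in enumerate(centers):
        for _ in range(n_per_class):
            xs.append([min(1.0, max(0.0, ci + rng.gauss(0, 0.12))) for ci in c])
            ys.append(label)
    return xs, ys


def softmax(z):
    m = max(z)
    e = [math.exp(v - m) for v in z]
    s = sum(e)
    return [v / s for v in e]


class SoftmaxClassifier:
    """Linear softmax regression trained by per-sample gradient descent on cross-entropy."""

    def __init__(self, n_features, n_classes):
        self.W = [[0.0] * n_features for _ in range(n_classes)]
        self.b = [0.0] * n_classes

    def logits(self, x):
        return [sum(w * xi for w, xi in zip(row, x)) + bk for row, bk in zip(self.W, self.b)]

    def predict(self, x):
        z = self.logits(x)
        return max(range(len(z)), key=z.__getitem__)

    def fit(self, xs, ys, epochs=100, lr=0.5):
        for _ in range(epochs):
            for x, y in zip(xs, ys):
                p = softmax(self.logits(x))
                for k in range(len(self.b)):
                    g = p[k] - (1.0 if k == y else 0.0)   # dL/dz_k for cross-entropy
                    self.b[k] -= lr * g
                    for j, xj in enumerate(x):
                        self.W[k][j] -= lr * g * xj
        return self

    def input_gradient(self, x, y):
        """dL/dx for the cross-entropy loss: W^T (softmax(z) - onehot(y))."""
        p = softmax(self.logits(x))
        return [sum((p[k] - (1.0 if k == y else 0.0)) * self.W[k][j] for k in range(len(self.b)))
                for j in range(len(x))]


def fgsm(model, x, y, eps):
    """One FGSM step: move every feature by eps in the direction that raises the loss, then clip."""
    def sign(v):
        return (v > 0) - (v < 0)
    return [min(1.0, max(0.0, xi + eps * sign(gi)))
            for xi, gi in zip(x, model.input_gradient(x, y))]


def accuracy(model, xs, ys):
    return sum(model.predict(x) == y for x, y in zip(xs, ys)) / len(xs)


def epsilon_sweep(model, xs, ys, eps_values=EPS_VALUES):
    """Test accuracy on FGSM-perturbed inputs for each eps (eps = 0.0 is the clean baseline)."""
    return {eps: accuracy(model, [fgsm(model, x, y, eps) for x, y in zip(xs, ys)], ys)
            for eps in eps_values}


def prediction_trace(model, x, y, eps_values=EPS_VALUES):
    """Predicted label of one sample as eps grows, like the '7' turning into '3' in Fig. 3."""
    return [model.predict(fgsm(model, x, y, eps)) for eps in eps_values]


def run_demo():
    train_x, train_y = make_dataset(seed=7)
    test_x, test_y = make_dataset(seed=8)      # held-out set, separate seed
    model = SoftmaxClassifier(n_features=4, n_classes=3).fit(train_x, train_y)
    sweep = epsilon_sweep(model, test_x, test_y)
    return model, sweep, prediction_trace(model, test_x[0], test_y[0])


if __name__ == "__main__":
    _, sweep, trace = run_demo()
    for eps, acc in sweep.items():
        print(f"eps={eps:<5} test accuracy={acc:.2%}")
    print("prediction for test sample 0 across eps:", trace)
```

The gradient is computed analytically because the model is linear; for a deep network the same `input_gradient` role is played by backpropagation to the input layer. Because FGSM perturbs every feature by the full ϵ regardless of gradient magnitude, the loss increase on a linear model grows roughly with ϵ times the L1 norm of the weight difference between classes, which is why a small ϵ is enough to cross the decision boundary.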
An adversarial attack on a machine learning model that was trained to identify handwritten digits is depicted in the diagram. The attack included tiny changes to the input images, which successfully decreased the accuracy of the model from 82.6% to 15.8%. Despite being invisible to the human eye, these changes managed to trick the model into incorrectly identifying the digits. This shows how susceptible machine learning models are to hostile attacks and emphasizes how crucial it is to create strong defences against them.

A mathematical concept known as the Jacobian matrix has uses in machine learning and other domains. The Jacobian matrix is widely used in gradient-based optimization techniques in machine learning, including neural network backpropagation.

An adversarial attack on a machine learning model that was trained to identify handwritten digits is depicted in the diagram. By subtly altering the input images, the attack was able to lower the model's accuracy from 94% to 91.8%. Despite being invisible to the human eye, these changes managed to trick the model into incorrectly identifying a few of the digits. This shows how susceptible machine learning models are to hostile attacks and emphasizes how crucial it is to create strong defences against them.

A potent adversarial attack technique, the Carlini-Wagner (CW) attack creates perturbations that are invisible to humans but have the potential to seriously confuse machine learning algorithms.

An adversarial attack on a machine learning model that was trained to identify handwritten digits is depicted in the diagram. Through the introduction of tiny adjustments to the input images, the attack was effective in lowering the accuracy of the model from 91.5% to 90.08%. Despite being invisible to the human eye, these changes managed to trick the model into incorrectly identifying a few of the digits. This shows how susceptible machine learning models are to hostile attacks and emphasizes how crucial it is to create strong defences against them.

A branch of artificial intelligence known as "logic-based machine learning" blends the ideas of machine learning with logic to produce intelligent systems that can reason and decide using logical patterns and rules.

An adversarial attack on a machine learning model that was trained to identify handwritten digits is depicted in the diagram. The attack included small changes to the input images, which successfully decreased the accuracy of the model from 93.8% to 92.8%. Despite being invisible to the human eye, these changes managed to trick the model into incorrectly identifying a few of the digits. This illustrates how susceptible machine learning models are to hostile attacks and emphasizes how crucial it is to create strong defences against them.
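The poisoning attack of Section III (Fig. 2) and the before/after accuracy comparison that Section IV reports for each classifier, as an added example that is not part of the original paper: a 1-nearest-neighbour classifier on a constructed two-class dataset is trained once on clean data and once on data whose labels were partly flipped by the adversary, and the test accuracy of both is compared. A defender's data-sanitisation step, a k-nearest-neighbour label-consistency filter, is then applied to the poisoned training set before retraining, and the number of flipped points it catches is reported. The dataset, the classifier, the flip fraction and the filter are assumptions of this example, not the paper's setup.

```python
import random


def make_data(n_per_class=60, seed=1):
    """Constructed data: two Gaussian clusters in [0, 1]^2 standing in for two digit classes."""
    rng = random.Random(seed)
    data = []
    for label, (cx, cy) in enumerate([(0.25, 0.25), (0.75, 0.75)]):
        for _ in range(n_per_class):
            data.append(([cx + rng.gauss(0, 0.1), cy + rng.gauss(0, 0.1)], label))
    return data


def sq_dist(a, b):
    return sum((u - v) ** 2 for u, v in zip(a, b))


def poison_by_label_flip(data, fraction, seed=3):
    """Attacker model from Fig. 2: a fraction of training labels is flipped before training.
    Returns the poisoned set and the flipped indices (ground truth used only for evaluation)."""
    rng = random.Random(seed)
    flipped = set(rng.sample(range(len(data)), int(fraction * len(data))))
    return [(x, 1 - y if i in flipped else y) for i, (x, y) in enumerate(data)], flipped


class OneNearestNeighbour:
    """Memorising learner: every training label, poisoned or not, directly shapes predictions."""

    def fit(self, data):
        self.data = list(data)
        return self

    def predict(self, x):
        return min(self.data, key=lambda d: sq_dist(x, d[0]))[1]


def accuracy(model, data):
    return sum(model.predict(x) == y for x, y in data) / len(data)


def knn_label_filter(data, k=7):
    """Defender's sanitisation step: drop every training point whose label disagrees with the
    majority of its k nearest neighbours. Returns the kept points and the flagged indices."""
    kept, flagged = [], set()
    for i, (x, y) in enumerate(data):
        neighbours = sorted((sq_dist(x, x2), y2) for j, (x2, y2) in enumerate(data) if j != i)[:k]
        agree = sum(1 for _, y2 in neighbours if y2 == y)
        if agree * 2 > k:
            kept.append((x, y))
        else:
            flagged.add(i)
    return kept, flagged


def run_experiment(flip_fraction=0.3):
    """Clean baseline -> poisoned training -> sanitised retraining, all scored on held-out data."""
    train, test = make_data(seed=1), make_data(seed=2)
    clean_acc = accuracy(OneNearestNeighbour().fit(train), test)
    poisoned, flipped = poison_by_label_flip(train, flip_fraction)
    poisoned_acc = accuracy(OneNearestNeighbour().fit(poisoned), test)
    sanitised, flagged = knn_label_filter(poisoned)
    recovered_acc = accuracy(OneNearestNeighbour().fit(sanitised), test)
    return {
        "clean_accuracy": clean_acc,
        "poisoned_accuracy": poisoned_acc,
        "sanitised_accuracy": recovered_acc,
        "flipped": flipped,
        "flagged": flagged,
        "detected": flipped & flagged,
    }


if __name__ == "__main__":
    r = run_experiment()
    print(f"clean accuracy:     {r['clean_accuracy']:.2%}")
    print(f"poisoned accuracy:  {r['poisoned_accuracy']:.2%}")
    print(f"sanitised accuracy: {r['sanitised_accuracy']:.2%}")
    print(f"flipped labels detected: {len(r['detected'])} of {len(r['flipped'])} "
          f"({len(r['flagged'])} points dropped in total)")
```

A 1-NN learner is used on purpose: it has no averaging to dilute the poison, so the accuracy drop is about the flip fraction, which makes the effect of sanitisation easy to see. The same filter also discards some honest points whose neighbourhood happens to be heavily poisoned, so in practice the dropped set should be reviewed rather than silently deleted.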

Analysis table

Table 1. …………

The table above shows that the MNIST dataset was used and that several attack types, such as poison, black-hole, and black-box attacks, were applied. The ability of several machine learning algorithms, including FGSM, SVM, LLA, CWA, and JBSMA, to identify and counteract these attacks was assessed. The detection rates, which range from 15.8% to 95%, demonstrate the difficulty of thwarting hostile attempts and the demand for stronger and more efficient defences.

Bar Graph

For several machine learning models, the graphic contrasts the initial accuracy with the accuracy following an attack. The findings demonstrate that the susceptibility of various models to adversarial attacks varies. Following the attack, certain models, like the Support Vector Machine and Fast Gradient Sign Method, saw sharp declines in accuracy, while others, like the Logic Learning Machine, showed more resistance. These results highlight how crucial it is to have strong defences to shield machine learning systems against hostile attacks.

V. CONCLUSION

Critical problems in machine learning models have been exposed via adversarial machine learning, especially in domains like computer vision, natural language processing, and autonomous systems. Adversarial attacks can lead to models producing inaccurate predictions or classifications, since they involve tiny, sometimes unnoticeable modifications to the input data. The security and resilience of AI systems have come under intense scrutiny as a result, particularly in fields where human safety is at stake, including cybersecurity, healthcare, and autonomous driving. The examination of several algorithms in the table illustrates the vast range of efficacy of protection measures against adversarial attacks. More sophisticated adversarial methods, such as poisoning attacks, can be difficult to defeat by conventional algorithms like FGSM, even though they could be effective in some situations. Nonetheless, sophisticated algorithms like LLA, CWA, and JBSMA have shown encouraging outcomes, attaining high

VI. FUTURE SCOPE

1. Improved Defense Mechanisms: Although successful against some attacks, current defenses frequently fall short against a variety of hostile techniques. Subsequent investigations will probably concentrate on creating more resilient, all-encompassing defensive systems that can shield models against a wide range of threats, including invisible ones.

2. Adversarial Training: Adversarial training, in which models are trained on adversarial cases to increase their resilience, is one potential method. On clean data, though, it frequently degrades model performance and is computationally costly. Further developments in this field may result in more effective techniques that improve robustness without compromising accuracy.

3. Explainability and Interpretability: Determining the reasons behind models' susceptibility to adversarial attacks is essential to creating resilient defences. Subsequent studies might concentrate on enhancing the interpretability of deep learning models in order to pinpoint areas where they make mistakes and strengthen their defences against intrusions.

4. Real-Time Detection and Response: Creating systems that can identify and counteract hostile attacks instantly is essential for deploying artificial intelligence in high-risk settings like financial markets, drones, and driverless cars.

5. Transferability of Attacks: Many adversarial attacks that trick one model also trick another, which is known as transferability. Subsequent studies might investigate methods to stop attack transferability, strengthening models' resilience to other architectures.

6. Ethical and Policy Implications: There will be increasing debates over the moral ramifications and regulatory frameworks required to guard against the malevolent use of adversarial machine learning in vital industries like banking, healthcare, and defence as these attacks get more complex.

REFERENCES

[1] Szegedy, C., Zaremba, W., Sutskever, I., et al. (2014). "Intriguing properties of neural networks." arXiv:1312.6199
[2] Goodfellow, I. J., Shlens, J., Szegedy, C. (2015). "Explaining and harnessing adversarial examples." arXiv:1412.6572
[3] Kurakin, A., Goodfellow, I., Bengio, S. (2017). "Adversarial machine learning at scale." arXiv:1611.01236
[4] Carlini, N., Wagner, D. (2017). "Towards evaluating the robustness of neural networks." arXiv:1608.04644
[5] Papernot, N., McDaniel, P., Jha, S., et al. (2016). "The Limitations of Deep Learning in Adversarial Settings." arXiv:1511.07528
[6] Madry, A., Makelov, A., Schmidt, L., et al. (2018). "Towards deep learning models resistant to adversarial attacks." arXiv:1706.06083
[7] Ian J. Goodfellow, Yoshua Bengio, Aaron Courville (2016). "Deep Learning." Deep Learning Book
[8] Akhtar, N., Mian, A. (2018). "Threat of Adversarial Attacks on Deep Learning in Computer Vision: A Survey." arXiv:1801.00553
[9] Qiu, S., Liu, Q., Zhou, S., Wu, C. (2019). "Review of Artificial Intelligence Adversarial Attack and Defense Technologies." arXiv:1909.08072
[10] Yuan, X., He, P., Zhu, Q., Li, X. (2019). "Adversarial Examples: Attacks and Defenses for Deep Learning." IEEE Access
[11] Xueli Shi, Zhi Li, Yi Wang, Yu Lu, Li Zhang, "A Robust Adversarial Defense Algorithm for Enhancing Salient Object Detection in Remote Sensing Image", IEEE Transactions on Geoscience and Remote Sensing, vol. 62, pp. 1-14, 2024.
[12] Amira Guesmi, Ioan Marius Bilasco, Muhammad Shafique, Ihsen Alouani, "AdvART: Adversarial Art for Camouflaged Object Detection Attacks", 2024 IEEE International Conference on Image Processing (ICIP), pp. 666-672, 2024.
[13] Nandish Chattopadhyay, Amira Guesmi, Muhammad Shafique, "Anomaly Unveiled: Securing Image Classification against Adversarial Patch Attacks", 2024 IEEE International Conference on Image Processing (ICIP), pp. 929-935, 2024.
[14] https://www.researchgate.net/figure/Adversarial-Machine-Learning_fig1_318227376
[15] https://www.researchgate.net/figure/Overview-of-poisoning-attacks_fig2_340625046

[5] Papernot, N., McDaniel, P., Jha, S., et al.


(2016). ”The Limitations of Deep Learning
in Adversarial Settings arXiv:1511.07528

[6] Madry, A., Makelov, A., Schmidt, L., et


al. (2018). ”Towards deep learning models
resistant to adversarial attacks.”
arXiv:1706.06083

[7] Ian J. Goodfellow, Yoshua Bengio, Aaron


Courville (2016). ”Deep Learning.” Deep
Learning Book

[8] Akhtar, N., Mian, A. (2018). ”Threat of


Adversarial Attacks on Deep Learning in
Computer Vision: A Survey.”
arXiv:1801.00553
