Testing the limits: exploring adversarial techniques in AI models
Apostolis Zarras¹, Athanasia Kollarou¹, Aristeidis Farao², Panagiotis Bountakas¹ and Christos Xenakis¹
¹ University of Piraeus, Piraeus, Greece
² InQbit Innovations SRL, Bucharest, Romania
ABSTRACT
The rising adoption of artificial intelligence and machine learning in critical sectors underscores the pressing need for robust systems capable of withstanding adversarial threats. While deep learning architectures have revolutionized tasks such as image recognition, their susceptibility to adversarial techniques remains an open challenge. This article evaluates the impact of various adversarial methods, including the fast gradient sign method, projected gradient descent, DeepFool, and Carlini & Wagner, on five neural network models: a fully connected neural network, LeNet, Simple convolutional neural network (CNN), MobileNetV2, and VGG11. Using the EVAISION tool explicitly developed for this research, these attacks were implemented and analyzed based on accuracy, F1-score, and misclassification rate. The results revealed varying levels of vulnerability across the tested models, with simple architectures occasionally outperforming more complex ones. These findings emphasize the importance of selecting the most appropriate adversarial technique for a given architecture and customizing the associated attack parameters to achieve optimal results in each scenario.
Subjects Artificial Intelligence, Computer Vision, Data Mining and Machine Learning
Keywords Adversarial attacks, Misclassification, Cybersecurity
INTRODUCTION
In recent years, artificial intelligence (AI) and machine learning (ML) have gained considerable popularity and have been integrated into a wide range of sectors, transforming the way many industries operate by powering applications (Bountakas et al., 2023) in areas such as image recognition, natural language processing, healthcare, and autonomous vehicles. These applications rely on algorithms that analyze large volumes of training data to identify patterns and make predictions. Deep learning (DL), a subfield of ML, utilizes multilayered neural networks to handle complex data and solve intricate problems. This capability has proved highly effective in tasks including image classification and speech recognition (Charalambous et al., 2022).
Despite the remarkable advances in AI and ML, these models exhibit specific vulnerabilities that can compromise their reliability and robustness. The complexity of these systems poses significant challenges in ensuring smooth operation while upholding high-security standards, an issue of particular concern in domains where models support critical functions. In this context, models face significant limitations arising from their inherent operational characteristics and the intentional exploitation of these weaknesses through adversarial techniques (Petihakis et al., 2024).
How to cite this article Zarras A, Kollarou A, Farao A, Bountakas P, Xenakis C. 2025. Testing the limits: exploring adversarial techniques in AI models. PeerJ Comput. Sci. 11:e3330 DOI 10.7717/peerj-cs.3330
Submitted 30 May 2025
Accepted 3 October 2025
Published 31 October 2025
Corresponding author
Apostolis Zarras, [email protected]
Academic editor
Consolato Sergi
Additional Information and Declarations can be found on page 31
DOI 10.7717/peerj-cs.3330
Copyright
2025 Zarras et al.
Distributed under
Creative Commons CC-BY 4.0
From an internal perspective, the sensitivity of DL architectures to minimal perturbations can result in misclassifications or unpredictable behavior (Suciu et al., 2022). This challenge becomes even more pressing when models fail to generalize effectively to real-world conditions, such as noisy or anomalous data, often due to overfitting on curated datasets. Furthermore, the opacity of these models, often called the black-box problem, hampers interpretability and undermines trust in the decision-making process. Externally, adversarial techniques exploit these vulnerabilities by introducing stealthy modifications that cause models to misbehave at inference time (evasion attacks), corrupt training data (poisoning attacks), or steal proprietary models or sensitive information (model extraction and inference attacks) (Bountakas et al., 2023).
A particularly concerning category of attack involves adversarial examples. First described by Szegedy (2013), these are intentionally crafted inputs containing undetectable perturbations to subvert the classification process. Subsequent research (Lin et al., 2017; Dong et al., 2018) has reinforced these findings, demonstrating the ease with which adversarial examples can compromise real-world systems.
AI-based systems have been linked to various cybersecurity incidents over the years. In 2025, OmniGPT, an AI chatbot service, reportedly experienced a data breach in which a hacker claimed to have accessed users' billing information and credentials (Sharma, 2025). Similarly, in 2024, Muah.AI, a platform for creating AI-generated virtual partners, was compromised, affecting 1.9 million users, and exposing data suggesting that some individuals were generating illicit content (Palmer & Church, 2024). Furthermore, a study by Palisade Research revealed that in strategy games such as chess and go, older AI models (e.g., OpenAI's GPT-4o and Anthropic's Claude Sonnet 3.5) required prompting from researchers to attempt cheating tactics. However, more recent models, including o1-preview and DeepSeek R1, pursued exploits without prompting, indicating that AI systems may develop deceptive or manipulative strategies independently of explicit human instruction (Booth, 2025).
In response, several defense mechanisms have emerged to enhance the resilience of AI models against such threats (Bountakas et al., 2023; Pantelakis et al., 2023). A common strategy is adversarial training (Goodfellow, Shlens & Szegedy, 2014; Hussain, Shang & Hong, 2025), which augments the training dataset with adversarial examples, helping models recognize and resist malicious inputs. Distillation (Hinton, Vinyals & Dean, 2015; Papernot et al., 2016) represents another popular approach, wherein outputs from one model are used to train another, smoothing decision boundaries and diminishing susceptibility to gradient-based attacks. Additional methods, such as gradient masking (Lee, Bae & Yoon, 2020; Zhang et al., 2025), feature compression (Bhagoji et al., 2018; Chuah et al., 2022), and noise reduction (Joshi et al., 2022), focus on obfuscating the critical details exploited by attackers or removing adversarial changes prior to model processing.
Nonetheless, existing defense mechanisms suffer from limitations that constrain their real-world efficacy. For instance, adversarial training typically targets specific attack types and thus is less effective against evolving threats. Defensive distillation or similar methods can reduce a model's accuracy on benign data, which is problematic for applications demanding both robustness and high precision. Moreover, computational inefficiency
Zarras et al. (2025), PeerJ Comput. Sci., DOI 10.7717/peerj-cs.3330 2/37
remains a concern, particularly in large-scale or real-time applications, where the significant resource demands of defensive methods can be impractical. These challenges are compounded by the fragmented manner in which many defenses are tested, focusing on narrow attack scenarios or specific model types. Such a restricted perspective impedes our understanding of how diverse models fare across different adversarial conditions.
Overall, the identified AI/ML cybersecurity-related gaps can be summarized as follows: (i) Adversaries can manipulate inputs to deceive AI/ML models; (ii) AI/ML models often process sensitive data, making them attractive cybersecurity targets; (iii) adversaries can steal, replicate, or exploit proprietary AI models; (iv) many AI models function as black boxes, complicating the detection of malicious activities; (v) excessive reliance on third-party datasets, libraries, and hardware, which may have been previously compromised; (vi) AI systems are often based on minimal or no prior robustness tests (i.e., against adversarial attacks). In response to these gaps, this article investigates the impact of various adversarial techniques on different neural network architectures. Specifically, we have designed and implemented EVAISION, a custom evaluation tool engineered to execute adversarial attacks systematically on selected architectures and evaluate their resilience using predefined performance metrics¹.
¹ The source code of EVAISION can be found at https://github.com/UniPiSSL/testing-the-limits-evAIsion.
In summary, we make the following main contributions:
• We categorize existing adversarial techniques that aim to exploit vulnerabilities in ML and DL models.
• We define security requirements for tools dedicated to performing adversarial AI attacks to ensure the tools' proper functionality and ethical use.
• We design and develop EVAISION, a tool for executing adversarial techniques and testing models.
• We perform a comparative analysis of adversarial AI evasion attacks in three discrete datasets (MNIST (Lecun et al., 1998), Fashion-MNIST (Xiao, Rasul & Vollgraf, 2017), and CIFAR-10 (Krizhevsky, 2009)).
The remainder of this article is organized as follows. ‘Background’ outlines the key theoretical foundations and provides the contextual background necessary for understanding this research. ‘Design and Development’ details the methodological approach. ‘Performance Evaluation’ presents the results and discusses the key findings. In ‘Real-World Impact of Adversarial AI Attacks’, the real-world implications of this study are examined, while ‘Discussion and Limitations’ discusses the limitations of the proposed approach and suggests avenues for future research. ‘Related Work’ reviews relevant literature. Finally, ‘Conclusion’ concludes the article, summarizing the main contributions.
BACKGROUND
The rapid advancement of AI and ML has enabled their adoption across a broad spectrum of fields, including healthcare, finance, and autonomous systems. Despite these transformative capabilities, AI models remain susceptible to adversarial threats that can undermine their integrity and reliability. Consequently, a solid understanding of the foundational principles of AI, its core methodologies, and the associated security challenges is essential for evaluating the robustness of these models against adversarial attacks. This section provides an overview of fundamental AI and ML concepts, examining the key components of DL architectures. Following this, we introduce the concept of adversarial machine learning (AML), which examines adversaries' techniques to exploit model vulnerabilities. By establishing this foundational knowledge, we highlight the importance of adversarial threats and their broader implications for AI-driven systems.
Fundamentals
AI encompasses the design of computational systems capable of performing tasks that typically require human intelligence, such as decision-making, problem-solving, and pattern recognition. At the core of AI lies ML (see Fig. 1), a subset that trains models to learn patterns from data in order to make predictions or classifications. Within ML, DL constitutes a specialized subfield that leverages artificial neural networks with multiple layers to capture complex relationships in data.
DL architectures such as convolutional neural networks (CNNs) are particularly well-suited to tasks involving image data. These networks transform input data through a series of interconnected layers, relying on two key operations: (i) convolution, a mathematical operation that extracts spatial features, enabling the network to detect edges, textures, and other distinctive patterns (Lecun et al., 1998) and (ii) pooling, which reduces the spatial dimensions of feature maps while retaining essential information, thereby decreasing computational complexity (Krizhevsky, Sutskever & Hinton, 2012).
Figure 1 Correlation among AI, ML, and DL (diagram labels: Artificial Intelligence, Machine Learning, Deep Learning). Full-size DOI: 10.7717/peerj-cs.3330/fig-1
To enable effective learning, activation functions, such as the rectified linear unit (ReLU), introduce non-linearity by mapping negative inputs to zero, thereby allowing the model to capture more complex patterns. Another central concept in DL is optimization, where the model's parameters are iteratively adjusted to minimize a loss function, such as cross-entropy loss. This loss function measures the discrepancy between the model's predictions and the actual labels, guiding training toward improved performance (Goodfellow et al., 2016).
Optimization algorithms like stochastic gradient descent (SGD) and Adam help fine-tune the model's weights efficiently. While SGD updates parameters incrementally on small batches of data, Adam employs adaptive learning rates, making it particularly effective for large-scale datasets. By applying these techniques, CNNs have achieved exceptional results in image classification tasks. For instance, models trained on the MNIST dataset, which consists of grayscale images of handwritten digits, are widely used to benchmark classification accuracy and evaluate resilience to adversarial attacks (Lecun et al., 1998).
Adversarial machine learning
AML primarily investigates the vulnerabilities of ML models and their capacity to withstand intentionally crafted inputs, often referred to as adversarial examples (Bountakas et al., 2023; Farao et al., 2024). These examples involve subtle perturbations that prompt models to make erroneous predictions, even though the modifications are nearly imperceptible to the human eye. Adversarial examples can severely undermine ML systems in numerous domains (Wang et al., 2023); for instance, minimal alterations to an image can lead a CNN to misclassify the image with high confidence. Even a slight adjustment to an image of the digit 3 can cause the model to mistakenly recognize it as a 5. Such adversarial techniques can also be employed in physical settings. Examples include using laser beams to manipulate traffic sign recognition systems or crafting adversarial channel state information (CSI) inputs to mislead Internet of Things (IoT)-based deep neural networks (DNNs). Adversarial attacks may target various stages of the ML lifecycle. During the training phase, poisoning attacks involve injecting malicious data into the training set, thereby producing compromised or biased models (Biggio, Nelson & Laskov, 2012). In the testing or inference phase, evasion attacks modify inputs in ways that force the model to misclassify, even though these modifications are often imperceptible to human observers (Goodfellow et al., 2016). Furthermore, adversarial methods such as model extraction and inference attacks directly exploit the model by replicating its behavior or extracting sensitive information (Tramèr et al., 2016).
To address these threats, researchers are actively exploring various defensive strategies to bolster model robustness. Wu et al. (2023) systematically review these approaches, categorizing them based on their position in the ML lifecycle. Their framework highlights defenses that span pre-training, training, and post-training stages, emphasizing a proactive and holistic strategy for safeguarding ML systems.
Adversarial techniques
Adversarial techniques comprise a broad spectrum of methods that exploit vulnerabilities in ML models to degrade their performance or extract sensitive information. These methods can manifest at any stage of the ML lifecycle, spanning from the contamination of training data to the manipulation of model inputs during inference. Moreover, adversarial methods are often classified by the attacker's level of knowledge about the model (yielding white-box and black-box attacks) or by the type of output being manipulated, such as scores or decisions. In this subsection, we examine the principal categories of adversarial techniques, including evasion attacks, poisoning attacks, model extraction attacks, and inference attacks, and underscore how each class exploits distinct vulnerabilities within ML systems.
Overview of adversarial techniques
Adversarial techniques exploit vulnerabilities in ML models to compromise their performance or extract sensitive information. These methods encompass various approaches to deceive or manipulate models at various stages of their lifecycle, from training to deployment. Adversarial techniques can be categorized using multiple criteria, including the adversary's knowledge of the model (i.e., knowledge-based categories), the type of model output, or the specific goals of the attack, among others.
Based on the adversary's knowledge of the model, adversarial techniques are commonly categorized into white-box attacks and black-box attacks (Kotyan, 2023). In white-box attacks, the adversary possesses comprehensive knowledge of the model, including its architecture and parameters. Such insight enables the precise crafting of adversarial examples to exploit the model's vulnerabilities. A well-known technique in this context is the fast gradient sign method (FGSM), which calculates the loss gradients with respect to the input to produce malicious perturbations. In particular, in the white-box pipeline, the adversary is assumed to possess complete knowledge of the target model, including its architecture, parameters, and the ability to compute exact input gradients via backpropagation. Within this setting, the adversarial objective can be formulated as either untargeted or targeted. In the untargeted case, the adversary seeks to maximize the classification loss in order to induce any misclassification, whereas in the targeted case, the objective is to minimize the loss toward a specific target class. Additionally, all adversarial examples are restricted to the valid input domain to preserve semantic similarity with the original inputs. Given clean samples and their corresponding ground-truth labels, the preprocessing steps applied by the model, such as normalization, resizing, or data type transformations, must be accurately replicated during the attack to ensure correct gradient computation. The perturbation is then obtained by optimizing the chosen objective function using gradient-based techniques. The success of generated adversarial inputs is typically evaluated using metrics such as the accuracy for untargeted attacks, or the percentage of inputs classified into the desired target class for targeted attacks. Overall, the white-box attack pipeline represents the most powerful adversarial setting, establishing an upper bound on model vulnerability and serving as a benchmark for evaluating the robustness of machine learning systems.
By contrast, black-box attacks occur when the adversary lacks direct access to the model's internal structure and parameters (Bountakas et al., 2023). Instead, the attacker must rely on querying the model and analyzing its outputs to infer decision boundaries. A common strategy involves training a surrogate model to approximate the target model's behavior, allowing adversaries to develop and evaluate adversarial examples without explicit knowledge of the original model's inner workings. More precisely, in the black-box pipeline, the adversary is assumed to have no access to the internal architecture, parameters, or gradients of the target model and can only interact with it through its outputs. Depending on the level of feedback available, black-box attacks can be categorized into three main strategies. The first is transfer-based attacks, where the adversary cannot directly query the target model but instead trains a surrogate model on data from a similar distribution. Adversarial examples are crafted on the surrogate model using white-box techniques and are then transferred to the target model, relying on the transferability property of adversarial examples. The second category is score-based attacks, where the adversary can query the target model and obtain confidence scores or logits. In this setting, the attacker estimates approximate gradients by analyzing the variations in the model's output scores when small perturbations are applied to the inputs and then uses these estimated gradients to iteratively generate adversarial examples. The third category is decision-based attacks, where only the predicted class labels are accessible. These attacks typically start from a heavily perturbed input that is already misclassified and iteratively reduce the perturbation magnitude while ensuring the example remains adversarial, using techniques such as the Boundary Attack.
While white-box access is typically unattainable in real-world settings, attackers may still obtain limited information, such as a subset of input features, output class labels, or, in the case of DNNs, intermediate representations from hidden layers. This partial insight allows adversaries to develop more informed attack strategies than in black-box settings while operating under realistic constraints. This is widely known as the gray-box attack. Here, the adversary has partial knowledge of the target model but lacks full access to its internal parameters or complete architecture. In this setting, the attacker may know aspects such as the backbone network, data distribution, preprocessing techniques, or normalization statistics, but other components, such as task-specific heads or stochastic defenses, remain unknown. Limited queries to obtain labels or confidence scores may also be permitted under strict constraints. The attack can be either untargeted, aiming to induce any misclassification, or targeted, forcing predictions into a specific class, while ensuring perturbations remain visually imperceptible and valid within the input domain. To exploit available knowledge, the adversary typically builds a calibrated surrogate model aligned with the known properties of the target system. When possible, the surrogate is refined through fine-tuning, synthetic data generation, or distillation from limited queries. For non-differentiable components or randomized defenses. Compared to white-box attacks, gray-box scenarios are more challenging but also more realistic, bridging the gap between fully transparent systems and complete black-box settings.
Adversarial attacks can also be grouped by their strategy, defining their implementation and objectives. Evasion attacks introduce small, often imperceptible perturbations to data
during inference to mislead the model. Poisoning attacks compromise the training process by injecting malicious samples into the dataset. Model extraction attacks replicate a proprietary model by querying it and subsequently training a substitute. Finally, inference attacks (e.g., membership or model inference and attribute inference) aim to glean sensitive information from the model, such as whether a specific record was included in the training set.
Categories of adversarial techniques
Adversarial techniques exploit specific vulnerabilities in ML models, often targeting their behavior in various ways. While the spectrum of adversarial methods is extensive, this section concentrates on four key attack strategies—evasion attacks, poisoning attacks, model extraction attacks, and inference attacks—that exemplify adversaries' diverse approaches to compromise models.
Evasion Attacks. Evasion attacks exploit ML models' vulnerabilities during inference by introducing small, carefully designed perturbations to the input data. While these perturbations usually remain imperceptible to the human eye, they are crafted to deceive the model into making incorrect predictions or classifications. By targeting a model's decision boundaries, attackers can push inputs across these boundaries with minimal modifications, thereby causing a significant degradation in the model's performance. For instance, an adversary could subtly alter an image of a stop sign so that a computer vision model, potentially integrated into an autonomous vehicle, misclassifies it as a yield sign (Papernot et al., 2017). Such scenarios can lead to dangerous real-world consequences.
Evasion attacks fundamentally rely on gradient-based methods. Attackers compute the gradient of the model's loss function with respect to the input data to determine the direction that maximally increases the model's error. By applying a perturbation aligned with this direction, they create adversarial examples that appear visually unchanged to human observers. A commonly used formulation for crafting such perturbations is shown in Eq. (1) (Pantelakis et al., 2023):
$X_{adv} = x + \epsilon \cdot \mathrm{sign}(\nabla_x L(x, y))$ (1)
where $x$ is the original input, $\epsilon$ is the perturbation magnitude, which determines the quantity of noise that is added to the input, and $\nabla_x L(x, y)$ is the gradient of the loss function with respect to $x$.
The effectiveness of evasion attacks stems from deep learning models' inherent sensitivity to slight input variations. While this sensitivity facilitates the capture of complex patterns, it also makes these models vulnerable to adversarial manipulations. A thorough understanding of evasion attacks helps researchers anticipate potential threats and develop strategies to fortify model robustness.
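As an added illustration of the white-box pipeline described under ‘Overview of adversarial techniques’ and of Eq. (1), and not code from the paper or from EVAISION: a pure-Python FGSM robustness check against a constructed linear softmax classifier. It replicates the model's normalization inside the input gradient, clips results to the valid domain, covers both the untargeted and targeted objectives, and reports the accuracy and misclassification-rate metrics the text uses. The weights, normalization constants and samples are hypothetical.

```python
import math

# Constructed toy setting (hypothetical, not from the paper or EVAISION):
# a linear softmax classifier over 4-dimensional inputs in [0, 1] with three
# classes. The deployed model normalizes raw inputs with MEAN/STD first.
W = [
    [ 2.0, -1.0,  0.25, -0.5],   # class 0
    [-1.0,  2.0, -0.5,   0.25],  # class 1
    [-0.5, -0.5,  1.5,   1.5],   # class 2
]
B = [0.0, 0.0, 0.0]
MEAN, STD = 0.5, 0.25


def normalize(x):
    """Preprocessing the target model applies before its linear layer."""
    return [(v - MEAN) / STD for v in x]


def logits(x):
    z = normalize(x)
    return [sum(w * v for w, v in zip(row, z)) + b for row, b in zip(W, B)]


def softmax(l):
    m = max(l)
    e = [math.exp(v - m) for v in l]
    s = sum(e)
    return [v / s for v in e]


def predict(x):
    l = logits(x)
    return max(range(len(l)), key=l.__getitem__)


def cross_entropy(x, y):
    return -math.log(softmax(logits(x))[y])


def input_gradient(x, y):
    """Exact dL/dx for cross-entropy on a linear softmax model.

    dL/dz = W^T (p - onehot(y)) for the normalized input z; the chain rule
    through z = (x - MEAN) / STD adds the factor 1/STD. Omitting it is the
    'preprocessing not replicated' mistake the text warns about: for a scalar
    STD > 0 the sign survives, but per-pixel steps such as resizing mix
    coordinates and change the gradient direction.
    """
    p = softmax(logits(x))
    d = [p[k] - (1.0 if k == y else 0.0) for k in range(len(W))]
    grad_z = [sum(W[k][j] * d[k] for k in range(len(W))) for j in range(len(x))]
    return [g / STD for g in grad_z]


def sign(v):
    return (v > 0) - (v < 0)


def fgsm(x, y, eps, target=None):
    """Eq. (1): x_adv = x + eps * sign(grad_x L(x, y)), then clipped to [0, 1].

    Untargeted (target is None): step up the loss on the true label y.
    Targeted: step down the loss toward `target` (negated sign).
    """
    if target is None:
        step = [eps * sign(g) for g in input_gradient(x, y)]
    else:
        step = [-eps * sign(g) for g in input_gradient(x, target)]
    return [min(1.0, max(0.0, xi + s)) for xi, s in zip(x, step)]


def linf(a, b):
    return max(abs(u - v) for u, v in zip(a, b))


def evaluate(samples, eps):
    """Accuracy before/after the untargeted attack plus the misclassification
    rate, the metrics the text uses to score an evasion attack."""
    n = len(samples)
    clean = sum(predict(x) == y for x, y in samples)
    adv = sum(predict(fgsm(x, y, eps)) == y for x, y in samples)
    return {"clean_acc": clean / n, "adv_acc": adv / n, "misclass_rate": 1 - adv / n}


# Constructed clean inputs with ground-truth labels.
SAMPLES = [
    ([0.7, 0.3, 0.4, 0.3], 0),
    ([0.3, 0.7, 0.3, 0.4], 1),
    ([0.3, 0.3, 0.8, 0.7], 2),
    ([0.9, 0.1, 0.1, 0.1], 0),
]

if __name__ == "__main__":
    print(evaluate(SAMPLES, 0.25))
    x, y = SAMPLES[0]
    x_adv = fgsm(x, y, 0.25, target=1)
    print("targeted -> class", predict(x_adv), "L_inf", round(linf(x, x_adv), 3))
```

The fourth sample sits far from every decision boundary and survives the budget of 0.25, which is the per-model variation in vulnerability the evaluation is meant to surface.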
Poisoning attacks. Unlike evasion attacks, which target the model during inference, poisoning attacks involve intentionally manipulating training data to introduce vulnerabilities into the model. These attacks exploit the reliance of ML algorithms on clean and representative datasets by contaminating the training set with maliciously crafted samples. The adversary strategically injects these samples to influence the model's learning process by degrading its overall performance or inducing specific erroneous behaviors under targeted conditions.
Poisoning attacks typically exploit vulnerabilities in the data collection and model training pipeline by leveraging the following mechanisms:
• Label flipping: Adversaries manipulate the labels of training samples to induce incorrect associations within the model. For example, altered labels in a facial recognition system may lead the model to misidentify individuals, thereby degrading its classification accuracy.
• Feature injection: Attackers introduce malicious examples containing irrelevant or misleading features into the training dataset. Such perturbations distort the model's feature space and learning trajectory. For instance, inserting benign-looking but carefully crafted patterns into spam emails can cause the classifier to misinterpret or overlook legitimate spam indicators.
• Backdoor attacks: These constitute a specialized class of poisoning attacks, wherein adversaries embed specific “triggers” within the data that are covertly associated with particular target labels. During inference, the trigger compels the model to misclassify inputs, irrespective of their true content.
Poisoning attacks pose a significant threat, mainly when training data is sourced from unverified or publicly accessible origins. Such vulnerabilities are prevalent in federated learning frameworks, open-source repositories, and collaboratively curated datasets. In these contexts, attackers can insert adversarial samples into the data stream, compromising the resulting model's integrity and reliability.
Model extraction attacks. These target ML systems by replicating their functionality through systematic querying. These attacks are particularly concerning for models deployed via publicly accessible application program interfaces (APIs), where adversaries can exploit the query-response interface to infer decision boundaries or approximate the underlying parameters of the target model. Such actions not only compromise the intellectual property of the model owner but also enable further adversarial activities, such as evasion attacks.
The tactics employed by attackers are influenced by the type of model outputs available. When soft labels (i.e., class probabilities) are accessible, adversaries can efficiently approximate model parameters with relatively few queries. In contrast, when only hard labels (i.e., predicted classes) are returned, the extraction process becomes more challenging. Nonetheless, Tramèr et al. (2016) demonstrated that linear and non-linear models can be effectively extracted even in such constrained settings. Their work showed that it is possible to replicate a target model's behavior with high fidelity despite limited access to output information with carefully crafted queries.
Model extraction is often accompanied by surrogate training, wherein the adversary uses the collected query-response pairs to train a local model that mimics the decision-making process of the target system. This surrogate model can be exploited to

single-channel grayscale images of the MNIST and Fashion MNIST datasets. Input data adjustment: All images were resized to 224 × 224 pixels to match VGG11's expected input dimensions. Output adjustment: The final fully connected layer was replaced with a new layer configured to output predictions for 10 classes, corresponding to the labels in MNIST, Fashion-MNIST, and CIFAR-10.
Security requirements
Defining security requirements for an adversarial AI evasion attack tool is essential to mitigate misuse, uphold ethical research standards, and maintain control over the tool's operation. These requirements facilitate controlled access, restrict excessive resource consumption, and ensure the reproducibility of attacks. Furthermore, they safeguard sensitive data, preserve the integrity of targeted models, and support forensic analysis to monitor and address potential risks. Based on recent literature (Pantelakis et al., 2023; Petihakis et al., 2024), the following security requirements have been identified:
S1—Secure model interaction. The tool must utilize controlled APIs for interaction with target models, thereby preventing direct filesystem modifications. All inputs and outputs associated with model queries must be logged and verified through checksums to detect unauthorized alterations.
S2—Execution integrity. Modifications to the attack code or dynamic tampering of attack algorithms during execution must be strictly prohibited to ensure the integrity of the tool's operation.
S3—Controlled access. Prior to execution, the integrity of attack scripts must be verified through cryptographic signing mechanisms to prevent unauthorized code execution.
S4—Resource and abuse controls. The tool must implement resource usage constraints to mitigate the risk of Denial-of-Service (DoS) attacks and must be capable of detecting and halting recursive attack chaining that could result in uncontrolled adversarial retraining.
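As an added illustration of S1, S3 and S4 (a constructed example, not EVAISION's own code): a signed manifest check that refuses to run altered attack scripts, and a model gateway that logs every query with input/output checksums, enforces a query budget and caps attack-chaining depth. The signing key, script contents, budget values and toy model are hypothetical, and HMAC-SHA256 stands in for the asymmetric signing mechanism so the example runs offline.

```python
import hashlib
import hmac
import json

# Constructed example (not EVAISION's own code): a minimal gatekeeper that
# realizes S1, S3 and S4 from the text. The signing key, script contents,
# budget values and toy model are hypothetical. HMAC-SHA256 stands in for an
# asymmetric signature so the example runs offline with the standard library.
SIGNING_KEY = b"hypothetical-release-signing-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(scripts: dict) -> dict:
    """Release side (S3): hash every attack script and sign the hash list."""
    digests = {name: sha256_hex(src) for name, src in scripts.items()}
    payload = json.dumps(digests, sort_keys=True).encode()
    return {"digests": digests,
            "sig": hmac.new(SIGNING_KEY, payload, "sha256").hexdigest()}


def verify_manifest(manifest: dict, scripts: dict) -> bool:
    """Execution side (S2/S3): run nothing unless the signature is valid and
    every script on disk hashes to the signed value."""
    payload = json.dumps(manifest["digests"], sort_keys=True).encode()
    expected = hmac.new(SIGNING_KEY, payload, "sha256").hexdigest()
    if not hmac.compare_digest(expected, manifest["sig"]):
        return False                        # manifest itself was altered
    if set(manifest["digests"]) != set(scripts):
        return False                        # script added or removed
    return all(hmac.compare_digest(manifest["digests"][n], sha256_hex(s))
               for n, s in scripts.items())


class ModelGateway:
    """S1 + S4: the only path to the target model. Each query is logged with
    input/output checksums, a query budget bounds resource use, and the
    chaining depth is capped so an attack cannot recursively feed its own
    outputs back in without limit."""

    def __init__(self, model, max_queries: int, max_chain_depth: int):
        self.model = model
        self.max_queries = max_queries
        self.max_chain_depth = max_chain_depth
        self.log = []

    def query(self, x: bytes, chain_depth: int = 0) -> bytes:
        if len(self.log) >= self.max_queries:
            raise RuntimeError("query budget exhausted (S4)")
        if chain_depth > self.max_chain_depth:
            raise RuntimeError("attack chaining depth exceeded (S4)")
        y = self.model(x)
        self.log.append({"in": sha256_hex(x), "out": sha256_hex(y),
                         "depth": chain_depth})
        return y

    def audit(self, inputs, outputs) -> list:
        """Forensic check (S1): re-hash the stored inputs/outputs and return
        the indices whose checksums no longer match what was logged."""
        return [i for i, (x, y) in enumerate(zip(inputs, outputs))
                if self.log[i]["in"] != sha256_hex(x)
                or self.log[i]["out"] != sha256_hex(y)]


def toy_model(x: bytes) -> bytes:
    """Hypothetical target model: labels an input by the parity of its bytes."""
    return b"even" if sum(x) % 2 == 0 else b"odd"
```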
EVAISION architecture
EVAISION is designed to perform adversarial attacks on ML models through an automated and modular framework. This design allows users to conduct multiple evaluations and collect performance metrics without developing separate scripts for each attack scenario. Its modular architecture ensures seamless integration of additional attacks, models, or evaluation metrics, making EVAISION inherently extensible for adversarial robustness testing. Figure 2 illustrates the architecture of EVAISION, highlighting its key components and their interactions.
The core components of EVAISION include the main script as well as the attack and evaluation modules.
Attack Manager. The Attack Manager acts as the central coordinator within EVAISION, overseeing the execution of adversarial attacks. It interfaces between user-defined parameters and internal components, ensuring a seamless workflow from input handling
Za as e al. (2025), Pee J Compu . Sci., DOI 10.7717/pee j-cs.3330 16/37
o a ack execu ion and pe o mance e alua ion. A c i ical esponsibili y o he A ack
Manage is o in e ace wi h he Ta ge Model Connec o , acili a ing communica ion wi h
ex e nal AI models. I manages he deli e y o pe u bed inpu s and collec s co esponding
p edic ions o analysis. Mo eo e , he A ack Manage selec s app op ia e a ack
s a egies based on use -specified equi emen s and model access cons ain s (e.g.,
whi e-box o black-box). I ensu es he A ack Gene a ion Engine ope a es using he
selec ed me hods, such as g adien -based app oaches (e.g., FGSM, PGD). I also moni o s
he en i e a ack li ecycle, om inpu p ep ocessing and a ack gene a ion o esul s
agg ega ion. The A ack Manage wo ks closely wi h he E alua ion Module o gua an ee
accu a e and meaning ul pe o mance insigh s, including a ack success a es and
pe u ba ion me ics. I s adap able design allows o s aigh o wa d expansion,
accommoda ing di e se AI models and a ack configu a ions, he eby p o iding a obus
amewo k o e alua ing model obus ness.
Target model connector. This module serves as a standardized interface between EVAISION and external AI models, supporting both transparent (white-box) and opaque (black-box) settings. In transparent configurations, the connector enables direct access to gradients, model parameters, and architecture, facilitating highly optimized attacks. It supports query-based interactions in opaque scenarios, allowing EVAISION to send crafted inputs and analyze the model's outputs to identify vulnerabilities. The Target Model Connector also ensures input/output compatibility by applying necessary transformations, such as normalization, encoding, or resizing, tailored to the requirements of the target model. Overall, this module ensures reliable integration with diverse AI systems, enabling realistic adversarial testing across various deployment environments.
Attack generation engine. This module generates adversarial perturbations designed to deceive external AI systems. It implements diverse attack algorithms, categorized into gradient-based, optimization-based, and query-based techniques. It leverages methods such as FGSM, PGD, C&W, and DeepFool to exploit model vulnerabilities via carefully crafted input alterations in white-box scenarios. Its flexible design allows EVAISION to assess model robustness under various attack methodologies and operational conditions.
Figure 2 EVAISION blueprint (component boxes: Attack Manager, Target Model Connector, Attack Generation Engine, Perturbation Module, Attack Evaluation; EVAISION attacks directed at the Target Machine; Attack impact). Full-size DOI: 10.7717/peerj-cs.3330/fig-2
Data perturbation module. This module ensures that perturbations remain subtle yet effective in misleading the target model. It preprocesses input data to meet the format requirements of both the attack algorithms and the target AI system, applying transformations such as normalization, resizing, and encoding based on the data type (e.g., image, text, or structured data). Once preprocessed, the module applies adversarial perturbations generated by the Attack Generation Engine, adhering to specific norm constraints to maintain imperceptibility. It incorporates refinement techniques, including optimization-based adjustments, to balance minimal distortion with high attack success rates. This module ensures that generated adversarial examples are both realistic and impactful.
Attack evaluation module. This component evaluates the efficacy of adversarial attacks by analyzing the impact of perturbed inputs on the target model's predictions. It provides quantitative and qualitative metrics, including accuracy, precision, recall, F1-score, misclassification rate, and mean confidence. Additionally, it measures shifts in prediction confidence, highlighting how adversarial inputs affect model certainty. The module supports side-by-side comparisons between clean and adversarial predictions, enabling detailed analysis of model vulnerabilities. This module strengthens the analysis of adversarial robustness and supports broader security assessments by providing a comprehensive evaluation framework.
Processing flow. The tool's processing pipeline begins with user-defined inputs and attack parameters, such as attack type (e.g., FGSM, PGD, C&W), perturbation constraints, and access mode (white-box or black-box). The input data is first processed by the data perturbation module, which performs necessary preprocessing (e.g., normalization, resizing, encoding, tokenization). The preprocessed data is passed to the Attack Generation Engine, which generates adversarial perturbations in accordance with the selected strategy. In white-box settings, the engine computes gradients to optimize perturbations; in black-box scenarios, it uses query-based techniques to refine inputs iteratively. The generated adversarial examples are then passed to the Target Model Connector, which interfaces with the external AI model to obtain predictions. The Attack Evaluation Module analyzes these outputs to compute the final metrics. Each attack type requires specific parameters, summarized as follows:
. FGSM: epsilon
. PGD: epsilon, step size, number of iterations
. DeepFool: maximum iterations, overshoot
. C&W: confidence, learning rate, maximum iterations
Upon completion of the attack, the adversarial examples are used to evaluate the model's robustness through the defined metrics.
FGSM implementation. The run_fgsm function leverages the Adversarial Robustness Toolbox (ART) (LF AI Foundation, 2025) to implement FGSM. The input is converted to a NumPy array as ART requires, and the FGSM class is instantiated with the classifier and epsilon (perturbation strength). The fgsm.generate() method applies perturbations that maximize the model's loss.
PGD implementation. The run_pgd function similarly uses ART for PGD. After converting input data to NumPy arrays, the PGD class is configured with parameters such as maximum perturbation, step size, and iterations. Adversarial examples are generated iteratively and returned as PyTorch tensors.
DeepFool implementation. The run_deepfool function implements DeepFool via ART. It initializes the DeepFool class with the target classifier and generates minimal perturbations required for misclassification. The outputs are returned to the main pipeline for evaluation.
C&W implementation. The run_carlini_wagner function uses ART's CarliniL2Method class. Inputs are transformed into NumPy arrays, and the class is configured with confidence and iteration parameters. The generate method applies the C&W optimization algorithm, and results are returned for further analysis.
PERFORMANCE EVALUATION
The execution of all the attacks and the calculation of the metrics presented below were carried out on a machine equipped with a 13th Gen Intel Core i7 processor, an NVIDIA GeForce RTX 4060 graphics card, and 16 GB of RAM, running the Windows 11 Operating System.
In EVAISION, a set of evaluation metrics was defined to assess the performance of the ML models against the adversarial techniques employed. These metrics were computed for the model performance on clean datasets and on the adversarial examples generated by the attacks. This dual approach ensures a more comprehensive comparison of the results. The metrics currently included in the evaluation module of EVAISION are described below. To ensure robustness and mitigate stochastic variability, each adversarial AI attack was independently executed five times per model-attack pair. The reported results represent the average performance across these runs, and standard deviations are also provided where applicable to reflect the statistical consistency of the outcomes. This repetition enables a more reliable comparison between models and attacks, contributing to the statistical validity of the evaluation.
Accuracy (see Eq. (7)) measures the proportion of correctly classified samples out of the total dataset. It also functions as a general indicator of the model's predictive capability.
$$\text{Accuracy} = \frac{\text{Number of Correct Predictions}}{\text{Total Number of Samples}} \quad (7)$$
Precision evaluates the proportion of true positive predictions out of all positive predictions made by the model (see Eq. (8)). It reflects the model's ability to avoid false positives.
$$\text{Precision} = \frac{\text{True Positives}}{\text{True Positives} + \text{False Positives}} \quad (8)$$
Recall measures the proportion of true positive predictions out of the actual positives in the dataset (see Eq. (9)). It assesses the model's ability to identify all relevant instances without missing any.
$$\text{Recall} = \frac{\text{True Positives}}{\text{True Positives} + \text{False Negatives}} \quad (9)$$
F1-score is the harmonic mean of precision and recall, providing a single metric that balances both false positives and false negatives (see Eq. (10)).
$$\text{F1-score} = \frac{2 \cdot \text{Precision} \cdot \text{Recall}}{\text{Precision} + \text{Recall}} \quad (10)$$
Misclassification rate complements accuracy by measuring the proportion of incorrect predictions (see Eq. (11)). It is defined as:
$$\text{Misclassification Rate} = 1 - \text{Accuracy} \quad (11)$$
Mean confidence measures the average confidence level of the model in its predictions for the true class labels (see Eq. (12)). If the output probabilities are not normalized, a softmax function is applied to ensure the values represent proper confidence scores.
$$\text{Mean Confidence} = \frac{1}{N} \sum_{i=1}^{N} P(\text{True Class} \mid x_i) \quad (12)$$
where $P(\text{True Class} \mid x_i)$ is the predicted probability of the true class for sample $x_i$.
Below, we present the overall impact summary per model and per dataset (MNIST, Fashion-MNIST, CIFAR-10). The impact is calculated as the difference between the metric value after the attack and the metric value before the attack (see Eq. (13)).
$$\text{Impact} = \text{Metric}_{\text{After}} - \text{Metric}_{\text{Before}} \quad (13)$$
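As an added example, not EVAISION's own code, the metrics of Eqs. (7)-(13) implemented in pure Python and applied to constructed clean and adversarial model outputs, including the softmax step for unnormalized outputs and the averaging over repeated runs. Macro-averaging of precision and recall over classes and first-class tie-breaking in the argmax are assumptions, since the page does not state how the module aggregates them.

```python
# Added example (not EVAISION's own code): the metrics of the attack evaluation
# module, Eqs. (7)-(13), computed in pure Python over constructed model outputs.
# Assumptions not stated on the page: precision and recall are macro-averaged
# over classes, and the argmax picks the first class on a tie.
import math
from statistics import mean, pstdev


def softmax(logits):
    """Turn raw scores into probabilities (used when outputs are not normalized)."""
    top = max(logits)
    exps = [math.exp(v - top) for v in logits]
    total = sum(exps)
    return [e / total for e in exps]


def is_normalized(row, tol=1e-6):
    """True if a row already looks like a probability distribution."""
    return all(v >= 0.0 for v in row) and abs(sum(row) - 1.0) < tol


def evaluate(outputs, labels, num_classes):
    """Per-run metrics of Eqs. (7)-(12), as fractions in [0, 1].

    outputs: one row of scores per sample (probabilities or raw logits);
    labels:  the true class index of each sample.
    """
    probs = [row if is_normalized(row) else softmax(row) for row in outputs]
    preds = [max(range(num_classes), key=p.__getitem__) for p in probs]
    n = len(labels)
    correct = sum(1 for p, y in zip(preds, labels) if p == y)
    accuracy = correct / n                                        # Eq. (7)

    precisions, recalls = [], []
    for c in range(num_classes):
        tp = sum(1 for p, y in zip(preds, labels) if p == c and y == c)
        fp = sum(1 for p, y in zip(preds, labels) if p == c and y != c)
        fn = sum(1 for p, y in zip(preds, labels) if p != c and y == c)
        precisions.append(tp / (tp + fp) if tp + fp else 0.0)      # Eq. (8), per class
        recalls.append(tp / (tp + fn) if tp + fn else 0.0)         # Eq. (9), per class
    precision = mean(precisions)                                  # macro average (assumption)
    recall = mean(recalls)
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0  # Eq. (10)
    misclassification = 1.0 - accuracy                            # Eq. (11)
    mean_confidence = mean(p[y] for p, y in zip(probs, labels))   # Eq. (12)
    return {
        "accuracy": accuracy,
        "precision": precision,
        "recall": recall,
        "f1": f1,
        "misclassification_rate": misclassification,
        "mean_confidence": mean_confidence,
    }


def impact(after, before):
    """Eq. (13) in percentage points: metric after the attack minus metric before it."""
    return {k: 100.0 * (after[k] - before[k]) for k in before}


def summarize_runs(runs):
    """Mean and population standard deviation of each metric across repeated runs."""
    return {k: (mean(r[k] for r in runs), pstdev(r[k] for r in runs)) for k in runs[0]}


# Constructed sample: 6 samples, 3 classes (not real model outputs).
LABELS = [0, 1, 2, 0, 1, 2]
CLEAN_OUTPUTS = [  # already-normalized probabilities
    [0.9, 0.05, 0.05], [0.1, 0.8, 0.1], [0.2, 0.1, 0.7],
    [0.6, 0.3, 0.1], [0.3, 0.6, 0.1], [0.5, 0.2, 0.3],
]
ADV_OUTPUTS = [  # raw logits, so the softmax branch is exercised
    [1.0, 3.0, 1.0], [2.5, 2.0, 0.0], [0.0, 0.0, 4.0],
    [0.0, 1.0, 2.0], [3.0, 1.0, 0.0], [1.0, 1.0, 2.0],
]


def demo():
    """Clean vs. adversarial metrics and the resulting impact table."""
    clean = evaluate(CLEAN_OUTPUTS, LABELS, 3)
    adv = evaluate(ADV_OUTPUTS, LABELS, 3)
    return clean, adv, impact(adv, clean)


if __name__ == "__main__":
    clean_m, adv_m, imp = demo()
    for key in clean_m:
        print(f"{key:24s} clean={clean_m[key]:.3f} adv={adv_m[key]:.3f} impact={imp[key]:+.1f}")
```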
For our experiments, we carefully selected the hyperparameters of the employed attacks based on commonly adopted practices in the literature to ensure fair comparisons. More precisely, for the FGSM, the perturbation magnitude ε was set to 0.2, which controls the maximum allowed distortion added to the input while generating adversarial examples. Regarding PGD, we used ε = 0.1, a step size per iteration of 0.001, and the maximum number of optimization iterations was fixed at 40. In C&W, we set the confidence parameter to 0.1 to enforce a small separation margin from the decision boundary, and the maximum number of iterations was fixed at 10. Finally, for DeepFool, the maximum number of iterations was set to 100, with an ε value of 1e−6 to control the overshoot parameter. Additionally, the number of class gradients computed per iteration was set to 10 to efficiently approximate decision boundaries. These hyperparameters were chosen to balance attack strength and computational efficiency, ensuring a fair evaluation across different adversarial techniques.
Baseline
The initial phase of our evaluation involved measuring the performance of the models under their original, unperturbed conditions before introducing adversarial AI attacks. The assessment is based on the aforementioned evaluation metrics. Table 1 summarizes the baseline performance of the models (i.e., FCNN, LeNet, Simple CNN, MobileNetV2, and VGG11) during their correct operation. Notably, these baseline results were obtained from experiments conducted five times each in the described environment. Simple CNN consistently achieved the highest accuracy across all datasets (i.e., MNIST, Fashion-MNIST, and CIFAR-10). In contrast, LeNet performed the worst on MNIST and Fashion-MNIST, while MobileNetV2 exhibited the lowest accuracy on CIFAR-10. Although the evaluation is conducted on widely-used benchmark datasets (i.e., MNIST, Fashion-MNIST, and CIFAR-10), these datasets are standard in adversarial ML research and provide a controlled, reproducible environment for rigorous comparison across attack techniques and models. Their established role in the literature ensures baseline validity while enabling future extension to more complex, real-world datasets. This pattern is further corroborated by other metrics, including the F1-score, precision, recall, mean confidence, and misclassification rate.
Table 1 Baseline metrics (initial performance on AI models). Values in %.
Model        | Accuracy                 | F1-score                 | Precision
             | MNIST  F-MNIST  CIFAR-10 | MNIST  F-MNIST  CIFAR-10 | MNIST  F-MNIST  CIFAR-10
FCNN         |  92     87       39      |  91     85       35      |  91     87       37
LeNet        |  91     82       48      |  93     81       45      |  94     82       48
Simple CNN   |  96     89       61      |  97     88       59      |  97     88       62
MobileNetV2  |  96     84       18      |  96     83       13      |  65     85       15
VGG11        |  96     87       50      |  96     87       48      |  96     88       49

Model        | Recall                   | Mean confidence          | Misclassification rate
             | MNIST  F-MNIST  CIFAR-10 | MNIST  F-MNIST  CIFAR-10 | MNIST  F-MNIST  CIFAR-10
FCNN         |  93     85       37      |  91     83       35      |   7     12       60
LeNet        |  94     82       45      |  92     77       36      |   6     17       51
Simple CNN   |  98     90       61      |  96     88       60      |   3     10       38
MobileNetV2  |  96     84       17      |  92     80       16      |   3     14       81
VGG11        |  97     87       51      |  97     86       46      |   3     12       50

FGSM impact summary
The results of the FGSM attack across all evaluated models demonstrate considerable variability in the degree of impact on performance metrics, thereby highlighting the relative robustness and vulnerabilities inherent to different neural network architectures under adversarial conditions (see Table 2).
A comparative analysis of model performance under FGSM perturbations across all datasets reveals that susceptibility to adversarial attacks is highly architecture-dependent. Notably, the Simple CNN exhibited substantial vulnerability in most datasets, though the FCNN experienced even greater degradation in performance, particularly on the MNIST dataset. The FCNN's lack of convolutional layers, and consequently of spatial awareness, forces it to process input as a flat vector, severely limiting its capacity to capture local patterns and increasing its sensitivity to FGSM's gradient-based perturbations.
In contrast, while Simple CNN incorporates convolutional layers that provide a degree of spatial awareness, its shallow architecture limits its capacity for robust feature extraction and the formation of firm decision boundaries. This inadequacy renders it similarly vulnerable to adversarial noise, albeit marginally more robust than FCNN.
LeNet, among the simpler architectures, demonstrated the highest resilience. Its use of convolutional layers and max pooling not only facilitates spatial feature extraction but also contributes to noise reduction, improving its defense against FGSM perturbations.
MobileNetV2 outperformed LeNet in adversarial robustness, attributable to its more advanced architectural elements, such as depthwise separable convolutions and residual connections, which enhance feature extraction efficiency and offer improved resistance to adversarial inputs.
Among all models tested, VGG11 exhibited the greatest resilience to FGSM attacks. Its deep architecture allows for hierarchical feature extraction, wherein early layers capture low-level features and deeper layers abstract complex patterns. This depth and its ability to form robust decision boundaries provide superior defense against adversarial perturbations compared to the other architectures evaluated.
Table 2 Impact of the FGSM attack on the model performance metrics. Impact in %.
Model        | Accuracy                 | F1-score                 | Precision
             | MNIST  F-MNIST  CIFAR-10 | MNIST  F-MNIST  CIFAR-10 | MNIST  F-MNIST  CIFAR-10
FCNN         | −68    −54      −24      | −66    −53      −23      | −62    −48      −22
LeNet        | −11    −43      −29      | −11    −40      −26      | −12    −39      −32
Simple CNN   | −84    −64      −43      | −83    −62      −43      | −83    −60      −43
MobileNetV2  |  −8    −65       −3      |  −9    −68       −2      |  −8    −67       −5
VGG11        |  −4    −60      −31      |  −5    −58      −33      |  −3    −52      −34

Model        | Recall                   | Mean confidence          | Misclassification rate
             | MNIST  F-MNIST  CIFAR-10 | MNIST  F-MNIST  CIFAR-10 | MNIST  F-MNIST  CIFAR-10
FCNN         | −67    −53      −25      | −67    −50       24      |  68     54       24
LeNet        | −10    −41      −27      | −13    −39       29      |  11     43       29
Simple CNN   | −83    −62      −45      | −81    −62       43      |  84     64       43
MobileNetV2  |  −9    −69       −3      |  −9    −62        3      |   8     65        3
VGG11        |  −5    −60      −34      |  −5    −58       31      |   4     60       31
PGD impact summary
The PGD attack is another adversarial technique evaluated in this study (refer to Table 3). The PGD attack iteratively refines perturbations to maximize their impact on model predictions. The following analysis summarizes the performance of each model under the PGD attack.
The results of the PGD attack across all models highlight the varying levels of vulnerability, as well as the different impacts on evaluation metrics, as presented in Table 3. The Simple CNN model was the most affected by PGD, similar to the effect of the FGSM attack. Although the model incorporates convolutional layers, which provide spatial awareness, its shallow architecture limits its ability to construct robust decision boundaries. Similarly, the FCNN exhibited significant vulnerability due to its lack of spatial awareness, processing inputs as flat vectors and relying on global gradients for predictions. While FGSM caused a notable degradation in FCNN's performance, the PGD attack, with its iterative and more targeted perturbations, led to slightly improved performance compared to FGSM.
Surprisingly, VGG11 did not perform as well under PGD as anticipated, with considerable drops in evaluation metrics. The deeper architecture, which was expected to offer resilience, appeared vulnerable to PGD's iterative perturbations, potentially due to its reliance on learned patterns that may have become fragile under adversarial manipulation. In contrast, MobileNetV2 demonstrated strong resistance to PGD, outperforming both the simpler models (FCNN and Simple CNN) and even VGG11. This is likely attributable to its use of separable convolutions and residual connections, which enhance its ability to extract features efficiently.
LeNet performed the best under the PGD attack, exhibiting the smallest performance drops across all metrics. Its convolutional layers and max pooling mechanisms provide substantial spatial awareness and noise reduction. While lacking the depth of VGG11, LeNet's relatively simple architecture may have contributed to its robustness, as it did not overfit to specific patterns during training.

Table 3 Impact of the PGD attack on the model performance metrics. Impact in %.
Model        | Accuracy                 | F1-score                 | Precision
             | MNIST  F-MNIST  CIFAR-10 | MNIST  F-MNIST  CIFAR-10 | MNIST  F-MNIST  CIFAR-10
FCNN         | −33    −24      −32      | −34    −26      −30      | −31    −25      −31
LeNet        |  −1    −25      −37      |  −1    −26      −35      |   0    −21      −37
Simple CNN   | −86    −45      −43      | −85    −44      −45      | −85    −42      −46
MobileNetV2  |  −3    −75      −11      |  −6    −74       −8      |  −5    −74      −17
VGG11        | −15    −74      −38      | −15    −75      −37      | −13    −73      −37

Model        | Recall                   | Mean confidence          | Misclassification rate
             | MNIST  F-MNIST  CIFAR-10 | MNIST  F-MNIST  CIFAR-10 | MNIST  F-MNIST  CIFAR-10
FCNN         | −32    −25      −33      | −32    −23      −23      |  33     24       32
LeNet        |  −1    −28      −37      |  −3    −21      −22      |   1     25       37
Simple CNN   | −86    −46      −46      | −84    −44      −40      |  86     45       43
MobileNetV2  |  −5    −73       −8      |  −3    −72       −8      |   3     75       11
VGG11        | −13    −75      −37      | −16    −71      −33      |  15     74       38
DeepFool impact summary
The results from the DeepFool attack indicate that all the models tested were significantly affected, exhibiting substantial degradation across all performance metrics (refer to Table 4).
The Simple CNN showed the smallest impact on most metrics among the models evaluated, outperforming the other architectures tested in this attack. Its relatively simple decision boundaries limited the ability of the DeepFool-generated adversarial samples to degrade performance, in contrast to the more complex models. Despite this relative resilience, the Simple CNN still experienced noticeable reductions in all performance metrics, as illustrated in Table 4.
The FCNN, while showing a considerable impact from the attack, exhibited performance comparable to, and in some cases slightly better than, deeper models such as VGG11 in specific metrics. Its simple architecture and reliance on global gradients allowed it to retain a slight advantage in terms of stability under the DeepFool attack compared to more complex models.
In contrast, LeNet and VGG11 demonstrated similarly compromised performance under the DeepFool attack. Although VGG11's deeper architecture and more complex decision boundaries had previously provided it with some robustness, these features were insufficient in mitigating the effects of DeepFool's iterative adjustments. The attack exploited the model's complexity, resulting in significant misclassifications. LeNet, a shallower architecture that had shown resilience against earlier attacks, also failed to maintain its robustness under DeepFool's iterative precision.
Table 4 Impact of the DeepFool attack on the model performance metrics. Impact in %.
Model        | Accuracy                 | F1-score                 | Precision
             | MNIST  F-MNIST  CIFAR-10 | MNIST  F-MNIST  CIFAR-10 | MNIST  F-MNIST  CIFAR-10
FCNN         | −91    −76      −27      | −90    −73      −26      | −90    −70      −27
LeNet        | −93    −72      −27      | −94    −74      −25      | −94    −75      −25
Simple CNN   | −72    −83      −44      | −70    −83      −43      | −61    −85      −44
MobileNetV2  | −96    −54      −11      | −95    −52      −12      | −94    −49      −11
VGG11        | −93    −78      −31      | −93    −78      −30      | −92    −79      −30

Model        | Recall                   | Mean confidence          | Misclassification rate
             | MNIST  F-MNIST  CIFAR-10 | MNIST  F-MNIST  CIFAR-10 | MNIST  F-MNIST  CIFAR-10
FCNN         | −91    −74      −29      | −53    −46      −11      |  91     76       27
LeNet        | −94    −74      −27      | −52    −35      −10      |  93     72       27
Simple CNN   | −72    −82      −45      | −50    −42      −22      |  72     83       44
MobileNetV2  | −96    −54      −17      | −54    −37       −3      |  96     54       11
VGG11        | −94    −77      −33      | −49    −41      −14      |  93     78       31
Lastly, MobileNetV2 experienced the most significant degradation across all datasets, particularly in key metrics such as accuracy and mean confidence. Despite the advantages of residual connections in improving stability under simpler attacks like FGSM or PGD, these mechanisms did not provide the same level of protection against the DeepFool attack. Consequently, MobileNetV2's performance was substantially impaired.
C&W impact summary
The results of the C&W attack highlight varying levels of impact across the tested models, demonstrating their relative robustness to adversarial perturbations (see Table 5).
The C&W attack (see Table 5) induced varying degrees of disruption across the models, revealing their resilience to these adversarial perturbations. As expected, the Simple CNN model exhibited the greatest susceptibility, experiencing substantial performance drops across most metrics. While its convolutional layers provided some spatial awareness, its shallow depth and weak decision boundaries rendered it particularly vulnerable to this attack. LeNet, with its combination of convolutional layers and max pooling, displayed moderate robustness compared to other models; however, the targeted nature of the C&W attack ultimately led to misclassifications, as its simple decision boundaries were insufficient to resist the perturbations. MobileNetV2 also suffered a noticeable performance degradation under the C&W attack, positioning it below the FCNN in terms of robustness. Despite its separable convolutions and residual connections, which enhance feature extraction, MobileNetV2's architecture was not optimized for handling highly targeted perturbations like those induced by the C&W attack. Interestingly, the FCNN performed better than some more advanced models, including MobileNetV2. Its simple architecture and linear decision boundaries, typically seen as disadvantages, may have

Table 5 Impact of the C&W attack on the model performance metrics. Impact in %.
Model        | Accuracy                 | F1-score                 | Precision
             | MNIST  F-MNIST  CIFAR-10 | MNIST  F-MNIST  CIFAR-10 | MNIST  F-MNIST  CIFAR-10
FCNN         | −11    −32      −12      | −12    −32       −9      | −11    −31       −6
LeNet        |  −6    −28      −18      |  −8    −28      −17      |  −7    −27      −17
Simple CNN   | −86    −78      −45      | −87    −78      −44      | −85    −77      −46
MobileNetV2  | −17    −75       −5      | −19    −74       −2      | −16    −73       −3
VGG11        |  −2    −13      −15      |  −2    −15      −16      |  −1    −12      −14

Model        | Recall                   | Mean confidence          | Misclassification rate
             | MNIST  F-MNIST  CIFAR-10 | MNIST  F-MNIST  CIFAR-10 | MNIST  F-MNIST  CIFAR-10
FCNN         | −11    −32      −11      |  −5    −16       −5      |  11     32       12
LeNet        |  −8    −28      −19      |  −3    −13       −5      |   6     28       18
Simple CNN   | −87    −80      −46      | −60    −51      −25      |  86     78       45
MobileNetV2  | −18    −74       −5      | −10    −46       −1      |  17     75        5
VGG11        |  −2    −15      −16      |  −1     −9       −8      |   2     13       15
(RESCALE). The funders had no role in study design, data collection and analysis, decision to publish, or preparation of the manuscript.
Grant Disclosures
The following grant information was disclosed by the authors:
European Commission's Horizon Europe and DIGITAL: 101131292 (AIAS), 101183162 (ANTIDOTE), 101168407 (cPAID) and 101120962 (RESCALE).
Competing Interests
Apostolis Zarras is employed by the Foundation for Research and Technology and Aristeidis Farao is employed by the University of Piraeus.
Aristeidis Farao is also employed by InQbit Innovations SRL, Romania.
Author Contributions
. Apostolis Zarras conceived and designed the experiments, performed the experiments, analyzed the data, performed the computation work, prepared figures and/or tables, authored or reviewed drafts of the article, and approved the final draft.
. Athanasia Kollarou conceived and designed the experiments, performed the experiments, analyzed the data, performed the computation work, prepared figures and/or tables, authored or reviewed drafts of the article, and approved the final draft.
. Aristeidis Farao conceived and designed the experiments, performed the experiments, analyzed the data, performed the computation work, prepared figures and/or tables, authored or reviewed drafts of the article, and approved the final draft.
. Panagiotis Bountakas conceived and designed the experiments, performed the experiments, analyzed the data, performed the computation work, prepared figures and/or tables, authored or reviewed drafts of the article, and approved the final draft.
. Christos Xenakis conceived and designed the experiments, performed the experiments, analyzed the data, performed the computation work, prepared figures and/or tables, authored or reviewed drafts of the article, and approved the final draft.
Data Availability
The following information was supplied regarding data availability:
The code and data are available at GitHub and Zenodo:
- https://github.com/UniPiSSL/testing-the-limits-evAIsion.
- University of Piraeus. (2025). EVAISION. Zenodo. https://doi.org/10.5281/zenodo.17276197.
The MNIST dataset is available at GitHub: https://git-disl.github.io/GTDLBench/datasets/mnist_datasets/.
The Fashion-MNIST dataset is available at GitHub: https://github.com/zalandoresearch/fashion-mnist.
The CIFAR-10 dataset: https://www.cs.toronto.edu/~kriz/cifar.html.
REFERENCES
Abou Khamis R, Shafiq MO, Matrawy A. 2020. Investigating resistance of deep learning-based IDS against adversaries using min-max optimization. In: ICC 2020–2020 IEEE International Conference on Communications (ICC). Piscataway: IEEE, 1–7.
Aguilera-Martínez F, Berzal F. 2025. LLM security: vulnerabilities, attacks, defenses, and countermeasures. ArXiv DOI 10.48550/arXiv.2505.01177.
Ahmed AA, Echi M. 2021. Hawk-eye: an AI-powered threat detector for intelligent surveillance cameras. IEEE Access 9:63283–63293 DOI 10.1109/access.2021.3074319.
Ahmed AA, Neetu N. 2024. A comparative analysis of adversarial attack methods on machine learning models. International Journal of Scientific Research in Engineering and Management 8(008):1–6 DOI 10.55041/IJSREM37340.
Algarni A, Thayananthan V. 2025. Digital health: the cybersecurity for AI-based healthcare communication. IEEE Access 13:5858–5870 DOI 10.1109/ACCESS.2025.3526666.
Apruzzese G, Andreolini M, Marchetti M, Colacino VG, Russo G. 2020. AppCon: mitigating evasion attacks to ML cyber detectors. Symmetry 12(4):653 DOI 10.3390/sym12040653.
Ardabili BR, Pazho AD, Noghre GA, Neff C, Bhaskararayuni SD, Ravindran A, Reid S, Tabkhi H. 2023. Understanding policy and technical aspects of AI-enabled smart video surveillance to address public safety. Computational Urban Science 3(1):21 DOI 10.1007/s43762-023-00097-8.
Ayub MA, Johnson WA, Talbert DA, Siraj A. 2020. Model evasion attack on intrusion detection systems using adversarial machine learning. In: 2020 54th Annual Conference on Information Sciences and Systems (CISS). Piscataway: IEEE, 1–6.
Bhagoji AN, Cullina D, Sitawarin C, Mittal P. 2018. Enhancing robustness of machine learning systems via data transformations. In: 2018 52nd Annual Conference on Information Sciences and Systems (CISS). Piscataway: IEEE, 1–5.
Biggio B, Nelson B, Laskov P. 2012. Poisoning attacks against support vector machines. ArXiv DOI 10.48550/arXiv.1206.6389.
Booth H. 2025. When AI thinks it will lose, it sometimes cheats, study finds. TIME. Available at https://time.com/7259395/ai-chess-cheating-palisade-research/.
Bountakas P, Zarras A, Lekidis A, Xenakis C. 2023. Defense strategies for adversarial machine learning: a survey. Computer Science Review 49(5):100573 DOI 10.1016/j.cosrev.2023.100573.
Carlini N, Wagner D. 2017. Towards evaluating the robustness of neural networks. In: 2017 IEEE Symposium on Security and Privacy (SP). Piscataway: IEEE, 39–57.
Charalambous M, Farao A, Kalantzantonakis G, Kanakakis P, Salamanos N, Kotsirakos E, Froudakis E. 2022. Analyzing coverages of cyber insurance policies using ontology. In: Proceedings of the 17th International Conference on Availability, Reliability and Security, 1–7.
Chowdhury A, Karmakar G, Kamruzzaman J, Jolfaei A, Das R. 2020. Attacks on self-driving cars and their countermeasures: a survey. IEEE Access 8:207308–207342 DOI 10.1109/access.2020.3037705.
Chuah J, Kruger U, Wang G, Yan P, Hahn J. 2022. Framework for testing robustness of machine learning-based classifiers. Journal of Personalized Medicine 12(8):1314 DOI 10.3390/jpm12081314.
Clark L. 2025. Cheap 'n' simple sign trickery will bamboozle self-driving cars, fresh research claims. The Register. Available at https://www.theregister.com/2025/03/07/lowcost_malicious_attacks_on_selfdriving/.
Cui J, Liew LS, Sabaliauskaite G, Zhou F. 2019. A review on safety failures, security attacks, and available countermeasures for autonomous vehicles. Ad Hoc Networks 90(Supplement C):101823 DOI 10.1016/j.adhoc.2018.12.006.
Dasgupta P, Collins J. 2019. A survey of game theoretic approaches for adversarial machine learning in cybersecurity tasks. AI Magazine 40(2):31–43 DOI 10.1609/aimag.v40i2.2847.
Dazed. 2025. This ugly AF t-shirt blocks facial recognition technology. Available at https://www.dazeddigital.com/science-tech/article/49183/1/this-t-shirt-blocks-facial-recognition-technology.
Dong Y, Liao F, Pang T, Su H, Zhu J, Hu X, Li J. 2018. Boosting adversarial attacks with momentum. In: Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition. Piscataway: IEEE, 9185–9193.
Dritsoula L, Loiseau P, Musacchio J. 2017. A game-theoretic analysis of adversarial classification. IEEE Transactions on Information Forensics and Security 12(12):3094–3109 DOI 10.1109/tifs.2017.2718494.
Fang C-Y, Chen S-W, Fuh C-S. 2003. Road-sign detection and tracking. IEEE Transactions on Vehicular Technology 52(5):1329–1341 DOI 10.1109/tvt.2003.810999.
Farao A, Ntantogian C, Karagiannis S, Magkos E, Dritsa A, Xenakis C. 2024. NITRO: an interconnected 5G-IoT cyber range. In: Proceedings of the 19th International Conference on Availability, Reliability and Security, 1–6.
Gao L, Yan Z, Liang X, Xu X, Wang J, Ding W, Yang LT. 2023. Taxonomy and recent advance of game theoretical approaches in adversarial machine learning: a survey. ACM Transactions on Sensor Networks. Epub ahead of print 8 May 2023 DOI 10.1145/3600094.
Goodfellow I, Bengio Y, Courville A, Bengio Y. 2016. Deep learning. Cambridge: MIT Press.
Goodfellow IJ, Shlens J, Szegedy C. 2014. Explaining and harnessing adversarial examples. ArXiv DOI 10.48550/arXiv.1412.6572.
Hassan M, Younis S, Rasheed A, Bilal M. 2022. Integrating single-shot fast gradient sign method (FGSM) with classical image processing techniques for generating adversarial attacks on deep learning classifiers. In: Fourteenth International Conference on Machine Vision (ICMV 2021). Vol. 12084. Bellingham: SPIE, 323–334.
Hinton G, Vinyals O, Dean J. 2015. Distilling the knowledge in a neural network. ArXiv DOI 10.48550/arXiv.1503.02531.
Hussain M, Shang Z, Hong J-E. 2025. Adaptive precision layering for efficient adversarial training of deep learning models in intelligent vehicles. Expert Systems with Applications 272(1):126752 DOI 10.1016/j.eswa.2025.126752.
Jiang H, Lin J, Kang H. 2022. FGMD: a robust detector against adversarial attacks in the IoT network. Future Generation Computer Systems 132:194–210 DOI 10.1016/j.future.2022.02.019.
Joshi S, Kataria S, Shao Y, Zelasko P, Villalba J, Khudanpur S, Dehak N. 2022. Defense against adversarial attacks on hybrid speech recognition using joint adversarial fine-tuning with denoiser. ArXiv DOI 10.48550/arXiv.2204.03851.
Kotyan S. 2023. A reading survey on adversarial machine learning: adversarial attacks and their understanding. ArXiv DOI 10.48550/arXiv.2308.03363.
Krizhevsky A. 2009. Learning multiple layers of features from tiny images. Available at https://api.semanticscholar.org/CorpusID:18268744.
Krizhevsky A, Sutskever I, Hinton GE. 2012. ImageNet classification with deep convolutional neural networks. Communications of the ACM 60(6):84–90 DOI 10.1145/3065386.
Lecun Y, Bottou L, Bengio Y, Haffner P. 1998. Gradient-based learning applied to document recognition. Proceedings of the IEEE 86(11):2278–2324 DOI 10.1109/5.726791.
Lee H, Bae H, Yoon S. 2020. Gradient masking of label smoothing in adversarial robustness. IEEE Access 9:6453–6464 DOI 10.1109/access.2020.3048120.
LF AI Foundation. 2025. Adversarial robustness toolbox. Available at https://github.com/Trusted-AI/adversarial-robustness-toolbox.
Li A, Zhou Y, Raghuram VC, Goldstein T, Goldblum M. 2025. Commercial LLM agents are already vulnerable to simple yet dangerous attacks. ArXiv DOI 10.48550/arXiv.2502.08586.
Lin Y-C, Hong Z-W, Liao Y-H, Shih M-L, Liu M-Y, Sun M. 2017. Tactics of adversarial attack on deep reinforcement learning agents. ArXiv DOI 10.48550/arXiv.1703.06748.
Madry A, Makelov A, Schmidt L, Tsipras D, Vladu A. 2017. Towards deep learning models resistant to adversarial attacks. ArXiv DOI 10.48550/arXiv.1706.06083.
Mahimai LD, Gunasekaran M, Kim J, Kadry S. 2025. Adversarial robustness enhancement in deep learning-based breast cancer classification: a multi-faceted approach to poisoning and evasion attack mitigation. Alexandria Engineering Journal 115(1):65–82 DOI 10.1016/j.aej.2024.11.089.
Meng D, Chen H. 2017. MagNet: a two-pronged defense against adversarial examples. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, 135–147.
Moosavi-Dezfooli S-M, Fawzi A, Frossard P. 2016. DeepFool: a simple and accurate method to fool deep neural networks. In: Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition.
Ning L-B, Wang S, Fan W, Li Q, Xu X, Chen H, Huang F. 2024. CheatAgent: attacking LLM-empowered recommender systems via LLM agent. In: Proceedings of the 30th ACM SIGKDD Conference on Knowledge Discovery and Data Mining, 2284–2295.
Palmer G, Church P. 2024. The muah.AI data breach—extortion threats and cyber vulnerabilities. Linklaters. Available at https://www.linklaters.com/en/insights/blogs/digilinks/2024/october/the-muah-ai-data-breach—extortion-threats-and-cyber-vulnerabilities.
Pantelakis V, Bountakas P, Farao A, Xenakis C. 2023. Adversarial machine learning attacks on multiclass classification of IoT network traffic. In: Proceedings of the 18th International Conference on Availability, Reliability and Security, 1–8.
Papernot N, McDaniel P, Goodfellow I, Jha S, Celik ZB, Swami A. 2017. Practical black-box attacks against machine learning. In: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security. New York: ACM, 506–519.
Papernot N, McDaniel P, Wu X, Jha S, Swami A. 2016. Distillation as a defense to adversarial perturbations against deep neural networks. In: 2016 IEEE Symposium on Security and Privacy (SP). Piscataway: IEEE, 582–597.
Paudice A, Muñoz-González L, Gyorgy A, Lupu EC. 2018. Detection of adversarial training examples in poisoning attacks through anomaly detection. ArXiv DOI 10.48550/arXiv.1802.03041.
Pawlicki M, Choraś M, Kozik R. 2020. Defending network intrusion detection systems against adversarial evasion attacks. Future Generation Computer Systems 110(11):148–154 DOI 10.1016/j.future.2020.04.013.
Petihakis G, Farao A, Bountakas P, Sabazioti A, Polley J, Xenakis C. 2024. AIAS: AI-assisted cybersecurity platform to defend against adversarial AI attacks. In: Proceedings of the 19th International Conference on Availability, Reliability and Security, 1–7.
Za as e al. (2025), Pee J Compu . Sci., DOI 10.7717/pee j-cs.3330 35/37
PyTo ch Founda ion. 2025. o ch ision. A ailable a h ps://py o ch.o g/ ision/s able/index.h ml.
Rahman M, Roy P, F izell S, Qian L. 2025. E alua ing p e ained deep lea ning models o image
classifica ion agains indi idual and ensemble ad e sa ial a acks. IEEE Access 13:35230–35242
DOI 10.1109/ACCESS.2025.3544107.
Rosenbe g I, Shab ai A, Elo ici Y, Rokach L. 2019. De ense me hods agains ad e sa ial examples
o ecu en neu al ne wo ks. A Xi DOI 10.48550/a Xi .1901.09963.
Sa ka TR, Das N, Mai a PS, Some B, Saha R, Adhika y O, Bose B, Sen J. 2024. E alua ing
ad e sa ial obus ness: a compa ison o FGSM, Ca lini-Wagne a acks, and he ole o
dis illa ion as de ense mechanism. A Xi DOI 10.48550/a Xi .2404.04245.
Sen J, Dasgup a S. 2023. Ad e sa ial a acks on image classifica ion models: FGSM and pa ch
a acks and hei impac . A Xi DOI 10.48550/a Xi .2307.02055.
Shaheen MY. 2021. Applica ions o a ificial in elligence (AI) in heal hca e: a e iew. Be lin,
Ge many: ScienceOpen.
Sha ma S. 2025. Hacke allegedly pu s massi e OmniGPT b each da a o sale on he da k web.
CSO. A ailable a h ps://www.csoonline.com/a icle/3822911/hacke -allegedly-pu s-massi e-
omnigp -b each-da a- o -sale-on- he-da k-web.h ml.
Sha ma N, Kaushik P. 2025. In eg a ion o AI in heal hca e sys ems—a discussion o he
challenges and oppo uni ies o in eg a ing AI in heal hca e sys ems o disease de ec ion and
diagnosis. In: AI in Disease De ec ion: Ad ancemen s and Applica ions. Hoboken, New Je sey,
U.S.: Wiley, 239–263.
Shok i R, S ona i M, Song C, Shma iko V. 2017. Membe ship in e ence a acks agains machine
lea ning models. In: 2017 IEEE Symposium on Secu i y and P i acy (SP). Pisca away: IEEE, 3–18.
Suciu G, Fa ao A, Be na dine i G, Palamà I, Sachian M-A, Vulpe A, Vochin M-C, Mu esan P,
Bampa sikos M, Muñoz A, Xenakis C. 2022. SAMGRID: secu i y au ho iza ion and
moni o ing module based on SealedGRID pla o m. Senso s 22(17):6527
DOI 10.3390/s22176527.
Szegedy C. 2013. In iguing p ope ies o neu al ne wo ks. A Xi DOI 10.48550/a Xi .1312.6199.
Tahe i R, Ja idan R, Shoja a M, Poo anian Z, Mi i A, Con i M. 2020. On de ending agains
label flipping a acks on malwa e de ec ion sys ems. Neu al Compu ing and Applica ions
32(18):14781–14800 DOI 10.1007/s00521-020-04831-9.
The Linux Founda ion. 2025. PyTo ch. A ailable a h ps://py o ch.o g/.
T amè F, Zhang F, Juels A, Rei e MK, Ris enpa T. 2016. S ealing machine lea ning models ia
p edic ion {APIs}. In: 25 h USENIX Secu i y Symposium (USENIX Secu i y 16), 601–618.
Villegas-Ch W, Ja amillo-Alcáza A, Luján-Mo a S. 2024. E alua ing he obus ness o deep
lea ning models agains ad e sa ial a acks: an analysis wi h FGSM, PGD and CW. Big Da a and
Cogni i e Compu ing 8(1):8 DOI 10.3390/bdcc8010008.
Wang Y, Sun T, Li S, Yuan X, Ni W, Hossain E, Poo HV. 2023. Ad e sa ial a acks and de enses
in machine lea ning-empowe ed communica ion sys ems and ne wo ks: a con empo a y su ey.
IEEE Communica ions Su eys & Tu o ials 25:2245–2298 DOI 10.1109/COMST.2023.3319492.
Wu B, Wei S, Zhu M, Zheng M, Zhu Z, Zhang M, Chen H, Yuan D, Liu L, Liu Q. 2023. De enses
in ad e sa ial machine lea ning: a su ey. A Xi DOI 10.48550/a Xi .2312.08890.
Xiao H, Rasul K, Vollg a R. 2017. Fashion-MNIST: a no el image da ase o benchma king
machine lea ning algo i hms. A Xi DOI 10.48550/a Xi .1708.07747.
Xu W, E ans D, Qi Y. 2017. Fea u e squeezing: de ec ing ad e sa ial examples in deep neu al
ne wo ks. A Xi DOI 10.48550/a Xi .1704.01155.
Xu X, Kong K, Liu N, Cui L, Wang D, Zhang J, Kankanhalli M. 2023. An LLM can fool itself: a prompt-based adversarial attack. ArXiv DOI 10.48550/arXiv.2310.13345.
Zhang K, Cheng S, Shen G, Ribeiro B, An S, Chen P-Y, Zhang X, Li N. 2025. CENSOR: defense against gradient inversion via orthogonal subspace bayesian sampling. ArXiv DOI 10.48550/arXiv.2501.15718.