22.2.1 Theoretical background review

Before you write a single line of code to implement the Fast Gradient Sign Method (FGSM), you must internalize its underlying logic. FGSM is not merely a historical artifact; it’s the conceptual gateway to understanding a vast class of adversarial attacks. It weaponizes the very mechanism a model uses to learn: the gradient.

The Gradient: A Map to Failure

In standard model training, the gradient of the loss function with respect to the model’s weights (∇θJ) tells you how to adjust those weights to reduce the loss. You descend the gradient to find a minimum.

An attacker inverts this thinking. Instead of the weights, you focus on the input data (x). The gradient of the loss function with respect to the input (∇xJ) points in the direction that will most rapidly increase the loss. Following this gradient pushes the input towards a region in the high-dimensional space where the model is most confused, ultimately causing a misclassification.

This is the essence of a white-box attack: using the model’s internal state—its gradients—to craft a malicious input. You are using the model’s own learning map to lead it astray.

Deconstructing the FGSM Formula

The entire attack is elegantly captured in a single expression. Understanding each component is critical to implementing and adapting it.

• x' (x-prime): This is the goal—the final adversarial example. It is the original input plus a carefully crafted, near-imperceptible perturbation.
• x: The original, benign input (e.g., a correctly classified image of a cat).
• ε (epsilon): The perturbation magnitude. This hyperparameter is your primary control. A small ε results in a subtle, stealthy attack that is less likely to succeed. A large ε creates a more potent but also more visually obvious perturbation. As a red teamer, tuning ε is key to finding the boundary of a model’s robustness.
• sign(): The sign function. This is what makes the attack “fast.” Instead of using the full, nuanced gradient vector, you only care about its direction. For each element in the gradient vector, the sign function returns -1 if it’s negative, +1 if it’s positive, and 0 if it’s zero. This simplifies the calculation and applies a uniform nudge to every input feature (pixel).
• ∇x J(θ, x, y): The core of the attack. It represents the gradient of the loss function J (calculated with model parameters θ, input x, and true label y) with respect to the input x. This vector provides the “map to failure” we discussed earlier.

Visualizing the Attack

Imagine the model’s loss as a landscape. Your original input, x, sits in a valley of low loss. The FGSM attack gives it a single, calculated push in the steepest uphill direction to cross a ridge into a different valley, where it gets misclassified.

Why It Works: Exploiting High-Dimensional Linearity

A surprising property of many neural networks is their locally linear behavior. While the overall model is highly non-linear, in the immediate vicinity of a data point, its response can be approximated by a linear function. FGSM exploits this.

In a high-dimensional space (like the pixel space of an image), adding a tiny, coordinated perturbation ε to thousands of features has a significant cumulative effect. Each pixel’s change is insignificant on its own, but their collective, directed push along the gradient is enough to shove the data point over the decision boundary. The sign() function ensures that every pixel contributes equally to this push, maximizing the effect for a given L∞-norm budget (which is defined by ε).

Summary for the Red Teamer

FGSM is your baseline white-box probe. Its speed and simplicity make it an excellent first step in assessing a model’s adversarial robustness. If a model falls to FGSM, it is critically vulnerable. If it resists, you move on to more powerful, iterative methods. Understanding this theory is the foundation for the practical implementation that follows.