
1.3 Adversarial Attack Types: Knowledge of Adversary

Adversarial attacks rely on the adversary's knowledge of the ML model under attack. The adversary may have anything from complete to zero knowledge of the target, and the design of a machine learning adversarial attack depends heavily on how much the adversary knows. The three settings below are the standard way of describing that knowledge.


Black Box Attack

A black box attack is an adversarial attack in which the adversary has no knowledge of the internals of the victim model (Bai et al., 2023; Yu & Sun, 2022; Sun et al., 2022): no access to its architecture, parameters, gradients or training data, only the ability to submit inputs and observe outputs (predicted labels or confidence scores). The targeted system is a black box to the adversary, which is the most realistic scenario because an attacker rarely knows the internals of a deployed system. Because the adversary cannot compute gradients on the victim, black box attacks either query the model as an oracle and estimate the gradient from changes in its output, or craft adversarial inputs on a surrogate model and rely on them transferring to the victim. Threat models and attack vectors in this setting are usually untargeted, with the adversary's intention being to reduce the overall accuracy of the targeted model. Targeted attacks, which push an input toward a class of the adversary's choosing, are harder under the black box model because they need many more queries or a surrogate that transfers well, but they are not ruled out.

Gray Box Attack

When an adversary has partial knowledge of the target system, the attack is called a gray box attack. The adversary may know, for example, the dataset or its distribution, the model architecture, or some of the training settings of the machine learning system under attack, without having the trained parameters themselves (Wang et al., 2021; Aafaq et al., 2022; Lapid & Sipper, 2023). This scenario is typical of systems built from open-source models or public datasets, and of systems with weak security measures around their configuration; the partial knowledge is commonly used to train a surrogate model on which adversarial inputs are crafted.

White Box Attack

A white box attack is an adversarial attack in which the adversary has complete knowledge of the targeted system (Patterson et al., 2022; Agnihotri et al., 2023; Wu et al., 2023): its architecture, its trained parameters and, where relevant, its training data and training procedure. This is the ideal scenario for the attacker, and threat models for it assume the adversary holds the full configuration of the target, which allows adversarial inputs to be computed directly from the model's gradients. White box attacks are primarily designed to achieve a specific target, and they apply to both poisoning attacks and evasion attacks.
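The following Python example is added here to contrast the white box and black box settings described above; it is not code from the original review or from this book. It uses a constructed three-class linear (softmax) classifier whose weights W and B are made up for illustration. The white box attacker reads the weights and takes a single gradient-sign step directly. The black box attacker sees only class probabilities through a query oracle and estimates the gradient by finite differences, paying two queries per input dimension. Both are run as targeted attacks (pushing an input classified as class 0 toward class 2), which also shows that a targeted black box attack is possible, only more expensive in queries than the white box step.

```python
import math

# Constructed toy model: a 3-class linear classifier over 4 features.
# The weights are made up for illustration. A white box attacker reads
# them directly; a black box attacker only reaches them through Oracle.
W = [
    [1.0, -0.5, 0.2, 0.0],   # class 0
    [-0.8, 1.0, 0.1, 0.3],   # class 1
    [0.1, 0.2, -1.0, 0.9],   # class 2
]
B = [0.0, -0.1, 0.1]


def logits(x):
    return [sum(w * xi for w, xi in zip(row, x)) + b for row, b in zip(W, B)]


def softmax(z):
    m = max(z)
    e = [math.exp(v - m) for v in z]
    s = sum(e)
    return [v / s for v in e]


def predict(p):
    return max(range(len(p)), key=p.__getitem__)


def sign(v):
    return 1 if v > 0 else -1 if v < 0 else 0


class Oracle:
    """Black box view of the model: input -> class probabilities only.
    Counts queries so the cost of the attack is visible."""

    def __init__(self):
        self.queries = 0

    def probs(self, x):
        self.queries += 1
        return softmax(logits(x))


def white_box_attack(x, target, eps):
    # Full knowledge: the gradient of (logit_target - logit_source) with
    # respect to x is simply W[target] - W[source], so one FGSM-style
    # step on its sign moves x toward the target class.
    src = predict(softmax(logits(x)))
    grad = [W[target][i] - W[src][i] for i in range(len(x))]
    return [xi + eps * sign(g) for xi, g in zip(x, grad)]


def black_box_attack(oracle, x, target, eps, h=1e-3):
    # Zero knowledge: estimate d p[target] / d x by central finite
    # differences using only the oracle, two queries per dimension,
    # then take the same sign step as the white box attacker.
    grad = []
    for i in range(len(x)):
        xp = list(x)
        xm = list(x)
        xp[i] += h
        xm[i] -= h
        grad.append((oracle.probs(xp)[target] - oracle.probs(xm)[target]) / (2 * h))
    return [xi + eps * sign(g) for xi, g in zip(x, grad)]


def run_demo(x=(1.0, 0.0, 0.0, 0.0), target=2, eps=0.5):
    # Constructed input: the clean model classifies x as class 0.
    x = list(x)
    src = predict(softmax(logits(x)))
    adv_white = white_box_attack(x, target, eps)
    oracle = Oracle()
    adv_black = black_box_attack(oracle, x, target, eps)
    # The black box attacker spends one more query to confirm the result.
    black_class = predict(oracle.probs(adv_black))
    return {
        "source_class": src,
        "white_box_class": predict(softmax(logits(adv_white))),
        "black_box_class": black_class,
        "black_box_queries": oracle.queries,  # 2 per dimension + 1 confirmation
    }


if __name__ == "__main__":
    print(run_demo())
```

With the constructed weights both attackers land on class 2, but the black box attacker needs nine oracle queries for a four-dimensional input; on a real model with thousands of input dimensions this per-dimension cost is why practical black box attacks use random-direction gradient estimators or surrogate models rather than full finite differences.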


“Machine learning security and privacy: a review of threats and countermeasures” by Anum Paracha, Junaid Arshad, Mohamed Ben Farah & Khalid Ismail is licensed under a Creative Commons Attribution 4.0 International license.

License


Winning the Battle for Secure ML Copyright © 2025 by Bestan Maaroof is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License, except where otherwise noted.