Skip to main content
TopAIThreats home TOP AI THREATS
AI Capability

Adversarial Training

A machine learning defense technique in which a model is trained on adversarial examples — inputs specifically crafted to cause misclassification or incorrect outputs — alongside normal training data, with the goal of improving the model's robustness against adversarial attacks at inference time.

Security & Cyber

Definition

Adversarial training is a defense strategy where a model is deliberately exposed to adversarial examples during the training process. The model learns to correctly classify both clean inputs and adversarially perturbed inputs, becoming more robust to attacks encountered during deployment. The technique was formalised by Ian Goodfellow and colleagues in 2015 and remains one of the most widely studied defenses against adversarial attacks. Adversarial training can be applied to image classifiers, natural language models, malware detectors, and other AI systems. However, it typically incurs a trade-off: improved robustness against adversarial inputs often comes at the cost of reduced accuracy on clean, unperturbed data.

How It Relates to AI Threats

Within the Security and Cyber Threats domain, adversarial training is the primary proactive defense against adversarial evasion attacks. AI-powered security systems — malware classifiers, content moderators, fraud detectors — are vulnerable to adversarial perturbations that cause them to misclassify malicious inputs as benign. Adversarial training hardens these models against known attack strategies. However, it does not guarantee robustness against novel or adaptive adversaries. For LLMs, adversarial training principles inform red-teaming practices and RLHF-based safety training, where models are exposed to adversarial prompts during alignment.

Why It Occurs

  • Machine learning models learn decision boundaries that can be exploited by small, targeted input perturbations
  • Standard training on clean data alone produces models that are brittle to distributional shifts and adversarial manipulation
  • The arms race between adversarial attack techniques and defenses drives continuous research into more effective training methods
  • Regulatory requirements (EU AI Act, NIST AI RMF) increasingly mandate robustness testing, creating demand for adversarial training
  • The cost of adversarial training (computational overhead, accuracy trade-offs) limits its adoption despite its effectiveness

Real-World Context

Adversarial training is widely deployed in commercial AI security products, including email spam filters, malware classifiers, and content moderation systems. Research by Madry et al. (2018) established projected gradient descent (PGD) adversarial training as a standard benchmark. Major AI labs use adversarial training principles during red-teaming and safety evaluation. Despite its adoption, no adversarial training method has achieved certified robustness against all possible adversarial strategies, making it one component of a defense-in-depth approach.

Related Threat Patterns

Adversarial Evasion Security & Cyber Data Poisoning Security & Cyber

Related Terms

Adversarial Attack Adversarial Perturbation Robustness Red Teaming
← Back to Glossary → Taxonomy → All Domains

Last updated: 2026-04-03