Visual Adversarial Examples

The vision encoder maps images to embedding vectors. Adversarial perturbations — imperceptible pixel-level modifications — shift the embedding to an attacker-chosen region of the embedding space. Unlike typographic injection (T9-AT-001) which embeds human-readable text, adversarial examples operate in the model's internal representation space: the perturbed image looks identical to humans but produces a completely different embedding that the language decoder interprets as containing specific instructions.

• Adversarial perturbation detection: Statistical analysis of pixel distributions to detect non-natural noise patterns
• Image preprocessing defenses: JPEG compression, spatial smoothing, random resizing before processing to destroy adversarial perturbations
• Ensemble evaluation: Process the image through multiple vision encoders and flag divergent interpretations
• Input gradient analysis: High gradient norms on input pixels indicate adversarial perturbation

Visual adversarial examples chain into T9-AT-001 (Image Injection) when perturbations augment typographic injection for higher ASR. Chain into T9-AT-017 (Malicious Image Patches) as the core technique for physical-world patch attacks.