Adversarial Illusions in Machine Learning

Updated 2 December 2025

Adversarial illusions are structured perturbations that systematically induce model errors by leveraging non-robust yet predictively useful features ignored by human perception.
They rely on gradient-based and multi-modal optimization methods to generate cross-domain misalignments, demonstrating vulnerability in both digital and physical systems.
Insights from adversarial illusions advance robust model evaluation and security, raising fundamental questions about inference and the trustworthiness of machine-discovered features.

Adversarial illusions are specialized, structured phenomena at the intersection of adversarial machine learning and perceptual science, characterized by the reliable induction of model errors or misalignments through subtle, systematized perturbations. Unlike ordinary adversarial examples, which are sometimes reducible to overfitting or noise, adversarial illusions denote instances where models systematically “perceive” non-robust, yet predictively useful features inaccessible or disregarded by human cognition. The paper of adversarial illusions spans not just digital neural architectures and their artifacts, but also cognitive models, multi-modal embeddings, and physical-world attacks, raising foundational questions about scientific inference, robustness, and the nature of representation.

1. Formal Definitions and Core Phenomena

Adversarial illusions, as articulated by Buckner (Buckner, 2020), are instances where a model confidently relies on non-robust, structured features that are

predictively useful over natural data,
elusive to human perceptual introspection, and
transferable across model architectures and datasets.

The canonical adversarial example for classifier $f: \mathbb{R}^d \rightarrow \{1, ..., K\}$ and input $x$ involves a perturbation $\delta$ with $\|\delta\|_p \leq \epsilon$ such that $f(x + \delta) \neq f(x)$ . Buckner distinguishes adversarial illusions from:

Ordinary errors (random or noisy misclassifications arising from underrepresentation or overfitting);
Artifacts (spurious, architecture-dependent features without ontological standing, e.g., lens flares or checkerboard artifacts).

In multi-modal contexts, adversarial illusions are cross-modal perturbations, e.g., an image or audio input $x + \delta$ whose embedding in a joint space is aligned with an arbitrary, attacker-chosen target $y^*$ in another modality, while remaining perceptually close to $x$ (Zhang et al., 2023). In generative 3D systems, a density-guided illusion is a set of additional Gaussians inserted at low-density loci to introduce viewpoint-specific objects invisible from other perspectives, formalized as optimizing a bi-term loss over poisoned and stealth views (Ke et al., 2 Oct 2025).

In cognitive models, adversarial illusions can be “perceptual puzzles” constructed by optimizing images to maximally mislead a Bayesian inference process, with the posterior over latent variables pulled far from ground truth via differentiable probabilistic programming (Chandra et al., 2022).

2. Intrinsic Features, Artifacts, and the Structure of Illusions

A central distinction is made between features genuinely present in data geometry—"intrinsic features," potentially non-robust yet statistically reliable—and “artifacts,” which result from the peculiarities of the model architecture, loss landscape, or input statistics (Buckner, 2020).

Intrinsic non-robust features: Patterns that exist in the data distribution but are non-salient for humans (e.g., high-frequency textures).
Artifacts: Predictively useful only due to model-architecture interaction (checkerboard patterns in deconvolution, lens flare analogies).
Empirical methodology: Decompose features into robust $\Phi_r$ and non-robust $\Phi_{nr}$ parts by controlled augmentation/suppression during training [Ilyas et al. 2019 cited in (Buckner, 2020)], and measure cross-validation accuracy and adversarial attack success rates to distinguish the classes.

In multi-modal embeddings, the illusion leverages the fact that only embedding-space proximity is used downstream, so any downstream classifier or generator consuming $x + \delta$ is systematically misled if $\theta^{(m)}(x+\delta) \approx \theta^{(\bar m)}(y^*)$ (Zhang et al., 2023).

3. Methodologies for Inducing and Characterizing Illusions

The operational workflow for generating adversarial illusions involves optimization procedures subject to small-norm or plausibility constraints:

Image classification: Projected gradient descent (PGD) under $\|\delta\|_\infty$ or $\|\delta\|_2$ balls, maximizing misclassification loss (Buckner, 2020).
Multi-modal alignment: Minimization of $1 - \cos(\theta^{(m)}(x+\delta), \theta^{(\bar m)}(y^*))$ via PGD, transfer-ensemble surrogates, or black-box cosine-similarity queries; perturbations constrained by $\ell_\infty$ on images or audio (Zhang et al., 2023).
Probabilistic perceptual models: Gradient-based search over image pixels to maximize the discrepancy between inferred and true scene parameters by backpropagating through differentiable MCMC (Chandra et al., 2022).
Physical field: Perception attacks use camera-optics transformations and sensor-in-the-loop optimization (e.g., EvilEye), fitting an explicit, differentiable transfer function $T$ from display to capture, and crafting additive perturbations via gradient descent in the digital domain mapped through $T$ (Han et al., 2023).
3D Generative Models: Poisoning via density-guided Gaussian injection proceeds by kernel density estimation (KDE) to locate low-density “blindspots,” into which illusory objects are backprojected from the adversarial viewpoint, while maintaining innocuous reconstructions from other views (Ke et al., 2 Oct 2025).
LLMs: Gradient-based prompt engineering, including entropy- and semantic-similarity constrained optimization, to trigger specific hallucinations or factual errors (Yao et al., 2023, Wang et al., 1 Apr 2025).

4. Transferability, Robustness, and the Role of Adaptive Defenses

Adversarial illusions manifest highly systematized transfer both within and across architectures:

Transfer across tasks and models: Edge-based adversarial illusions created on HED detectors degrade performance in downstream classifiers and segmenters (e.g., ImageNet models dropping in Top-1 accuracy by 30–60 points) (Cosgrove et al., 2019).
Cross-embedding transfer: Multi-modal adversarial illusions created on one embedding model (e.g., ImageBind) transfer with high attack success rates (ASR) to other embeddings, including commercial, proprietary systems (Zhang et al., 2023).
Model-agnostic illusions: Physical attacks (EvilEye) persist across lighting conditions and recognition backbones; dynamic, sensor-level attacks outperform object or patch-level approaches (Han et al., 2023).

Robustness notions are nuanced:

Multi-task learning and the illusion of robustness: Empirical studies reveal that simply adding more tasks—or tuning weights for apparent robustness—may induce an "adversarial illusion" in the evaluation protocol: nonadaptive attacks yield spurious apparent gains that are erased by stronger, adaptive attacks (Ghamizi et al., 2021).
Certified robustness vs. invariance conflict: For embedding-based systems, bounds that enforce small $\|\delta\|$ give no guarantee that semantically distinct examples cannot be mapped arbitrarily close, making certification intractable (Zhang et al., 2023).

Defenses include both heuristic (JPEG, bitdepth reduction), generative (VAE-/diffusion-based consensus restoration), and semantic reconstructive strategies. Consensus-based generative mitigation, via VAE sampling + majority voting, reduces attack success rates from 62% to near zero without harming clean accuracy (Akbarian et al., 26 Nov 2025), but remains subject to adaptive attacks differentiating through the generative model.

5. Philosophical and Epistemological Implications

Adversarial illusions force a reexamination of inductive inference in machine learning and human cognition, with direct philosophical connections to Goodman’s “new riddle of induction.” The key epistemological dilemma is whether to

accept machine-discovered, human-inscrutable features as “real” and predictive for science, or
require scientific predicates to be human-comprehensible (Buckner, 2020).

Machine learning models may exploit projectible—but non-robust and alien—features to outperform classical predicates in domains such as protein folding or exoplanet detection. The distinction between artifact and intrinsic feature is nontrivial and may demand causal-interventionist criteria: a non-robust feature should count as genuine only if controlled interventions yield reproducible changes in the world, not merely in model outputs.

The illusion–illusion paradigm further highlights the overextension of models from pattern-matched statistical templates, causing them to see illusions where none exist (i.e., reporting illusions on perfectly veridical “near-illusion” stimuli) (Ullman, 7 Dec 2024). This exposes a vulnerability rooted in over-generalization, distinct from adversarial feature exploitation.

6. Applications, Benchmarks, and Extensions

Adversarial illusions are relevant in security-sensitive settings, scientific inference, and model assessment.

Security and autonomy: Physical sensor-level attacks (EvilEye, sensor-induced control illusions) compromise robotics, self-driving cars, and surveillance by modifying perceived reality without altering the environment (Han et al., 2023, Medici et al., 25 Apr 2025).
Perceptual benchmarks: Automated synthesis of perceptual illusions via GANs or differentiable Bayesian programs enables high-throughput psychophysical experiments to map the boundaries of human and model vulnerabilities (Gomez-Villa et al., 2019, Chandra et al., 2022).
Model evaluation: Consensus-based generative restoration, chain-of-thought reconstructive “disillusion” paradigms, and semantic anomaly checks provide new tools for benchmarking and mitigating adversarial illusions (Chang et al., 31 Jan 2025, Akbarian et al., 26 Nov 2025).
Multi-modal safety: In LLMs, prompt-based illusionist attacks bypass current fact-enhancing strategies, establishing the need for more robust, semantics-aware defenses (Wang et al., 1 Apr 2025, Yao et al., 2023).
Robotics and optimal control: Manipulation of sensory readings via optimal adversarial control theory demonstrates the theoretical possibility of inducing persistent navigation illusions with rigorous guarantees (Medici et al., 25 Apr 2025).

7. Open Problems and Research Directions

Several open questions structure the ongoing investigation of adversarial illusions:

Defining and certifying artifact status: Developing operational, perhaps interventionist, definitions that distinguish learnable artifacts from exploitable statistical signals.
Universal, task-agnostic illusion robustness: Achieving robustness against adversarial illusions across different modalities and downstream tasks, as naive adversarial training degrades fine-grained class performance (Zhang et al., 2023).
Theory and practice of semantic restoration: Formalizing semantic loss functions and employing structured generative or reconstructive defenses to counter both pixel-level and higher-order adversarial illusions (Akbarian et al., 26 Nov 2025, Chang et al., 31 Jan 2025).
Integration into model assessment: Embedding adversarial and illusion–illusion controls into benchmarking pipelines, especially for vision–LLMs prone to over-predicting the presence of illusions (Ullman, 7 Dec 2024).
Extension to new modalities: Systematic exploration of adversarial illusions in audio, robotics, signal processing, and beyond, including cross-modal, cross-sensor, and temporal illusions.
Causal and structural analogues: Incorporation of causal Bayesian networks and structural causal models with deep-learned representations to ground the reality of non-robust features (Buckner, 2020).

A comprehensive theory of adversarial illusions, distinguishing artifacts from intrinsic, potentially projectible features, will require commitments from machine learning, cognitive science, and epistemology. This effort aims to guide the principled trust or exclusion of inscrutable model inferences in both scientific and practical domains.