P-ASR: Proportional Attack Success Rate

• P-ASR is defined as the ratio of successful adversarial attacks weighted by factors like cost, perceptual distortion, or sample difficulty.
• It incorporates diverse methodologies such as steady-state Markov analysis, query efficiency measurements, and perceptual quality balancing across domains.
• P-ASR informs robustness assessments by quantifying nuanced trade-offs between attack success, resource expenditure, and defensive strategies.

Proportional Attack Success Rate (P-ASR) quantifies the effectiveness of adversarial attacks by measuring the ratio or probability of successful attacks, often contextualized to be proportional to certain aspects such as the severity of the attack, resource cost, or the degree to which specific constraints (e.g., imperceptibility, efficiency, transferability) are satisfied. While the explicit term “Proportional Attack Success Rate” is not universally standardized, it has emerged as a natural generalization of plain Attack Success Rate (ASR) in several research domains, including adversarial robustness for ASR models, computer vision, face recognition, multi-step cyber kill chains, red-teaming of LLMs, and black-box query attacks. The metric is intrinsically linked to more nuanced evaluations that go beyond the binary paradigm of “attack succeeded or failed,” incorporating proportionality factors such as attack cost, sample difficulty, perceptual distortion, or other domain-specific criteria.

1. Formal Definition and Variants of Attack Success Rate

In its standard form, Attack Success Rate (ASR) is defined as the fraction of attempted adversarial samples that achieve a specified adversarial objective. For targeted attacks, ASR is calculated as:

$\text{ASR} = \frac{\text{# successful attacks}}{\text{# total attacks}}$

For example, in targeted audio adversarial attacks on ASR systems, an attack is considered successful if the ASR model’s transcription exactly matches the attacker’s target phrase, giving a binary outcome per sample (Das et al., 2018). In more complex multi-step or multi-metric contexts (e.g., Markov processes over attacker-defender interactions), the notion is extended to the steady-state occupation probability of an attacker being in a “success” state (Outkin et al., 2021).

Proportional Attack Success Rate (P-ASR), as encountered in recent literature, denotes either of the following (context dependent):

• The fraction of attacks that are successful in a sense weighted (proportional) to a continuous or resource-coupled attribute (e.g., the difficulty of the attacked sample, the degree of deviation surpassing a threshold, area of applied perturbation, or normalized by computational cost).
• A steady-state probability or time-based occupancy proportion in Markov-based adversarial scenarios, such as the fraction of time an attacker spends in a high-risk “ready” state (Outkin et al., 2021).
• A trade-off metric combining success counts and proportional resource or perceptual budgets (e.g., the number of queries required for success or the perturbation magnitude (Jun et al., 2023)).

2. Methodological Approaches to Measuring P-ASR

Several methodologies embody P-ASR computation across domains:

Domain	P-ASR Definition	Representative Paper
Audio/ASR Attacks	Exact match ratio for targeted transcriptions per attack sample	(Das et al., 2018)
Cyber/Kill Chain Modeling	Steady-state prob. in "Ready" Markov state as long-term P-ASR	(Outkin et al., 2021)
Perceptual Attacks (Vision)	ASR jointly with weighted perceptual quality (e.g., SSIM, λ-tuning)	(Yang et al., 2021)
Black-Box/Query Efficiency	ASR normalized by mean query count per success	(Jun et al., 2023, Schoepf et al., 8 Mar 2025)
Physical Patch Attacks	ASR for a patch, proportional to area or region sensitivity	(Cheng et al., 2022, Chen et al., 4 Nov 2024)
LLM Red-Teaming	ASR adjusted by cost (queries), context type, or attack diversity	(Schoepf et al., 8 Mar 2025, Lin et al., 17 Jul 2025)

For instance, in industrial defender settings, P-ASR is operationalized as the occupation probability π_ready in a Markov chain modeling the attack chain, i.e.,

$\text{P-ASR} = \pi_{\text{ready}}$

where π_ready is the steady-state probability of an attacker having completed all but the final attack step given a defender resource allocation (Outkin et al., 2021).

In computer vision adversarial benchmarks, P-ASR often measures the number of successful attacks per query or per perturbation area, such as a 93% ASR achieved with just 1/9th of a vehicle’s rear area adversarial patch (Cheng et al., 2022). In perceptual attacks, P-ASR is conceptually high when high ASR is achieved with minimal, high-quality (low-distortion) changes (Yang et al., 2021).

3. Optimization and Trade-Offs: Proportionality in Adversarial Success

Several attack frameworks now include explicit mechanisms to maximize ASR while minimizing or proportionally balancing other resource or fidelity costs:

• In perceptual distortion reduction, the adversarial objective is

$$L_{\text{total}} = L_{\text{mis}} + \lambda \cdot L_{\text{PD}}$$

where L_mis is the misclassification loss and L_PD is a perceptual quality regularizer, with λ adaptively tuned per-sample to avoid over-perturbation (Yang et al., 2021). This ensures P-ASR is high across samples of varying difficulty without gratuitous distortion.

• In query-based black-box attacks, proportionality is achieved by maximizing successful attacks per query, e.g., DifAttack achieves 100% ASR in fewer queries than comparable methods, making its P-ASR (ASR per query) superior (Jun et al., 2023).
• Physical-world object attacks (LiDAR, MDE, person detection) similarly report ASR proportional to perturbation region or volume as a proxy for attack efficiency and stealth (Cheng et al., 2022, Chen et al., 4 Nov 2024, Li et al., 10 Jan 2025).

These trade-offs are further formalized in advanced LLM red-teaming and ambiguity-based attacks, where proportional metrics account for attack style diversity, the number of queries, and contextual dependencies (Schoepf et al., 8 Mar 2025, Lin et al., 17 Jul 2025).

4. Empirical Results and Experimental Implications

P-ASR-centric evaluations yield strong empirical trends:

• In ADAGIO’s audio adversarial experiments, the “targeted attack success rate” (i.e., attack yielding precisely the target output) drops from 92.45% to 0% with AMR/MP3 compression—indicating that even high-proportion attacks can be fundamentally disrupted by domain-knowledge defenses (Das et al., 2018).
• In physical attacks on monocular depth estimation, a patch covering only 1/9 of the vehicle’s rear yields a 93% ASR, highlighting non-linear proportionality between patch region and functional attack success (Cheng et al., 2022).
• LiDAttack for LiDAR detectors models stealth via fitness functions, adding terms such as

$\alpha \frac{1}{1+d_1} + \beta \frac{1}{1+d_2}$

to penalize perturbations distant from or spread over the target, effectively ensuring that high ASR is proportional to minimal and localized changes (Chen et al., 4 Nov 2024).

• In LLM red-teaming (e.g., MAD-MAX, Paper Summary Attack), P-ASR is inferred from high ASR per query, high attack diversity, and the propensity to exploit context-conditioned vulnerabilities, e.g., achieving 97-98% ASR with under 11 queries per goal on GPT-4o (Schoepf et al., 8 Mar 2025) and 97-98% ASR for academic-contextualized attacks on reasoning models (Lin et al., 17 Jul 2025).

5. Domain-Specific Variants and Defensive Perspectives

P-ASR admits domain-specific interpretations and defensive utility:

• In LLM safety evaluation, fast proxy metrics (embedding-space attacks, direct prompting) produce ASR values tightly correlated with true ensemble-based P-ASR (Spearman r_s = 0.94), offering cost-efficient robustness approximations (Beyer et al., 14 Feb 2025).
• For multi-stage cyberattacks, P-ASR quantifies residual attacker advantage; defender investments targeting steps with low detection (high π_ready) yield maximal reduction in proportional risk (Outkin et al., 2021).
• Context-sensitive jailbreaks (e.g., TopicAttack, AIR, VisCo, Paper Summary Attack) reveal attack success rates highly dependent on tailored context, transition, attention allocation, and trusted content. Correspondingly, P-ASR in these domains may reflect the proportion of successful attacks per context type, with proportional dependency on model attention or context relevance (Wu et al., 4 Oct 2024, Lin et al., 17 Jul 2025, Chen et al., 18 Jul 2025, Miao et al., 3 Jul 2025).

A plausible implication is that as models and defensive paradigms become more sophisticated, P-ASR will increasingly act as a critical comparative and diagnostic measure, capturing nuanced adversarial risk not visible in undifferentiated ASR statistics.

6. Implications for Robustness Assessment and Future Directions

P-ASR's evolution reflects the need for multidimensional, operationally relevant success metrics in adversarial research. The following insights are prominent:

• Evaluating robustness purely in terms of raw ASR underestimates the true security landscape, as attacks can exploit proportional vulnerabilities (cost, region, context, perceptual quality).
• Domain-adapted P-ASR metrics—such as per-query success rates, area/volume-proportionality, or context-weighted measurements—enable more actionable model diagnostics.
• Defensive strategies that minimize P-ASR (by targeting proportional weak links, structurally influential attack surfaces, or context-aware vectors) are likely to provide more meaningful risk mitigation than those tuned to raw ASR.
• The design of benchmarking frameworks (e.g., StructTransform Bench, paper-contextualized attacks, query-efficiency competitions) is evolving to explicitly report and optimize for P-ASR, encouraging both rigorous evaluation and transparent reporting standards.

The P-ASR framework is thus central to the comparative assessment of adversarial effectiveness and defense across modalities. Its adoption underscores a shift toward more granular, context-aware, and resource-sensitive security evaluation in contemporary machine learning systems.