Let's say we are performing an image classification; in general, we train the model by computing the loss and trying to minimize the loss by calculating gradients of our loss with respect to our model parameters, such as weights, and updating our model parameter. To get the adversarial sample of our image, we calculate the gradients of our loss with respect to the input pixels of our image, instead of the model parameter. So, the adversarial sample of an image is basically the gradient of loss with respect to the image. We take only one gradient step and so it is computationally effective. After calculating the gradients, we take the sign of it.

An adversarial image can be calculated as follows:

In the previous equation, the following applies:

• is the adversarial image
• is the input image
• is the gradient of loss with respect to our input image

As you can see in the following diagram, we have an input image x, and we get the adversarial image by just adding the sign of gradient of our loss with respect to our image, to the actual image: