**3. Proposed Method**

A2PM was developed with the objective of generating adversarial examples that fulfil both domain and class-specific constraints. It benefits from a modular architecture to assign an independent sequence of adaptative perturbation patterns to each class, which analyze specific feature subsets to create valid and coherent data perturbations. Even though it can be applied in a black-box setting, the most realistic examples are obtained in gray-box, with only knowledge of the feature set. To fully adjust it to a domain, A2PM only requires a simple base configuration for the creation of a pattern sequence. Afterwards, realistic examples can be generated from original data to perform adversarial training or to directly attack a classifier in an iterative process (Figure 1).

**Figure 1.** Adaptative perturbation pattern method (business process model and notation).

The generated examples can be untargeted, to cause any misclassification, or targeted, seeking to reach a specific class. New data perturbations could be generated indefinitely, but it would be computationally expensive. Hence, early stopping is employed to end the attack when the latest iterations could not cause any further misclassifications. Besides static scenarios where the full data is available, the proposed method is also suitable for scenarios where it is provided over time. After the pattern sequences are created for an initial batch of data, these can be incrementally adapted to the characteristics of subsequent batches. If novel classes are provided, the base configuration is used to autonomously create their respective patterns.

The performed feature analysis relies on two key concepts: value intervals and value combinations. The following subsections detail the perturbation patterns built upon these concepts, as well as the advantages of applying them in sequential order.

### *3.1. Interval Pattern*

To perturb uncorrelated numerical variables, the main aspect to be considered is the interval of values each one can assume. This is an intra-feature constraint that can be fulfilled by enforcing minimum and maximum values.

The interval pattern encapsulates a mechanism that records the valid intervals to create perturbations tailored to the characteristics of each feature (Figure 2). It has a configurable 'probability to be applied', in the (0, 1] interval, which is used to randomly determine if an individual feature will be perturbed or not. Additionally, it is also possible to specify only integer perturbations for specific features.

**Figure 2.** Interval pattern (business process model and notation).

Instead of a static interval, moving intervals can be utilized after the first batch to enable an incremental adaptation to new data, according to a configured momentum. For a given feature and a momentum *k* ∈ [0, 1], the updated minimum *mi* and maximum *Mi* of a batch *i* are mathematically defined as:

$$m\_i = m\_{i-1} \* k + \min(x\_i) \* (1 - k) \tag{1}$$

$$M\_i = M\_{i-1} \* k + \max(\mathbf{x}\_i) \* (1 - k) \tag{2}$$

where min(*xi*) and max(*xi*) are the actual minimum and maximum values of the samples *xi* of batch *i*.

Each perturbation is computed according to a randomly generated number and is affected by the current interval, which can be either static or moving. The random number *ε* ∈ (0, 1] acts as a ratio to scale the interval. To restrict its possible values, it is generated within the standard range of [0.1, 0.3], although other ranges can be configured. For a given feature, a perturbation *Pi* of a batch *i* can be represented as:

$$P\_i = (M\_i - m\_i) \* \varepsilon \tag{3}$$

After a perturbation is created, it is randomly added or subtracted to the original value. Exceptionally, if the original value is less or equal to the current minimum, it is always increased, and vice-versa. The resulting value is capped at the current interval to ensure it remains within the valid minimum and maximum values of that feature.
