Perceptron
You cannot meaningfully attack a system you do not understand at the component level. The perceptron is the primitive unit of every neural network. It serves as the foundation for everything from spam filters to large language models. It is a tiny decision engine and its limitations are not historical curiosities, they are the structural constraints that shaped every architecture that followed.
What a perceptron actually does
A perceptron takes a set of numerical inputs, multiplies each one by a weight, sums the results, adds a bias term, and passes the total through an activation function.The output represents a decision such as a binary choice between one and zero or the command to fire instead of remaining still.
The components, in order:
- Inputs (x1, x2, …, xn): numerical features. Each one represents something measurable about the data.
- Weights (w1, w2, …, wn): each input gets a weight that determines how much influence it has on the output. A large positive weight amplifies that input’s vote. A negative weight suppresses it.
- Summation: the weighted inputs are combined:
sum = (w1 * x1) + (w2 * x2) + ... + (wn * xn). - Bias (b): a constant added to the sum. It shifts the decision threshold, allowing the perceptron to activate even when all inputs are zero.
- Activation function (f): introduces a threshold. The simplest version follows a step function logic by producing a one for any total above zero and a zero for everything else.
The entire operation collapses to one line of logic:
output = 1 if (sum(w[i] * x[i]) + bias) > 0 else 0
That is the whole machine. Every layer of every deep network is a variation on this theme, scaled up and stacked.
A concrete example
Abstraction is easier to follow with numbers. Consider a perceptron that decides whether to play tennis based on four weather features, each encoded as integers:
| Feature | Encoding |
|---|---|
| Outlook | Sunny = 0, Overcast = 1, Rainy = 2 |
| Temperature | Hot = 0, Mild = 1, Cool = 2 |
| Humidity | High = 0, Normal = 1 |
| Wind | Weak = 0, Strong = 1 |
The weights and bias are predefined:
w1 (Outlook) = 0.3
w2 (Temperature) = 0.2
w3 (Humidity) = -0.4
w4 (Wind) = -0.2
bias = 0.1
Notice what the weights encode. Humidity and wind carry negative weights, meaning high humidity and strong wind push the output toward “don’t play.” The bias of 0.1 gives a slight default lean toward playing. These are not arbitrary numbers. In a trained model, they would be the product of an optimisation algorithm adjusting them over hundreds or thousands of examples.
Now feed in a specific day: Sunny (0), Mild (1), High humidity (0), Weak wind (0).
weighted_sum = (0.3 * 0) + (0.2 * 1) + (-0.4 * 0) + (-0.2 * 0)
# weighted_sum = 0.2
total = weighted_sum + 0.1
# total = 0.3
output = 1 if 0.3 > 0 else 0
# output = 1 -> Play tennis
The perceptron says play. Change the humidity to High (encoded differently, or adjust the encoding so High = 1), and that -0.4 weight starts dragging the sum below zero. The decision flips. This is how weights create a decision boundary: a line in feature space that separates “play” from “don’t play.”
In full Python:
def step_activation(x):
return 1 if x > 0 else 0
# Inputs
outlook, temperature, humidity, wind = 0, 1, 0, 0
# Weights and bias
weights = [0.3, 0.2, -0.4, -0.2]
inputs = [outlook, temperature, humidity, wind]
bias = 0.1
# Forward pass
weighted_sum = sum(w * x for w, x in zip(weights, inputs))
output = step_activation(weighted_sum + bias)
print(f"Decision: {'Play' if output == 1 else 'Stay home'}")
This is a forward pass. Data enters, flows through one computation, and a decision exits the other end. Every inference call to every neural network follows this pattern, repeated across millions of parameters instead of four.
Where it breaks
A single perceptron can only learn problems where the two classes can be separated by a straight line (or, in higher dimensions, a hyperplane). This constraint is called linear separability, and it is the reason a single perceptron cannot solve the XOR problem.
XOR returns 1 when exactly one of two inputs is true:
| Input A | Input B | XOR Output |
|---|---|---|
| 0 | 0 | 0 |
| 0 | 1 | 1 |
| 1 | 0 | 1 |
| 1 | 1 | 0 |
Plot these on a 2D grid. The 1s sit on opposite corners. No single straight line can separate them from the 0s. A perceptron, limited to drawing one line, fails completely.
This limitation was identified in 1969 by Marvin Minsky and Seymour Papert in their book Perceptrons. The publication nearly killed neural network research for a decade. The result was the first AI winter and a period of time when the industry largely abandoned neural approaches as a dead end.
The fix, when it arrived, was simple in concept. Stack multiple perceptrons into layers. A hidden layer between input and output can learn intermediate representations that are linearly separable even when the raw inputs are not. Two perceptrons can each draw a line. A third can combine those lines into a non-linear decision boundary. This is the multi-layer perceptron (MLP), and it is the architectural template for every deep network that followed.
Why this matters for red teaming
Understanding the perceptron is not an academic exercise for this series. Three properties of single perceptrons translate directly into attack surfaces at scale:
Weights encode priorities. In a trained model, weights reflect what the training data rewarded. If the training data contained biases, those biases are baked into the weights. Adversarial attacks exploit this: craft inputs that manipulate the weighted sum just enough to flip the decision across the boundary. The attacker does not need to understand the full model. They need to understand how small input perturbations shift the sum.
The decision boundary is a geometric surface. Every classifier, no matter how complex, partitions its input space with decision boundaries. Adversarial examples work by finding inputs that sit near those boundaries and nudging them across. A perceptron makes this geometry visible. A deep network hides it behind layers of abstraction, but the principle is identical.
Activation functions gate information flow. The choice of activation function determines what signals pass through a neuron and what gets suppressed. In modern networks, ReLU, sigmoid, and softmax each create different failure modes. Understanding the step function in a perceptron gives you the mental model for reasoning about how activation choices affect model behaviour under adversarial conditions.