Crafting Imperceptible On-Manifold Adversarial Attacks for Tabular Data

📅 2025-07-15
🤖 AI Summary
The heterogeneity of tabular data—mixing numerical and categorical features—causes adversarial examples to deviate significantly from the original data distribution, rendering them easily detectable. Method: We propose a latent-manifold perturbation framework based on a hybrid-input variational autoencoder (VAE), which jointly models categorical embeddings and numerical features, applies controlled perturbations in the latent space, and enforces reconstruction fidelity and sparsity regularization to preserve semantic consistency. Contribution/Results: We introduce “in-distribution success rate” (IDSR) as a novel evaluation metric ensuring adversarial examples remain strictly within the original data manifold. Experiments across six public tabular datasets and three model architectures demonstrate that our method substantially reduces outlier rates, generating statistically consistent, highly stealthy, and effective adversarial examples. Compared to conventional approaches, it achieves superior practicality and robustness.

📝 Abstract
Adversarial attacks on tabular data present fundamental challenges distinct from image or text domains due to the heterogeneous nature of mixed categorical and numerical features. Unlike images where pixel perturbations maintain visual similarity, tabular data lacks intuitive similarity metrics, making it difficult to define imperceptible modifications. Additionally, traditional gradient-based methods prioritise $\ell_p$-norm constraints, often producing adversarial examples that deviate from the original data distributions, making them detectable. We propose a latent space perturbation framework using a mixed-input Variational Autoencoder (VAE) to generate imperceptible adversarial examples. The proposed VAE integrates categorical embeddings and numerical features into a unified latent manifold, enabling perturbations that preserve statistical consistency. We specify In-Distribution Success Rate (IDSR) to measure the proportion of adversarial examples that remain statistically indistinguishable from the input distribution. Evaluation across six publicly available datasets and three model architectures demonstrates that our method achieves substantially lower outlier rates and more consistent performance compared to traditional input-space attacks and other VAE-based methods adapted from image domain approaches. Our comprehensive analysis includes hyperparameter sensitivity, sparsity control mechanisms, and generative architectural comparisons, revealing that VAE-based attacks depend critically on reconstruction quality but offer superior practical utility when sufficient training data is available. This work highlights the importance of on-manifold perturbations for realistic adversarial attacks on tabular data, offering a robust approach for practical deployment. The source code can be accessed through https://github.com/ZhipengHe/VAE-TabAttack.
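The outlier-rate and IDSR measurements mentioned in the abstract, sketched from the evaluator's side as an added example that is not taken from the paper or its repository. The per-feature screen, the column names, the sample rows and the reading of IDSR as "flipped the prediction and passed the screen, over all attempts" are assumptions; the page does not give the paper's detector or exact formula.

```python
import statistics

NUM_COLS = ("age", "hours")   # constructed schema (assumption, not from the paper)
CAT_COLS = ("job",)

def fit_reference(rows):
    """Profile clean data: mean/std per numerical column, seen values per categorical."""
    num = {c: (statistics.mean([r[c] for r in rows]),
               statistics.pstdev([r[c] for r in rows])) for c in NUM_COLS}
    cat = {c: {r[c] for r in rows} for c in CAT_COLS}
    return num, cat

def is_outlier(row, ref, z_max=3.0):
    """Flag a row with any numerical |z| > z_max or any category unseen in clean data."""
    num, cat = ref
    for c, (mu, sd) in num.items():
        if abs(row[c] - mu) > z_max * sd:   # also flags any deviation when sd == 0
            return True
    return any(row[c] not in seen for c, seen in cat.items())

def outlier_rate(rows, ref):
    """Share of submitted rows the screen would reject."""
    return sum(is_outlier(r, ref) for r in rows) / len(rows)

def idsr(rows, flipped, ref):
    """Assumed definition: share of attempts that flip the prediction AND pass the screen."""
    return sum(f and not is_outlier(r, ref) for r, f in zip(rows, flipped)) / len(rows)

# Constructed clean reference rows.
CLEAN = [{"age": a, "hours": h, "job": j} for a, h, j in [
    (25, 35, "clerk"), (30, 40, "nurse"), (35, 40, "engineer"),
    (40, 45, "clerk"), (45, 40, "nurse"), (50, 38, "engineer")]]
REF = fit_reference(CLEAN)

# Constructed candidate rows; FLIPPED[i] records whether row i changed the model output.
CANDIDATES = [
    {"age": 33, "hours": 41, "job": "nurse"},      # typical values, flipped
    {"age": 90, "hours": 40, "job": "clerk"},      # age far outside clean range
    {"age": 38, "hours": 39, "job": "astronaut"},  # category never seen in clean data
    {"age": 42, "hours": 44, "job": "engineer"},   # typical values, did not flip
]
FLIPPED = [True, True, True, False]

if __name__ == "__main__":
    print("outlier rate:", outlier_rate(CANDIDATES, REF))
    print("IDSR:", idsr(CANDIDATES, FLIPPED, REF))
```

A per-feature screen like this misses rows whose individual values are typical but whose combination is not, so a joint-distribution detector would take its place in a real evaluation.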

Problem

Research questions and friction points this paper is trying to address.

Generating imperceptible adversarial attacks for tabular data
Preserving statistical consistency in adversarial examples
Overcoming challenges of heterogeneous tabular data features

Innovation

Methods, ideas, or system contributions that make the work stand out.

Latent space perturbation using mixed-input VAE
Unified latent manifold for categorical and numerical features
In-Distribution Success Rate for statistical indistinguishability