Transferability is a critical phenomenon in adversarial machine learning where an attack crafted against a surrogate model generalizes to a distinct target model. This occurs because different models, despite having unique architectures or training data, often learn similar decision boundaries and feature representations. The adversarial perturbation exploits these shared, high-dimensional linear vulnerabilities, making it an effective strategy for executing black-box attacks where the target's internals are unknown.
Glossary
Transferability

What is Transferability?
Transferability is the property by which an adversarial example generated to fool one machine learning model also causes misclassification in a different, independently trained model, even if the attacker had no access to the second model.
The degree of transferability is influenced by the architectural similarity between the source and target models, the attack algorithm used, and the dataset. Iterative attacks like Projected Gradient Descent (PGD) often exhibit lower transferability due to overfitting to the surrogate, while single-step methods like Fast Gradient Sign Method (FGSM) can transfer more effectively. Mitigating this property is a primary goal of adversarial training and robustness certification.
Key Factors Influencing Transferability
The degree to which an adversarial example transfers between models is not arbitrary. It is governed by specific architectural, data, and optimization factors that dictate the overlap in their learned decision boundaries.
Model Architecture Similarity
Adversarial examples transfer most effectively between models with homogeneous architectures. A perturbation crafted for a ResNet-50 will transfer to another ResNet-50 with high success, but its effectiveness degrades against a Vision Transformer (ViT) or a DenseNet. This occurs because similar architectures induce similar loss surface geometries, causing the adversarial subspace to align. The phenomenon is rooted in the shared inductive biases of the architectural family.
- High Transfer: ResNet-50 → ResNet-101
- Low Transfer: CNN → Vision Transformer (ViT)
- Mechanism: Shared gradient directions in the loss landscape
Training Data Overlap
Models trained on disjoint or non-overlapping datasets exhibit significantly reduced transferability. If the source and target models are trained on the same dataset (e.g., ImageNet-1k), the adversarial subspace is heavily shared. However, if the target model is fine-tuned on a specialized domain-specific corpus, the feature representations diverge, and the adversarial perturbation becomes a noisy artifact rather than a targeted exploit. Data distribution alignment is a primary predictor of transfer success.
Attack Optimization Strength
The intensity and iteration count of the attack algorithm directly modulates transferability. Weak, single-step attacks like Fast Gradient Sign Method (FGSM) often underfit to the source model's specific loss landscape, limiting transfer. In contrast, highly optimized iterative attacks like Projected Gradient Descent (PGD) or Carlini & Wagner (C&W) with many restarts find more generalized adversarial directions that align with the true underlying data manifold, dramatically boosting cross-model efficacy.
Input Transformation Resilience
Applying input diversity techniques during the attack generation phase significantly enhances transferability. By randomly resizing, padding, or adding noise to the input before each gradient calculation, the attacker prevents the perturbation from overfitting to the source model's specific grid patterns. This forces the attack to exploit scale-invariant and translation-invariant features that are more likely to be shared across different target models, effectively creating a universal adversarial pattern.
Ensemble-Based Attack Strategies
Generating adversarial examples against an ensemble of diverse source models is a highly effective method for maximizing transferability. If a perturbation can simultaneously fool a ResNet, a VGG, and an Inception network, it is statistically likely to reside in a universal adversarial subspace rather than a model-specific crevice. This technique leverages the intersection of decision boundaries, leaving the target model with no safe gradient direction to escape the misclassification.
Defensive Mechanism Impact
The presence of robustness defenses in the target model directly impedes transferability. Techniques like adversarial training flatten the loss landscape, removing the sharp gradient directions that standard attacks exploit. Similarly, randomized smoothing creates a stochastic prediction barrier. A perturbation that transfers perfectly to a standard undefended model will often fail against a robust model, as the robust model's decision boundary is fundamentally shifted away from the typical adversarial subspace.
Frequently Asked Questions
Core questions about the cross-model generalization of adversarial examples and the security implications of transfer-based attacks.
Adversarial transferability is the property by which an adversarial example generated to fool one specific model (the surrogate) also causes misclassification in a different, independently trained model (the target). This phenomenon occurs because distinct models often learn similar decision boundaries and feature representations when trained on comparable data distributions, causing the adversarial perturbation to align with shared, brittle regions of the feature space. The attack works by crafting a perturbation on a local white-box surrogate model using gradient-based methods like Projected Gradient Descent (PGD) or the Carlini & Wagner (C&W) attack, then directly submitting that same perturbed input to the black-box target model without any modification. Transferability is the foundational mechanism enabling practical black-box attacks against deployed commercial APIs and systems where internal model access is impossible.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Master the interconnected concepts that define the attack surface of modern AI systems. These cards explore the mechanisms, metrics, and defenses central to understanding transferability.
Robust Accuracy
The primary metric for measuring a model's resilience. Unlike standard 'clean' accuracy on a held-out test set, robust accuracy is the classification accuracy evaluated on an adversarially perturbed version of that same test set. A model with high clean accuracy but near-zero robust accuracy is useless in a security-sensitive environment.
- Benchmarking Transferability: To measure transferability, robust accuracy is calculated on Model B using adversarial examples generated by Model A. A low robust accuracy score in this cross-model test indicates high transferability.
- Robustness Gap: The difference between clean accuracy and robust accuracy is a critical metric. Adversarial training often closes this gap but at the cost of a slight drop in clean accuracy, a phenomenon known as the robustness-accuracy trade-off.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us