Inferensys

Glossary

Evasion Attack

An attack deployed at inference time where an adversary modifies a malicious sample to bypass a trained classifier without altering the model itself.
Developer testing AI inference on mobile phone in hand, laptop with optimization code visible, casual tech review moment.
INFERENCE-TIME THREAT

What is Evasion Attack?

An evasion attack is a security violation deployed during the inference phase where an adversary subtly modifies a malicious input sample to cause a misclassification by a trained machine learning model without altering the model's internal parameters or architecture.

An evasion attack is an inference-time adversarial strategy where an attacker crafts a perturbed input sample specifically designed to bypass a fixed, pre-trained classifier. Unlike data poisoning, the adversary does not modify the training data or the model's weights; they exploit blind spots in the model's learned decision boundaries by adding carefully calculated, often imperceptible noise to a malicious payload, causing it to be misidentified as benign.

In the context of automatic modulation classification, an evasion attack involves transmitting a radio frequency waveform with subtle, adversarial physical-layer perturbations. These perturbations are engineered to force a deep learning-based receiver to misclassify the modulation scheme—for example, confusing a malicious QPSK signal for benign Gaussian noise—while remaining undetectable to traditional signal analysis. This directly undermines the integrity of cognitive radio and spectrum monitoring systems.

INFERENCE-TIME THREAT VECTOR

Key Characteristics of Evasion Attacks

Evasion attacks exploit the decision boundary of a trained classifier at inference time. Unlike poisoning, the model's parameters remain untouched; the adversary crafts a malicious sample that appears normal to human observers but triggers a targeted misclassification.

01

Inference-Time Manipulation

The defining characteristic of an evasion attack is its post-training execution. The adversary does not alter the model's weights, architecture, or training pipeline. Instead, they solve an optimization problem to find the minimal perturbation that pushes a malicious input across the decision boundary. This makes the attack stealthy and difficult to detect through model integrity checks alone.

02

Imperceptible Perturbation Constraints

Adversaries operate within a strict adversarial budget, typically defined by an Lp-norm bound (e.g., L∞ < ε). The goal is to minimize perturbation magnitude while maximizing misclassification confidence.

  • L∞ attacks: Constrain the maximum per-pixel or per-sample change.
  • L2 attacks: Minimize Euclidean distance of the perturbation.
  • L0 attacks: Minimize the number of altered features. In RF domains, this translates to minimal added noise that evades energy detectors.
03

White-Box vs. Black-Box Access

Evasion attacks are categorized by the adversary's knowledge of the target model:

  • White-Box: Full access to architecture, weights, and gradients. Enables powerful gradient-based methods like Projected Gradient Descent (PGD).
  • Black-Box: No internal access. The adversary queries the model's confidence scores or hard labels to estimate gradients or train a surrogate model.
  • Transferability is the critical property that makes black-box attacks viable—an adversarial example crafted on a surrogate often fools the original target.
04

Physical-World Realizability

Evasion is not limited to the digital domain. Over-the-air attacks transmit perturbed waveforms through real radio channels, accounting for multipath fading, noise, and hardware impairments. Adversaries must craft perturbations robust to these channel effects, often using Expectation over Transformation (EoT) to optimize across a distribution of physical distortions. This makes RF classifiers deployed on SDRs particularly vulnerable.

05

Targeted vs. Untargeted Objectives

Evasion attacks are defined by their misclassification goal:

  • Untargeted: The adversary simply wants any incorrect class prediction. Easier to achieve with larger perturbation margins.
  • Targeted: The adversary forces classification into a specific, attacker-chosen class. This is harder and requires more precise perturbation crafting. In modulation classification, a targeted attack might force a QPSK signal to be classified as BPSK, enabling protocol-aware exploitation downstream.
06

Adaptive Attack Resilience

A robust evasion attack must defeat not only the base classifier but also any deployed defenses. Adaptive adversaries assume full knowledge of defense mechanisms—such as adversarial training, input transformations, or detection filters—and optimize their perturbations to circumvent them simultaneously. Evaluating against adaptive attacks is the gold standard for measuring true adversarial robustness, as static defenses often create a false sense of security.

ADVERSARIAL THREAT TAXONOMY

Evasion Attack vs. Data Poisoning vs. Model Inversion

A comparative analysis of three fundamental adversarial threat vectors against machine learning systems, distinguished by attack surface, timing, and objective.

FeatureEvasion AttackData PoisoningModel Inversion

Attack Timing

Inference time

Training time

Post-deployment

Target Component

Input sample

Training dataset

Model parameters

Adversary Goal

Misclassification

Model corruption / backdoor

Data reconstruction

Model Integrity Impact

Data Confidentiality Impact

Requires Training Data Access

Requires Model Query Access

Primary Defense

Adversarial training

Data sanitization

Differential privacy

EVASION ATTACKS EXPLAINED

Frequently Asked Questions

Clear, technical answers to the most common questions about inference-time adversarial attacks against automatic modulation classification systems.

An evasion attack is an adversarial perturbation applied to a malicious input sample at inference time to cause a trained classifier to misclassify it, without altering the model's parameters or training data. The adversary crafts a modified version of the input—such as a radio signal waveform—that appears normal to human observation but triggers an incorrect classification decision. In the context of automatic modulation classification, an evasion attack might add carefully structured noise to a jamming signal so that a cognitive radio misidentifies it as legitimate QPSK traffic. The attack exploits blind spots in the model's decision boundary, typically by moving the input just across a classification threshold in a high-dimensional feature space. Unlike data poisoning or backdoor attacks, evasion attacks occur entirely post-deployment and require no access to the training pipeline.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.