An evasion attack is an inference-time adversarial strategy where an attacker crafts a perturbed input sample specifically designed to bypass a fixed, pre-trained classifier. Unlike data poisoning, the adversary does not modify the training data or the model's weights; they exploit blind spots in the model's learned decision boundaries by adding carefully calculated, often imperceptible noise to a malicious payload, causing it to be misidentified as benign.
Glossary
Evasion Attack

What is Evasion Attack?
An evasion attack is a security violation deployed during the inference phase where an adversary subtly modifies a malicious input sample to cause a misclassification by a trained machine learning model without altering the model's internal parameters or architecture.
In the context of automatic modulation classification, an evasion attack involves transmitting a radio frequency waveform with subtle, adversarial physical-layer perturbations. These perturbations are engineered to force a deep learning-based receiver to misclassify the modulation scheme—for example, confusing a malicious QPSK signal for benign Gaussian noise—while remaining undetectable to traditional signal analysis. This directly undermines the integrity of cognitive radio and spectrum monitoring systems.
Key Characteristics of Evasion Attacks
Evasion attacks exploit the decision boundary of a trained classifier at inference time. Unlike poisoning, the model's parameters remain untouched; the adversary crafts a malicious sample that appears normal to human observers but triggers a targeted misclassification.
Inference-Time Manipulation
The defining characteristic of an evasion attack is its post-training execution. The adversary does not alter the model's weights, architecture, or training pipeline. Instead, they solve an optimization problem to find the minimal perturbation that pushes a malicious input across the decision boundary. This makes the attack stealthy and difficult to detect through model integrity checks alone.
Imperceptible Perturbation Constraints
Adversaries operate within a strict adversarial budget, typically defined by an Lp-norm bound (e.g., L∞ < ε). The goal is to minimize perturbation magnitude while maximizing misclassification confidence.
- L∞ attacks: Constrain the maximum per-pixel or per-sample change.
- L2 attacks: Minimize Euclidean distance of the perturbation.
- L0 attacks: Minimize the number of altered features. In RF domains, this translates to minimal added noise that evades energy detectors.
White-Box vs. Black-Box Access
Evasion attacks are categorized by the adversary's knowledge of the target model:
- White-Box: Full access to architecture, weights, and gradients. Enables powerful gradient-based methods like Projected Gradient Descent (PGD).
- Black-Box: No internal access. The adversary queries the model's confidence scores or hard labels to estimate gradients or train a surrogate model.
- Transferability is the critical property that makes black-box attacks viable—an adversarial example crafted on a surrogate often fools the original target.
Physical-World Realizability
Evasion is not limited to the digital domain. Over-the-air attacks transmit perturbed waveforms through real radio channels, accounting for multipath fading, noise, and hardware impairments. Adversaries must craft perturbations robust to these channel effects, often using Expectation over Transformation (EoT) to optimize across a distribution of physical distortions. This makes RF classifiers deployed on SDRs particularly vulnerable.
Targeted vs. Untargeted Objectives
Evasion attacks are defined by their misclassification goal:
- Untargeted: The adversary simply wants any incorrect class prediction. Easier to achieve with larger perturbation margins.
- Targeted: The adversary forces classification into a specific, attacker-chosen class. This is harder and requires more precise perturbation crafting. In modulation classification, a targeted attack might force a QPSK signal to be classified as BPSK, enabling protocol-aware exploitation downstream.
Adaptive Attack Resilience
A robust evasion attack must defeat not only the base classifier but also any deployed defenses. Adaptive adversaries assume full knowledge of defense mechanisms—such as adversarial training, input transformations, or detection filters—and optimize their perturbations to circumvent them simultaneously. Evaluating against adaptive attacks is the gold standard for measuring true adversarial robustness, as static defenses often create a false sense of security.
Evasion Attack vs. Data Poisoning vs. Model Inversion
A comparative analysis of three fundamental adversarial threat vectors against machine learning systems, distinguished by attack surface, timing, and objective.
| Feature | Evasion Attack | Data Poisoning | Model Inversion |
|---|---|---|---|
Attack Timing | Inference time | Training time | Post-deployment |
Target Component | Input sample | Training dataset | Model parameters |
Adversary Goal | Misclassification | Model corruption / backdoor | Data reconstruction |
Model Integrity Impact | |||
Data Confidentiality Impact | |||
Requires Training Data Access | |||
Requires Model Query Access | |||
Primary Defense | Adversarial training | Data sanitization | Differential privacy |
Frequently Asked Questions
Clear, technical answers to the most common questions about inference-time adversarial attacks against automatic modulation classification systems.
An evasion attack is an adversarial perturbation applied to a malicious input sample at inference time to cause a trained classifier to misclassify it, without altering the model's parameters or training data. The adversary crafts a modified version of the input—such as a radio signal waveform—that appears normal to human observation but triggers an incorrect classification decision. In the context of automatic modulation classification, an evasion attack might add carefully structured noise to a jamming signal so that a cognitive radio misidentifies it as legitimate QPSK traffic. The attack exploits blind spots in the model's decision boundary, typically by moving the input just across a classification threshold in a high-dimensional feature space. Unlike data poisoning or backdoor attacks, evasion attacks occur entirely post-deployment and require no access to the training pipeline.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Understanding evasion attacks requires mapping the broader adversarial landscape. These concepts define the attacker's knowledge, the nature of the perturbation, and the defensive countermeasures.
Adversarial Perturbation
The core mechanism of an evasion attack. A carefully crafted, often imperceptible noise pattern added to a benign input sample at inference time. The perturbation is designed to cross the model's decision boundary while remaining invisible to human analysis or minimizing signal distortion in the RF domain. Lp-norms (L0, L2, L∞) typically constrain the perturbation's magnitude.
Threat Model
A formal characterization defining the attacker's goals, knowledge, and capabilities. This framework specifies the security guarantees a defense must provide. Key axes include:
- White-box: Attacker has full access to model architecture and parameters.
- Black-box: Attacker only observes input-output pairs via queries.
- Targeted vs. Untargeted: Forcing a specific misclassification vs. any incorrect class.
Projected Gradient Descent (PGD)
A powerful multi-step iterative attack considered the benchmark for evaluating empirical robustness. PGD generates an adversarial example by repeatedly taking gradient steps in the direction that maximizes loss, projecting the perturbation back onto an epsilon-ball after each step to constrain distortion. It is a stronger, iterative variant of the Fast Gradient Sign Method (FGSM).
Adversarial Training
The primary defensive technique against evasion attacks. This method injects adversarial examples—typically generated by PGD—into the training dataset. The model learns to correctly classify these perturbed inputs, effectively hardening its decision boundaries. This is framed as a min-max optimization problem: minimizing empirical risk against a maximally perturbed adversary.
Over-the-Air Attack
A physical-world realization of an evasion attack specific to RF systems. The adversary transmits a perturbed waveform through a real radio channel to fool a remote receiver's classifier. The perturbation must survive channel impairments like multipath fading, noise, and hardware distortion, making it significantly more challenging than a digital-domain attack.
Certified Robustness
A formal, mathematical guarantee that a classifier's prediction will remain constant for any input within a verified perturbation bound. Unlike empirical defenses, certified methods provide provable security. Randomized Smoothing is a leading technique that constructs a certifiably robust classifier by adding Gaussian noise and returning the most probable prediction under that noise distribution.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us