An over-the-air attack translates a digital adversarial perturbation into a physical radio frequency waveform and transmits it through antennas to a victim receiver. Unlike simulated attacks, the perturbation must survive channel impairments—multipath fading, noise, and hardware distortion—while remaining covert within the adversarial budget to induce a targeted misclassification by the remote automatic modulation classifier.
Glossary
Over-the-Air Attack

What is Over-the-Air Attack?
An over-the-air attack is a physical-world adversarial attack where a perturbed waveform is transmitted through a real radio channel to fool a remote receiver's classifier.
This attack validates real-world threat models by bridging the gap between algorithmic vulnerabilities and operational electronic warfare. The adversary must account for over-the-air propagation effects that distort the crafted perturbation, often requiring iterative optimization or a surrogate model trained on channel feedback to generate a robust, transferable adversarial waveform capable of evading detection.
Key Characteristics of Over-the-Air Attacks
An over-the-air attack translates digital adversarial perturbations into the physical world, transmitting a malicious waveform through a real radio channel to deceive a remote receiver's classifier.
Physical Waveform Propagation
Unlike purely digital attacks, the perturbation must survive the wireless channel. The adversary transmits a crafted IQ waveform that, after undergoing multipath fading, Doppler shift, and thermal noise, still induces a misclassification at the receiver. This requires the attacker to model or estimate the channel's impulse response to pre-distort the signal, ensuring the perturbation arrives intact at the target's feature space.
Channel-Invariant Adversarial Perturbations
A critical challenge is designing a perturbation robust to unknown channel conditions. Techniques include:
- EOT (Expectation Over Transformation): Optimizing the perturbation over a distribution of simulated channel effects.
- Universal Adversarial Perturbations (UAPs): Crafting a single perturbation waveform that causes misclassification across a wide range of input signals and channel realizations.
- Cyclic Prefix Exploitation: Embedding the perturbation within the guard interval of an OFDM waveform to maintain synchronization.
Black-Box Threat Model
The attacker typically operates under a black-box assumption with no access to the receiver's model architecture or parameters. The attack relies on transferability: an adversarial example generated on a local surrogate model trained on similar modulation data is transmitted over-the-air, hoping it transfers to the remote target classifier. Query-based attacks are often infeasible due to the one-way nature of many RF links.
Synchronization and Timing Constraints
The attack must align precisely with the target receiver's sampling window. A perturbation misaligned by even a fraction of a symbol period may be ineffective or only inject noise. Sophisticated attacks incorporate blind synchronization techniques or exploit known preamble structures to ensure the adversarial waveform is coherently combined with the legitimate signal at the classifier's input.
Hardware Impairment Exploitation
The attacker's own transmitter hardware introduces non-linear distortions (e.g., power amplifier non-linearity, I/Q imbalance) that can degrade the perturbation. Conversely, an attacker can intentionally exploit the receiver's automatic gain control (AGC) or carrier frequency offset (CFO) correction loops. By crafting a signal that saturates the AGC or biases the CFO estimator, the attacker can create a secondary denial-of-service or misclassification vector.
Defensive Countermeasures
Defenses against over-the-air attacks include:
- Adversarial Training with Channel Models: Augmenting the training set with adversarial examples passed through simulated channel models.
- RF Anomaly Detection: Monitoring the raw IQ stream for statistical anomalies inconsistent with nominal hardware and channel behavior.
- Certified Robustness via Randomized Smoothing: Adding Gaussian noise at the receiver's front-end to create a provably smooth decision boundary, though this trades off sensitivity.
Frequently Asked Questions
Explore the mechanics, threat models, and defensive strategies for adversarial attacks transmitted through real radio channels to fool remote modulation classifiers.
An over-the-air attack is a physical-world adversarial attack where a perturbed waveform is transmitted through a real radio channel to fool a remote receiver's automatic modulation classification (AMC) system. Unlike purely digital adversarial examples, this attack must survive the non-linear distortions of multipath fading, hardware impairments, and thermal noise. The adversary crafts a perturbation—often constrained by an adversarial budget defined by an Lp-norm—and injects it into a legitimate modulated signal. The resulting waveform propagates through the ether, and if successful, the distant classifier misidentifies a QPSK transmission as 16-QAM, for instance. This bridges the gap between theoretical evasion attacks and practical electronic warfare, demonstrating that adversarial robustness must account for the stochastic nature of the physical layer.
Over-the-Air Attack vs. Digital Adversarial Attack
A comparison of physical-world over-the-air attacks against purely digital adversarial attacks targeting automatic modulation classification systems.
| Feature | Over-the-Air Attack | Digital Adversarial Attack |
|---|---|---|
Attack Domain | Physical radio channel | Digital signal processing |
Channel Effects Present | ||
Requires SDR Hardware | ||
Perturbation Fidelity | Degraded by multipath and noise | Pristine, lossless injection |
Adversarial Budget Constraint | Must account for channel distortion | Exact Lp-norm bound enforced |
Transferability Success Rate | 0.3% | 0.5% |
Real-World Deployability | ||
Defense Strategy | Channel-robust adversarial training | Standard adversarial training |
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Explore the core concepts and methodologies that define physical-world adversarial threats against RF machine learning systems.
Evasion Attack
An attack deployed at inference time where an adversary modifies a malicious sample to bypass a trained classifier without altering the model itself. Unlike poisoning, the model's integrity remains intact, but its output is compromised. Key characteristics include:
- No training data access: The attacker only interacts with the deployed model.
- Real-time execution: The perturbation is computed and transmitted live.
- Stealth focus: The goal is to be misclassified as benign or a specific target class.
Threat Model
A formal characterization of an adversary's goals, knowledge, and capabilities, defining the specific security guarantees a defense must provide. A rigorous threat model for an over-the-air attack specifies:
- Adversary's Goal: Targeted misclassification (e.g., BPSK to 8-PSK) vs. untargeted denial-of-service.
- Knowledge: White-box (full access to model weights and architecture) vs. Black-box (only query access via spectrum observation).
- Capability: The maximum perturbation power budget (e.g., an epsilon bound on the L2-norm of the added waveform) and the adversary's channel state information.
Black-Box Attack
An attack executed without internal knowledge of the target model's architecture or parameters, relying solely on querying input-output pairs. In an over-the-air context, this is the most realistic threat scenario. The attacker transmits a signal and observes the system's reaction (e.g., a change in modulation and coding scheme). Techniques include:
- Score-based: Using softmax confidence scores to estimate gradients.
- Decision-based: Using only the hard-label prediction to guide a random walk toward an adversarial example.
- Transfer-based: Training a local surrogate model on synthesized I/Q data to generate transferable perturbations.
Adversarial Budget
The maximum allowable magnitude of a perturbation, typically defined by an Lp-norm bound, within which an adversary is constrained to operate. This constraint ensures the attack remains covert and does not simply jam the channel. Common formulations include:
- L∞-norm: Limits the maximum instantaneous amplitude of the perturbation waveform.
- L2-norm: Limits the total energy of the perturbation added to the I/Q samples.
- Signal-to-Noise Ratio (SNR): A practical RF budget defining the perturbation power relative to the original signal power, ensuring the adversarial waveform hides below the noise floor.
Adversarial Training
A defensive technique that injects adversarial examples into the training dataset to improve a model's robustness against future attacks. For over-the-air resilience, this involves:
- Dynamic generation: Using Projected Gradient Descent (PGD) to create worst-case perturbations during each training epoch.
- Channel augmentation: Applying realistic fading and noise models to the adversarial examples to ensure robustness generalizes to the physical channel.
- Trade-off: Acknowledging that this defense often reduces accuracy on clean, unperturbed signals.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us