In the context of adversarial robustness, a surrogate model is a substitute classifier built by an attacker who has no internal access to the target model's architecture, parameters, or training data. The adversary queries the black-box target with a large set of synthetically generated inputs, collects the corresponding hard-label or soft-label predictions, and trains a local model to mimic the target's decision boundary. This process exploits the transferability property of adversarial examples.
Glossary
Surrogate Model

What is a Surrogate Model?
A surrogate model is a locally trained replica of a black-box target model, constructed by an adversary using synthesized input-output queries to generate transferable adversarial examples.
Once the surrogate model achieves high fidelity to the target, the attacker can craft white-box adversarial perturbations using gradient-based methods like Projected Gradient Descent (PGD) directly on the surrogate. Because these perturbations transfer across model boundaries, they are highly effective at fooling the original black-box system. Defenses against surrogate-based attacks include limiting query access, obfuscating confidence scores, and employing adversarial training to reduce transferability.
Core Characteristics of Surrogate Models
A surrogate model is a locally trained replica of a black-box target classifier, built by an adversary using synthesized queries. Its defining characteristics enable the generation of highly transferable adversarial examples without internal access to the victim model.
Query-Based Distillation
The surrogate is trained on a synthetic dataset labeled by repeatedly querying the target model. The adversary sends crafted inputs and records the output decisions or confidence scores. This input-output mapping allows the surrogate to approximate the target's decision boundary. Label-only attacks are particularly stealthy, requiring only the hard-label prediction rather than continuous confidence scores. The fidelity of the replica depends directly on the query budget and the diversity of the synthetic input distribution.
Architectural Agnosticism
A defining strength of surrogate models is that they do not require knowledge of the target's internal architecture. The adversary can select any differentiable model—often a standard architecture like a ResNet or a simple CNN—as the surrogate. Because adversarial examples exploit blind spots in the learned decision topology rather than specific weight configurations, the transferability property allows perturbations crafted on a structurally different surrogate to still fool the original black-box target.
White-Box Attack Enablement
Once the surrogate is fully trained, the adversary gains a critical asymmetric advantage: they can treat the replica as a white-box model. This grants full access to gradients, loss landscapes, and internal activations. The adversary can then apply powerful gradient-based attacks like Projected Gradient Descent (PGD) or the Carlini-Wagner (CW) attack to craft minimal-distortion adversarial examples. These examples are then transferred directly against the black-box target.
Transferability Maximization
The primary objective of a surrogate model is to generate perturbations that are highly transferable. Techniques to enhance this include:
- Ensemble surrogates: Training multiple replica models and crafting perturbations that fool all of them simultaneously.
- Momentum-based optimization: Integrating momentum into iterative gradient attacks to escape poor local maxima and find more globally effective perturbation directions.
- Input diversity: Applying random resizing and padding to inputs during the attack generation phase to prevent overfitting to the surrogate's specific grid patterns.
Query Efficiency Constraints
The practical viability of a surrogate attack is bounded by the query budget. High-fidelity replicas require millions of queries, making the attack detectable or prohibitively expensive. Research focuses on query-efficient strategies:
- Active learning: Selecting the most informative inputs to query based on the surrogate's current uncertainty.
- Substitute training: Using Jacobian-based dataset augmentation to force the surrogate to query inputs near the target's decision boundary, maximizing information gain per query.
- Natural evolution strategies: Estimating gradients using finite differences with fewer queries than standard zeroth-order optimization.
Defense Evasion and Blind Spots
Surrogate models are specifically designed to probe and bypass defenses. If the target model uses adversarial training, the surrogate must be trained on a dataset that reflects the defended decision boundary. However, surrogate attacks often exploit gradient masking, a phenomenon where a defended model presents a deceptively smooth surface to gradient-based attacks. By crafting attacks on a non-masked surrogate, the adversary can often circumvent defenses that rely on obfuscated gradients, revealing the target's true vulnerability.
Frequently Asked Questions
Explore the mechanics, risks, and defensive strategies surrounding surrogate models—the locally trained replicas adversaries use to craft transferable attacks against black-box automatic modulation classification systems.
A surrogate model is a locally trained replica of a target black-box classifier, constructed by an adversary to generate transferable adversarial examples. The attacker queries the target model with synthesized inputs to collect a labeled dataset of input-output pairs, then trains a substitute model to mimic the target's decision boundary. Because deep neural networks often learn similar feature representations, adversarial perturbations crafted on the surrogate frequently transfer to the original model. In automatic modulation classification, this means an adversary can build a surrogate that approximates a deployed RF classifier's behavior without ever accessing its architecture, weights, or training data, using only over-the-air or API queries to probe the system.
Surrogate Model vs. Other Attack Prerequisites
A feature-level comparison of the knowledge, access, and data requirements needed to execute a transfer attack via a surrogate model versus other common adversarial prerequisites.
| Feature | Surrogate Model | White-Box Access | Query-Based Black-Box |
|---|---|---|---|
Requires target model internals | |||
Requires target model query access | |||
Requires labeled training data | |||
Attack transferability | |||
Typical query budget | 10k-50k | 0 | 50k-1M |
Knowledge of target architecture | |||
Susceptible to query detection | |||
Physical-world deployability |
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Understanding the surrogate model requires familiarity with the broader taxonomy of adversarial attacks and defenses in machine learning. These related concepts define the threat landscape and countermeasures relevant to signal classification security.
Black-Box Attack
An attack executed without internal knowledge of the target model's architecture, weights, or training data. The adversary interacts solely through input-output queries.
- Score-based: Attacker receives confidence scores or logits
- Decision-based: Attacker receives only the final hard-label prediction
- Surrogate models are the primary tool for crafting transferable examples in this setting
- Query efficiency is the critical performance metric
Transferability
The property by which an adversarial example crafted to fool one model (the surrogate) also succeeds in fooling a different, independently trained model (the target).
- Exploits shared decision boundaries across architectures
- Higher transferability correlates with surrogate model fidelity
- Ensemble-based surrogate training amplifies this effect
- The foundational phenomenon that makes black-box attacks viable
Adversarial Training
A defensive technique that injects adversarial examples into the training dataset to improve model robustness. The model learns to correctly classify perturbed inputs.
- Formulated as a min-max optimization problem
- Most effective when adversarial examples are generated on-the-fly during training
- Defends against the exact attack used in training; generalization to unseen attacks varies
- Increases computational cost significantly
Projected Gradient Descent (PGD)
A powerful multi-step iterative attack that generates adversarial examples by repeatedly stepping in the gradient direction and projecting back onto an epsilon-ball constraint.
- Considered a first-order universal adversary
- Standard benchmark for evaluating empirical robustness
- Steps:
x_{t+1} = Proj(x_t + α · sign(∇_x L)) - Surrogate models trained with PGD produce highly transferable perturbations
Adversarial Detection
A security mechanism designed to distinguish between legitimate data samples and adversarial inputs before they reach the classification model.
- Primary methods: Feature squeezing, statistical divergence tests, and auxiliary detector networks
- Operates as a pre-classification gatekeeper
- Must avoid high false-positive rates on clean samples
- Often combined with rejection-based defenses
Certified Robustness
A formal guarantee that a classifier's prediction will not change for any input within a mathematically verified perturbation bound.
- Randomized Smoothing: Adds Gaussian noise and returns the most probable prediction
- Interval Bound Propagation: Propagates input bounds through the network
- Provides provable security, unlike empirical defenses
- Typically trades clean accuracy for guaranteed robustness

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us