A threat model is a structured representation of the security context for a machine learning system, formally defining the adversary's objectives, knowledge (white-box or black-box access), and capabilities (e.g., perturbation budget). It establishes the precise boundaries within which a defense must operate, moving security analysis from vague risk to quantifiable guarantees.
Glossary
Threat Model

What is a Threat Model?
A formal characterization of an adversary's goals, knowledge, and capabilities, defining the specific security guarantees a defense must provide.
In modulation classification, a rigorous threat model specifies whether an attacker can manipulate raw IQ samples over-the-air, their maximum L_p-norm adversarial budget, and if they possess full gradient access to the classifier. This formalization is critical for evaluating certified robustness and distinguishing between theoretical vulnerabilities and practical, real-world evasion attacks.
Core Components of a Threat Model
A formal threat model defines the rules of engagement for security analysis. It precisely characterizes the adversary's goals, knowledge, and capabilities, establishing the specific guarantees a defense must provide against evasion attacks on modulation classifiers.
Adversarial Goal
The specific security violation the attacker aims to achieve. In signal classification, this is typically an integrity violation—causing a targeted or untargeted misclassification of a modulation scheme.
- Targeted Attack: The adversary forces the classifier to output a specific incorrect label (e.g., making BPSK appear as QPSK).
- Untargeted Attack: The adversary simply wants any output other than the correct class.
- Confidence Reduction: The attacker degrades the model's prediction confidence without changing the top-1 label, potentially triggering downstream uncertainty protocols.
Adversary Knowledge (White/Gray/Black Box)
The level of access and information the attacker possesses about the target model, which dictates the attack strategy's sophistication.
- White-Box Access: Full knowledge of model architecture, weights, gradients, and training data. Enables powerful gradient-based attacks like Projected Gradient Descent (PGD).
- Black-Box Access: Only input-output query access. The adversary must rely on transferability from a surrogate model or estimate gradients via zeroth-order optimization.
- Gray-Box Access: Partial knowledge, such as the feature extraction pipeline but not the classifier head, or knowledge of the defense mechanism but not the model parameters.
Adversarial Capability (Perturbation Budget)
The constraints limiting how much an adversary can modify the input signal, formalized by an Lp-norm bound on the perturbation magnitude.
- L∞ (Max Norm): Limits the maximum change to any single IQ sample. Common in image domains and directly applicable to waveform samples.
- L2 (Euclidean Norm): Constrains the total energy of the added perturbation across all samples.
- L0 (Sparsity): Limits the number of IQ samples the adversary can modify, relevant for pulsed or burst communication signals.
- Over-the-Air Constraints: The perturbation must survive physical channel effects (fading, multipath) and comply with spectral mask regulations.
Attack Surface & Input Domain
The specific stage in the signal processing pipeline where the adversary injects the perturbation, defining the physical realizability of the threat.
- Baseband IQ Injection: The adversary modifies the raw in-phase and quadrature samples before the receiver's classifier. Assumes direct digital access.
- Over-the-Air (OTA) Waveform: The perturbation is transmitted as a physical waveform through a real radio channel. Must account for channel impairment and synchronization.
- Feature-Level Attack: The adversary modifies extracted features (e.g., cumulants, cyclostationary signatures) rather than raw samples, assuming the feature extractor is compromised.
Defense Objective & Security Guarantee
The formal property the defense mechanism must provably or empirically maintain under the defined threat model.
- Certified Robustness: A mathematical guarantee that the classifier's prediction remains constant for any perturbation within a verified Lp-ball radius. Achieved via randomized smoothing or formal verification.
- Empirical Robustness: Measured accuracy against a specific attack algorithm (e.g., PGD). Does not provide a guarantee against stronger future attacks.
- Detection & Rejection: The defense does not correct the classification but flags adversarial inputs for human review or discarding, using adversarial detection or out-of-distribution detection techniques.
Threat Model Mismatch & Adaptive Attacks
A critical failure mode where the defense is evaluated under a weaker threat model than a real adversary would use, leading to a false sense of security.
- Gradient Obfuscation: A defense that relies on non-differentiable operations or shattered gradients to block gradient-based attacks, but fails against decision-based black-box attacks or Backward Pass Differentiable Approximation (BPDA).
- Adaptive Adversary: An attacker who knows the defense mechanism and modifies their attack accordingly. Evaluating against a static attack without adapting to the defense invalidates the security claim.
- Obfuscated Gradients: A specific sign of gradient masking where the model's loss surface provides no useful signal for first-order optimization, often easily circumvented.
Frequently Asked Questions
A threat model formally defines the security assumptions, adversarial goals, and attack capabilities that a defense mechanism must withstand. Understanding these boundaries is essential for evaluating whether a modulation classification system provides meaningful protection or merely a false sense of security.
A threat model is a formal characterization of an adversary's goals, knowledge, and capabilities that defines the specific security guarantees a defense must provide. In the context of automatic modulation classification, the threat model specifies what the attacker knows about the classifier (white-box vs. black-box access), what perturbation budget they can expend (typically bounded by an Lp-norm constraint), and what constitutes a successful attack (targeted misclassification vs. untargeted evasion). Without a clearly defined threat model, robustness claims are meaningless—a defense that appears strong under one set of assumptions may be trivially broken under another. For example, a modulation classifier hardened against Fast Gradient Sign Method (FGSM) attacks may remain vulnerable to multi-step Projected Gradient Descent (PGD) adversaries operating under the same perturbation budget.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
A formal threat model defines the security guarantees a defense must provide by characterizing the adversary's goals, knowledge, and capabilities. The following concepts are essential for constructing and evaluating robust signal classification systems.
Adversarial Budget
The maximum allowable perturbation magnitude an adversary can apply, typically defined by an Lp-norm bound (e.g., L∞ epsilon-ball). This constraint ensures the attack remains imperceptible or physically realizable. In RF domains, the budget may be measured in signal-to-noise ratio (SNR) or error vector magnitude (EVM) rather than pixel-space norms.
- L∞ norm: Limits maximum per-sample perturbation
- L2 norm: Constrains total Euclidean distortion energy
- RF-specific budgets: Peak-to-average power ratio constraints
White-Box vs. Black-Box Access
A critical dimension of any threat model specifying what the adversary knows. White-box assumes full access to model architecture, parameters, and gradients—enabling powerful attacks like PGD. Black-box restricts the adversary to querying input-output pairs only, requiring surrogate model construction or score-based gradient estimation.
- White-box: Gradients, weights, architecture known
- Black-box query: Soft labels or hard labels returned
- Transfer attack: Exploits cross-model vulnerability
Attack Surface: Training vs. Inference
Threat models distinguish between training-time and inference-time attack surfaces. Data poisoning and backdoor attacks compromise model integrity during training by injecting malicious samples. Evasion attacks operate at inference, modifying inputs to bypass a frozen classifier. Defenses must address the correct surface.
- Training-time: Poisoning, backdoor injection, label flipping
- Inference-time: Evasion, model inversion, membership inference
- Over-the-air: Physical channel introduces natural perturbations
Adversarial Goals
The adversary's objective defines the severity of a successful attack. Untargeted attacks simply cause any misclassification. Targeted attacks force the model to output a specific incorrect class—far more dangerous in automatic modulation classification where spoofing a BPSK signal as QAM64 could trigger incorrect demodulation.
- Integrity violation: Evasion causing misclassification
- Availability violation: Inducing denial-of-service through high-confidence errors
- Privacy violation: Extracting training data via model inversion
Certified Robustness Guarantees
A formal threat model enables certified defenses that provide mathematical guarantees. Randomized smoothing constructs a smoothed classifier and certifies prediction invariance within a provable L2 radius. Unlike empirical defenses, certification offers worst-case guarantees against any attack within the defined budget.
- Randomized smoothing: Noise-based certification
- Interval bound propagation: Layer-by-layer bound computation
- SMT/SAT solvers: Exact verification for small networks
Over-the-Air Threat Models
In RF signal classification, the threat model must account for the physical wireless channel. Adversarial perturbations must survive multipath fading, Doppler shift, and receiver noise. An over-the-air attack transmits a crafted waveform through actual hardware, where non-linear amplifier effects and synchronization errors degrade perturbation fidelity.
- Channel-aware attacks: Perturbations designed to survive fading
- Hardware-in-the-loop: SDR-based attack validation
- EVM budget: Constraint on waveform distortion

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us