Transferability is the property by which an adversarial perturbation computed against a specific surrogate model retains its efficacy when applied to a distinct target model. This occurs because different neural networks, even those with varying architectures or training data subsets, often learn similar decision boundaries and feature representations. The adversary exploits these shared geometric vulnerabilities in high-dimensional space, crafting a single input that traverses the blind spots of multiple classifiers simultaneously.
Glossary
Transferability

What is Transferability?
Transferability is the phenomenon where an adversarial example generated to mislead one machine learning model also succeeds in fooling a different, independently trained model.
This property is the cornerstone of practical black-box attacks, where an attacker has no internal access to the deployed model. By training a local surrogate on synthesized input-output pairs, the adversary generates transferable examples and launches them against the remote target. The degree of transferability depends on the architectural similarity between models and the specific attack algorithm used; iterative methods like Projected Gradient Descent (PGD) typically exhibit lower transferability than single-step methods like FGSM, due to overfitting to the surrogate's loss landscape.
Key Factors Influencing Transferability
The success of a transfer attack hinges on the geometric and statistical similarities between the surrogate model and the target model. Understanding these factors is critical for both designing robust attacks and engineering resilient defenses.
Model Architecture Similarity
Adversarial examples transfer most effectively between models sharing similar architectural inductive biases. Convolutional neural networks (CNNs) exhibit high transferability among themselves, while attacks crafted on a ResNet-50 often transfer well to a VGG-19 but poorly to a Vision Transformer (ViT). This occurs because different architectures learn fundamentally different decision boundaries and feature representations. Key insight: The gradient directions exploited by an attack are highly correlated across models with analogous building blocks.
- High transferability: CNN → CNN, Transformer → Transformer
- Low transferability: CNN → MLP, CNN → ViT
- Mechanism: Shared architectural priors lead to similar loss landscape geometry
Training Data Overlap
When the surrogate and target models are trained on identical or heavily overlapping datasets, transferability increases dramatically. Models trained on ImageNet-1K share similar learned feature spaces, making them vulnerable to cross-model attacks. Conversely, a classifier trained exclusively on synthetic RF signals may resist attacks from a surrogate trained on over-the-air captures due to distributional mismatch. The attack exploits features that are universal to the underlying data manifold rather than idiosyncrasies of a single model.
- Maximum risk: Identical training sets
- Reduced risk: Disjoint data sources
- Defense strategy: Diversifying training data provenance reduces shared blind spots
Gradient Alignment and Loss Landscape Geometry
Transferability is fundamentally governed by the alignment of loss gradient directions between models. When the angle between the surrogate's gradient and the target's gradient is small, a perturbation crafted on the surrogate pushes the target's input across its decision boundary. Sharp minima produce highly directional gradients that overfit to the surrogate, while flat minima yield more generalized perturbation directions. Techniques like Sharpness-Aware Minimization (SAM) reduce transferability by flattening the loss landscape.
- High transferability: High gradient cosine similarity
- Low transferability: Orthogonal or opposing gradient directions
- Metric: Cosine similarity between surrogate and target loss gradients
Attack Strength and Perturbation Budget
Stronger attacks with larger Lp-norm perturbation budgets transfer more reliably. A single-step Fast Gradient Sign Method (FGSM) attack with epsilon=8/255 may fail to transfer, while a multi-step Projected Gradient Descent (PGD) attack with 20 iterations and the same epsilon budget succeeds. However, excessive perturbation magnitude reduces imperceptibility. Carlini-Wagner attacks optimize for minimal distortion, sometimes sacrificing raw transferability for stealth.
- Weak transfer: Single-step FGSM, small epsilon
- Strong transfer: Iterative PGD, momentum-boosted attacks
- Trade-off: Perturbation visibility vs. cross-model efficacy
Ensemble-Based Surrogate Construction
Crafting adversarial examples against an ensemble of diverse surrogate models significantly boosts transferability. By optimizing a perturbation that simultaneously fools multiple architectures, the attack captures a more generalized adversarial direction less tied to any single model's quirks. This technique is a standard benchmark in black-box attack evaluations and often defeats defensively distilled networks.
- Method: Average loss gradients across multiple surrogate models
- Result: Perturbation aligns with shared, universal vulnerability
- Defense implication: Ensemble diversity in deployment mirrors attacker strategy
Input Transformation Robustness
Applying random input transformations—such as resizing, padding, or JPEG compression—during attack generation creates perturbations invariant to these preprocessing steps. This Expectation over Transformation (EoT) approach ensures the adversarial example survives the unknown preprocessing pipelines of a target model. In signal classification, transformations like frequency offset or noise addition during crafting improve over-the-air transferability.
- EoT attack: Optimize over a distribution of input transformations
- Benefit: Robustness to unknown target preprocessing
- RF domain: Simulate channel impairments during perturbation crafting
Frequently Asked Questions
Explore the mechanics and implications of adversarial transferability in signal classification systems, a critical concern for security engineers hardening deep learning models against black-box evasion attacks.
Transferability is the property by which an adversarial example crafted to fool one specific model (the surrogate) also succeeds in fooling a different, independently trained model (the target). This phenomenon occurs because distinct models often learn similar decision boundaries and feature representations, especially when trained on comparable data distributions. In the context of automatic modulation classification, a perturbation generated against a local surrogate convolutional neural network can transfer over-the-air to a remote, black-box classifier deployed on a different hardware platform, enabling an evasion attack without any internal knowledge of the target system. The degree of transferability depends on architectural similarity, training data overlap, and the optimization method used to generate the adversarial perturbation.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Understanding the property that allows an attack developed against one model to compromise another requires a deep dive into the underlying mechanisms, threat models, and defensive postures.
The Surrogate Model Strategy
In black-box attacks, an adversary cannot access the target model's gradients. They build a surrogate model—a locally trained replica using synthesized input-output pairs from querying the target. The adversary crafts white-box attacks against this surrogate. The attack's success on the real target hinges entirely on transferability. High architectural similarity between the surrogate and target models increases the attack's cross-model efficacy.
Geometric Foundations of Transferability
Transferability is not random; it is rooted in the geometry of the loss landscape. Adversarial examples often exploit directions of high curvature in the decision boundary that are common across independently trained models. Techniques like Sharpness-Aware Minimization (SAM) explicitly flatten the loss landscape during training. Flatter minima reduce the overlap of sensitive directions between models, directly degrading the transferability of adversarial perturbations.
Ensemble-Based Attacks
To maximize transferability against an unknown black-box target, adversaries craft perturbations against an ensemble of diverse surrogate models simultaneously. The optimization process, often using iterative methods like Projected Gradient Descent (PGD), finds a single perturbation that fools multiple architectures (e.g., ResNets, VGGs, DenseNets) at once. This exploits the shared decision-boundary vulnerabilities across the ensemble, dramatically increasing the likelihood of a successful transfer to a held-out target model.
Input Transformation Resilience
A common defense against transferable attacks is to randomize the input to the classifier. Techniques include random resizing, padding, or JPEG compression before inference. These transformations disrupt the precise spatial structure of the adversarial perturbation. However, Expectation over Transformation (EOT) attacks counter this by optimizing the perturbation to remain effective across a distribution of such transformations, restoring transferability even against models with randomized preprocessing pipelines.
Feature-Level Disruption
Standard attacks optimize for misclassification in the final output layer. Intermediate-layer attacks target the feature representations in the middle of a network. By maximizing the discrepancy between the feature maps of a clean image and its adversarial counterpart on the surrogate model, the perturbation disrupts fundamental, transferable feature extractors. This approach is highly effective for transferability because internal feature representations are more universally shared across models than final decision logits.
Domain-Specific Transfer: RF Signals
In Automatic Modulation Classification (AMC), transferability manifests over-the-air. An adversarial perturbation crafted to fool a software-defined radio classifier in a lab can transfer to a different, remote receiver hardware platform. The perturbation must survive the physical channel impairments (fading, multipath) of an over-the-air attack. Transferability in this domain depends on the robustness of the perturbation to hardware-specific non-linearities and channel distortion not present in the surrogate training environment.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us