Inferensys

Glossary

Transferability

The property by which adversarial examples generated to mislead one machine learning model also cause misclassification in other, independently trained models.
ML engineer managing model training cluster on laptop, GPU utilization visible, technical deep learning setup.
ADVERSARIAL PROPERTY

What is Transferability?

Transferability is the phenomenon where adversarial examples generated to fool one machine learning model also induce misclassification in other independently trained models, even if they have different architectures or training data.

Transferability is the property by which an adversarial example crafted against a specific source model retains its malicious efficacy against a distinct target model. This cross-model vulnerability arises because different neural networks often learn similar decision boundaries and feature representations, making the perturbations geometrically meaningful across architectures.

This property is the foundation of black-box attacks, where an adversary with no internal access to a target system trains a local substitute model, generates adversarial examples against it, and transfers them to the victim model. The degree of transferability depends on the architectural similarity between models and the attack's optimization strength, with multi-step methods like Projected Gradient Descent (PGD) typically exhibiting higher transfer rates than single-step attacks.

CROSS-MODEL VULNERABILITY

Key Factors Influencing Transferability

The degree to which an adversarial example transfers between models is not arbitrary. It is governed by specific architectural, data, and optimization factors that security researchers must understand to accurately assess system risk.

01

Model Architectural Similarity

Adversarial examples transfer most effectively between models with homogeneous architectures. A perturbation crafted for a ResNet-50 will transfer to another ResNet-50 with high probability, but transfer drops significantly when targeting a Vision Transformer (ViT). This occurs because similar architectures learn correlated decision boundaries and feature representations. Key architectural factors include:

  • Depth and width: Deeper networks with similar capacity share more vulnerable subspaces.
  • Activation functions: ReLU-based networks exhibit more transferable adversarial subspaces than smooth activations like GELU or Swish.
  • Normalization layers: BatchNorm statistics create dataset-specific loss geometries that can either amplify or inhibit transferability.
> 80%
Transfer rate between identical architectures
< 30%
Transfer rate across disparate architectures
02

Gradient Alignment and Loss Landscape Geometry

Transferability is fundamentally a property of gradient correlation between source and target models. When the loss gradients of two models point in similar directions for a given input, perturbations crafted on one will deceive the other. This phenomenon is explained by the local linearity hypothesis: neural networks behave approximately linearly in the vicinity of training points, and these linear approximations overlap across independently trained models. Techniques that explicitly maximize gradient alignment—such as gradient matching attacks and intermediate feature attacks—can dramatically increase cross-model transfer rates by targeting shared representational subspaces rather than model-specific decision boundaries.

2-3x
Transfer boost from gradient alignment optimization
03

Training Data Distribution Overlap

Models trained on overlapping or identical datasets exhibit significantly higher adversarial transferability. This is because shared training data induces convergent learning dynamics—both models converge toward similar Bayes optimal decision boundaries. The phenomenon is particularly pronounced when:

  • Models are trained on the same benchmark datasets (ImageNet, CIFAR-10).
  • Data augmentation strategies are identical or highly similar.
  • Class label semantics and granularity are consistent.

Conversely, models trained on disjoint data distributions—even with identical architectures—show markedly reduced transferability. This has critical implications for black-box attack surface analysis: an attacker with knowledge of the training data distribution can select a surrogate model that maximizes expected transfer.

60-90%
Transfer rate with shared training data
10-25%
Transfer rate with disjoint training data
04

Perturbation Budget and Optimization Iterations

The Lp-norm perturbation budget (epsilon) directly modulates transferability. Larger perturbation magnitudes increase the likelihood of crossing decision boundaries in both source and target models, but at the cost of perceptual detectability. The relationship is non-linear:

  • Small epsilon (e.g., 4/255): Transfer is highly architecture-dependent; only models with near-identical decision boundaries are fooled.
  • Large epsilon (e.g., 16/255): Transfer rates plateau as perturbations enter universal adversarial subspaces—directions in input space that are orthogonal to data manifold variations.

Additionally, multi-step iterative attacks (PGD, MI-FGSM) generate more transferable examples than single-step methods (FGSM) by more precisely navigating the loss landscape. Momentum-based optimization (MI-FGSM) and input diversity techniques (DIM) further stabilize gradient directions, preventing overfitting to the surrogate model's specific geometry.

8/255
Standard L-infinity budget for ImageNet
40-60%
FGSM transfer rate
70-95%
MI-FGSM transfer rate
05

Ensemble-Based Surrogate Strategies

Crafting adversarial examples against an ensemble of surrogate models is the most reliable method for maximizing black-box transferability. By optimizing perturbations that simultaneously fool multiple architectures, the attack converges on shared vulnerable subspaces rather than model-specific weaknesses. The ensemble approach exploits the fact that while individual models have unique decision boundaries, the intersection of their adversarial regions often aligns with the target model's vulnerabilities. Effective ensemble strategies include:

  • Logit fusion: Averaging output logits before computing the loss.
  • Loss fusion: Summing individual model losses with equal or learned weighting.
  • Feature-level attacks: Maximizing disruption of intermediate representations across all surrogate models.

This technique is the foundation of state-of-the-art black-box attacks and is a standard baseline in robustness evaluation benchmarks like RobustBench.

95%+
Transfer rate with 4+ model ensembles
3-5
Optimal number of surrogate models
06

Input Transformation and Defense Evasion

Transferability is not only a function of the source and target models—it is also influenced by input preprocessing pipelines and defensive mechanisms deployed at inference time. Defenses that randomize inputs (e.g., randomized smoothing, JPEG compression, bit-depth reduction) disrupt the precise perturbation patterns crafted on the surrogate model, reducing transfer rates. However, expectation-over-transformation (EOT) attacks can circumvent these defenses by optimizing adversarial examples to remain effective across a distribution of input transformations. This creates a continuous arms race: defenders deploy stochastic preprocessing to break transferability, while attackers incorporate those same transformations into their optimization loop to restore cross-model efficacy.

30-50%
Transfer reduction from input randomization
70-90%
Transfer recovery with EOT optimization
TRANSFERABILITY DEEP DIVE

Frequently Asked Questions

Explore the mechanics and implications of adversarial example transferability, a critical phenomenon that undermines the security of machine learning systems by allowing attacks to cross model boundaries.

Transferability is the property by which an adversarial example crafted to fool one specific model (the surrogate) also induces misclassification in other independently trained models (the targets), even if they have different architectures or training data. This phenomenon occurs because distinct models often learn similar decision boundaries and rely on comparable, non-robust features. An attacker can generate perturbations on a local white-box model and deploy them against a remote black-box API without any query access, completely bypassing security measures. The existence of transferability demonstrates that vulnerabilities are not isolated bugs but systemic properties of the learned feature space.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.