Inferensys

Glossary

Evasion Attack

An attack vector where an adversary modifies a malicious sample at inference time to circumvent a trained security model without altering the model itself.
Engineer reviewing vector database search results on laptop, embeddings visualization on screen, home office coding session.
ADVERSARIAL MACHINE LEARNING

What is Evasion Attack?

An evasion attack is an adversarial technique where a malicious input sample is subtly modified at inference time to cause a trained machine learning model to misclassify it, without altering the model's parameters or training data.

An evasion attack targets a deployed model by crafting adversarial perturbations—minute, often imperceptible distortions added to a malicious input. The attacker probes the model's decision boundary to find the minimal noise required to flip the classification, such as causing a spoofed RF transmitter to be authenticated as a legitimate device. This attack vector is particularly dangerous because it requires no access to the training pipeline.

In radio frequency fingerprinting, an adversary uses an evasion attack to modify a cloned waveform's I/Q samples so that a deep learning classifier incorrectly identifies it as an authorized emitter. Defenses include adversarial training, which injects perturbed examples into the training set, and feature squeezing, which reduces the input dimensionality to limit the attacker's degrees of freedom for constructing successful perturbations.

INFERENCE-TIME THREATS

Key Characteristics of Evasion Attacks

Evasion attacks are the most practical threat to deployed RF fingerprinting systems. Unlike poisoning, they don't require access to the training pipeline—only the ability to craft malicious inputs at inference time.

01

Inference-Time Manipulation

The defining characteristic of an evasion attack is that it occurs after model training is complete. The adversary modifies a malicious or spoofed signal at the point of capture to cause misclassification without ever touching the model's weights or architecture.

  • Attack surface is the model input, not the training data
  • Exploits blind spots in the learned decision boundary
  • Requires no privileged access to the training pipeline
  • Often executed through adversarial perturbation of the transmitted waveform
02

Adversarial Perturbation Crafting

Attackers generate carefully calculated noise patterns—often imperceptible to traditional signal analysis—that push the input across the model's decision boundary. These perturbations exploit the high-dimensional linearity of deep neural networks.

  • Fast Gradient Sign Method (FGSM): Single-step perturbation along the gradient
  • Projected Gradient Descent (PGD): Iterative, constrained optimization attack
  • Carlini & Wagner (C&W): Optimization-based attack minimizing perturbation magnitude
  • Perturbations are typically bounded by an L-p norm constraint to remain covert
03

Transferability Across Models

A critical property of evasion attacks: adversarial examples crafted against one fingerprinting model often fool other models trained on similar data. This enables black-box attacks where the adversary has no direct access to the deployed classifier.

  • Attacker trains a substitute model on a proxy dataset
  • Generates perturbations against the substitute
  • Transfers the crafted adversarial signal to the target system
  • Exploits shared vulnerabilities in model architectures and training distributions
04

Physical-World Realizability

Unlike purely digital adversarial examples, RF evasion attacks must survive channel propagation effects—multipath, fading, and noise—between the attacker's transmitter and the defender's receiver. This requires robust perturbation design.

  • Perturbations must remain effective after over-the-air transmission
  • Attacker must account for channel state information (CSI) uncertainty
  • Expectation over Transformation (EoT) techniques average over simulated channel variations
  • Real-world realizability separates theoretical from practical threats
05

Feature Space vs. Input Space Attacks

Evasion attacks can target different stages of the fingerprinting pipeline. Input space attacks modify the raw IQ samples directly, while feature space attacks manipulate extracted signal characteristics before classification.

  • Input space: Direct manipulation of IQ constellation points or waveform samples
  • Feature space: Altering cyclostationary features, higher-order statistics, or time-frequency representations
  • Feature-space attacks are often more efficient but require knowledge of the preprocessing chain
  • Defenders must secure the entire signal processing pipeline, not just the neural network
06

Adaptive Attack Strategies

Sophisticated adversaries employ adaptive attacks that iteratively probe the defense and refine their evasion strategy based on feedback. This arms race dynamic requires continuous model hardening.

  • Attacker queries the model to estimate decision boundary geometry
  • Uses gradient estimation techniques when direct access is unavailable
  • Adapts to known defenses like feature squeezing or defensive distillation
  • Requires defenders to assume an adaptive threat model, not just static attacks
ADVERSARIAL THREAT TAXONOMY

Evasion Attack vs. Related Adversarial Threats

A comparative analysis of distinct adversarial attack vectors targeting RF fingerprinting models, delineating their mechanisms, targets, and operational phases.

FeatureEvasion AttackAdversarial PerturbationFeature Space PoisoningBackdoor Attack

Attack Phase

Inference time

Inference time

Training time

Training time

Model Integrity

Model unchanged

Model unchanged

Model corrupted

Model corrupted

Attacker Goal

Misclassification of a specific sample

Misclassification via crafted noise

Blind spot creation for a class

Triggered misclassification

Input Modification

Modifies malicious sample features

Adds imperceptible noise pattern

Injects poisoned samples into dataset

Inserts hidden trigger pattern

Target Specificity

Sample-specific bypass

Sample-specific bypass

Class-wide degradation

Trigger-specific activation

Defense Strategy

Adversarial training, LID detection

Feature squeezing, distillation

Data provenance, outlier exposure

Neural cleanse, input sanitization

Stealth Requirement

High, must evade detection

High, noise must be imperceptible

Moderate, blends with training data

High, trigger must be covert

EVASION ATTACKS IN RF FINGERPRINTING

Frequently Asked Questions

Explore the mechanics of inference-time attacks designed to bypass radio frequency machine learning classifiers without altering the underlying model, and understand the defensive strategies used to counter them.

An evasion attack is an inference-time adversarial technique where a malicious actor subtly modifies a transmitted waveform to circumvent a trained radio frequency fingerprinting classifier without altering the model's parameters or training data. Unlike data poisoning, which corrupts the learning process, an evasion attack exploits blind spots in a model's learned decision boundaries. The attacker crafts an adversarial perturbation—a carefully calculated noise pattern added to the legitimate signal—that causes the deep learning model to misclassify the emitter. For example, a rogue device might add a specific, imperceptible distortion to its IQ constellation to impersonate an authorized transmitter on a secure network. This attack vector is critical in physical layer authentication because it directly threatens the zero-trust assumption that hardware signatures are unclonable.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.