An evasion attack targets a deployed model by crafting adversarial perturbations—minute, often imperceptible modifications to the input—that exploit blind spots in the learned decision boundary. In the context of RF fingerprinting, an attacker intentionally distorts their transmitted waveform to fool a specific emitter identification (SEI) system into misclassifying them as a legitimate, authorized device, thereby bypassing physical layer authentication.
Glossary
Evasion Attack

What is Evasion Attack?
An evasion attack is a class of adversarial machine learning attack where a malicious actor subtly perturbs an input signal at inference time to cause a trained model, such as an emitter identification classifier, to make an incorrect prediction without altering the model itself.
Unlike data poisoning, which corrupts the training pipeline, evasion attacks occur strictly at inference time and do not require access to the training data. The attacker may operate under a white-box threat model, where they possess full knowledge of the neural network's architecture and gradients to compute an optimal perturbation, or a more realistic black-box setting, where they probe the model's responses to iteratively approximate an adversarial example. Robustness against these attacks is quantified through adversarial training and formal verification of the model's adversarial robustness.
Common Evasion Attack Methods
Evasion attacks target a trained model at inference time by subtly perturbing the input signal to induce misclassification. In the RF domain, these perturbations must remain within the constraints of the transmitter hardware and spectral mask regulations.
Gradient-Based White-Box Attacks
Assumes the adversary has full knowledge of the model architecture and parameters. The attacker computes the gradient of the loss function with respect to the input IQ samples and applies a small perturbation in the direction that maximizes classification error.
- Fast Gradient Sign Method (FGSM): A single-step attack that applies a perturbation proportional to the sign of the gradient. Computationally cheap but often less effective against robust models.
- Projected Gradient Descent (PGD): An iterative, multi-step variant of FGSM that projects the perturbed signal back onto an epsilon-ball around the original input after each step. Considered a universal first-order adversary and a standard benchmark for empirical robustness evaluation.
- Carlini & Wagner (C&W) Attack: An optimization-based attack that minimizes the perturbation magnitude subject to a misclassification constraint, often producing smaller distortions than PGD.
Score-Based Black-Box Attacks
The adversary can only query the model and receive output probabilities or confidence scores, without access to gradients. Attackers estimate gradients through finite differences or train a surrogate model on query responses.
- Zeroth-Order Optimization (ZOO): Estimates the gradient by perturbing each input dimension individually and observing the change in the confidence score. Computationally expensive but effective against models that expose softmax outputs.
- Natural Evolution Strategies (NES): Uses a population-based search algorithm to estimate the gradient by sampling perturbations from a Gaussian distribution and weighting them by the resulting loss.
- Surrogate Model Training: The attacker builds a local substitute model by querying the target model with a synthetic dataset, then crafts white-box adversarial examples on the surrogate that transfer to the target.
Decision-Based Black-Box Attacks
The most restrictive threat model: the adversary only receives the final hard-label prediction, not confidence scores. These attacks rely on random walks and boundary exploration to find the nearest decision boundary.
- Boundary Attack: Starts with a large perturbation that already causes misclassification and iteratively reduces the perturbation magnitude while staying on the adversarial side of the decision boundary through a random walk with rejection sampling.
- HopSkipJumpAttack: A more efficient decision-based attack that combines binary search for boundary proximity with gradient direction estimation using Monte Carlo sampling, significantly reducing the number of queries required.
- Relevance to RF: Decision-based attacks are particularly relevant for tactical RF systems where only a demodulated symbol or emitter label is observable by an adversary.
Universal Adversarial Perturbations
A single, signal-agnostic perturbation vector that causes misclassification across a large fraction of input samples when added to any signal. This is particularly dangerous in RF systems where a jammer could broadcast a fixed perturbation waveform.
- Crafting Method: Computed by aggregating per-sample perturbation vectors using an iterative algorithm that enforces a global norm constraint while maximizing the fooling rate across the training distribution.
- Transferability: Universal perturbations often transfer across different model architectures trained on the same task, enabling black-box attacks without query access.
- Physical Realizability: In RF, the perturbation must be constrained to respect spectral emission masks and peak-to-average power ratio limits, requiring a projection step onto the feasible set of transmittable waveforms.
Channel-Aware Adversarial Perturbations
Standard adversarial examples crafted in the digital domain often fail to survive propagation through a physical wireless channel. Channel-aware attacks incorporate the channel impulse response into the perturbation optimization.
- Over-the-Air Robustness: The perturbation is convolved with an estimated or measured channel matrix during optimization, ensuring the adversarial effect persists after multipath fading and noise are applied.
- EIRP Constraints: The effective isotropic radiated power of the perturbation is constrained to prevent the adversary from simply increasing transmit power to overcome channel effects.
- Waveform-Specific Masking: Perturbations are projected onto the subspace of valid waveforms for the target modulation scheme, ensuring the adversarial signal remains demodulable by unintended receivers and evades anomaly detectors.
Adaptive Attacks Against Defenses
An evaluation methodology where the attacker is assumed to have full knowledge of the defense mechanism and tailors the attack to circumvent it. This is the gold standard for empirically validating adversarial robustness claims.
- Obfuscated Gradient Bypass: Many defenses rely on non-differentiable components or randomized transformations that cause gradient masking. Adaptive attackers replace these with differentiable approximations or compute gradients via Backward Pass Differentiable Approximation (BPDA).
- Expectation over Transformation (EoT): When a defense applies random input transformations, the attacker computes the gradient over the expected value of the transformed input, neutralizing the stochasticity.
- Defense-Aware Loss Functions: The attack optimization explicitly penalizes the defense's detection mechanism, jointly optimizing for misclassification and evasion of the anomaly detector.
Frequently Asked Questions
Explore the critical attack vectors that test the resilience of RF fingerprinting systems. These questions address how malicious actors attempt to evade emitter identification and the defensive strategies used to counter them.
An evasion attack is an adversarial machine learning technique where a malicious transmitter intentionally perturbs its emitted signal to cause a trained Specific Emitter Identification (SEI) model to misclassify it. Unlike poisoning attacks that corrupt the training data, evasion attacks occur at inference time. The attacker crafts subtle, often imperceptible modifications to the waveform—such as injecting carefully calculated noise or altering pulse shaping—that exploit blind spots in the neural network's decision boundary. In an electronic warfare context, this allows a hostile radar or communication node to impersonate a friendly asset or disappear from classification entirely, directly challenging the model's adversarial robustness.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Core concepts for understanding how evasion attacks threaten RF fingerprinting systems and the defensive techniques used to harden deep learning models against adversarial manipulation in electronic warfare contexts.
Adversarial Robustness
The resilience of an RF fingerprinting model against evasion attacks, where a malicious actor intentionally modifies their transmitted signal to fool the classifier. Robustness is quantified by measuring model accuracy against progressively stronger adversarial perturbations constrained by a maximum distortion budget. Key hardening techniques include:
- Adversarial training: Augmenting the training set with crafted adversarial examples
- Defensive distillation: Training a smoother model less sensitive to input perturbations
- Gradient masking: Obscuring the model's decision boundaries from gradient-based attacks
Transferability of Adversarial Examples
The phenomenon where adversarial perturbations crafted to fool one model (the surrogate) also deceive a different target model with high probability. This enables black-box attacks where the adversary has no direct access to the deployed classifier's architecture or parameters. In electronic warfare, an attacker can:
- Train a local surrogate model on collected RF emissions
- Generate adversarial examples against the surrogate
- Transmit the perturbed signals to evade the operational defender model Transferability is amplified when surrogate and target models share similar architectural inductive biases.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us