Inferensys

Glossary

Evasion Attack

An adversarial machine learning attack where an input signal is subtly perturbed to cause a trained emitter identification model to misclassify it, testing the model's robustness in an electronic warfare context.
ML engineer managing model training cluster on laptop, GPU utilization visible, technical deep learning setup.
ADVERSARIAL MACHINE LEARNING

What is Evasion Attack?

An evasion attack is a class of adversarial machine learning attack where a malicious actor subtly perturbs an input signal at inference time to cause a trained model, such as an emitter identification classifier, to make an incorrect prediction without altering the model itself.

An evasion attack targets a deployed model by crafting adversarial perturbations—minute, often imperceptible modifications to the input—that exploit blind spots in the learned decision boundary. In the context of RF fingerprinting, an attacker intentionally distorts their transmitted waveform to fool a specific emitter identification (SEI) system into misclassifying them as a legitimate, authorized device, thereby bypassing physical layer authentication.

Unlike data poisoning, which corrupts the training pipeline, evasion attacks occur strictly at inference time and do not require access to the training data. The attacker may operate under a white-box threat model, where they possess full knowledge of the neural network's architecture and gradients to compute an optimal perturbation, or a more realistic black-box setting, where they probe the model's responses to iteratively approximate an adversarial example. Robustness against these attacks is quantified through adversarial training and formal verification of the model's adversarial robustness.

ADVERSARIAL THREAT TAXONOMY

Common Evasion Attack Methods

Evasion attacks target a trained model at inference time by subtly perturbing the input signal to induce misclassification. In the RF domain, these perturbations must remain within the constraints of the transmitter hardware and spectral mask regulations.

01

Gradient-Based White-Box Attacks

Assumes the adversary has full knowledge of the model architecture and parameters. The attacker computes the gradient of the loss function with respect to the input IQ samples and applies a small perturbation in the direction that maximizes classification error.

  • Fast Gradient Sign Method (FGSM): A single-step attack that applies a perturbation proportional to the sign of the gradient. Computationally cheap but often less effective against robust models.
  • Projected Gradient Descent (PGD): An iterative, multi-step variant of FGSM that projects the perturbed signal back onto an epsilon-ball around the original input after each step. Considered a universal first-order adversary and a standard benchmark for empirical robustness evaluation.
  • Carlini & Wagner (C&W) Attack: An optimization-based attack that minimizes the perturbation magnitude subject to a misclassification constraint, often producing smaller distortions than PGD.
ε = 0.01
Typical IQ Perturbation Magnitude
02

Score-Based Black-Box Attacks

The adversary can only query the model and receive output probabilities or confidence scores, without access to gradients. Attackers estimate gradients through finite differences or train a surrogate model on query responses.

  • Zeroth-Order Optimization (ZOO): Estimates the gradient by perturbing each input dimension individually and observing the change in the confidence score. Computationally expensive but effective against models that expose softmax outputs.
  • Natural Evolution Strategies (NES): Uses a population-based search algorithm to estimate the gradient by sampling perturbations from a Gaussian distribution and weighting them by the resulting loss.
  • Surrogate Model Training: The attacker builds a local substitute model by querying the target model with a synthetic dataset, then crafts white-box adversarial examples on the surrogate that transfer to the target.
03

Decision-Based Black-Box Attacks

The most restrictive threat model: the adversary only receives the final hard-label prediction, not confidence scores. These attacks rely on random walks and boundary exploration to find the nearest decision boundary.

  • Boundary Attack: Starts with a large perturbation that already causes misclassification and iteratively reduces the perturbation magnitude while staying on the adversarial side of the decision boundary through a random walk with rejection sampling.
  • HopSkipJumpAttack: A more efficient decision-based attack that combines binary search for boundary proximity with gradient direction estimation using Monte Carlo sampling, significantly reducing the number of queries required.
  • Relevance to RF: Decision-based attacks are particularly relevant for tactical RF systems where only a demodulated symbol or emitter label is observable by an adversary.
04

Universal Adversarial Perturbations

A single, signal-agnostic perturbation vector that causes misclassification across a large fraction of input samples when added to any signal. This is particularly dangerous in RF systems where a jammer could broadcast a fixed perturbation waveform.

  • Crafting Method: Computed by aggregating per-sample perturbation vectors using an iterative algorithm that enforces a global norm constraint while maximizing the fooling rate across the training distribution.
  • Transferability: Universal perturbations often transfer across different model architectures trained on the same task, enabling black-box attacks without query access.
  • Physical Realizability: In RF, the perturbation must be constrained to respect spectral emission masks and peak-to-average power ratio limits, requiring a projection step onto the feasible set of transmittable waveforms.
>80%
Fooling Rate Achievable
05

Channel-Aware Adversarial Perturbations

Standard adversarial examples crafted in the digital domain often fail to survive propagation through a physical wireless channel. Channel-aware attacks incorporate the channel impulse response into the perturbation optimization.

  • Over-the-Air Robustness: The perturbation is convolved with an estimated or measured channel matrix during optimization, ensuring the adversarial effect persists after multipath fading and noise are applied.
  • EIRP Constraints: The effective isotropic radiated power of the perturbation is constrained to prevent the adversary from simply increasing transmit power to overcome channel effects.
  • Waveform-Specific Masking: Perturbations are projected onto the subspace of valid waveforms for the target modulation scheme, ensuring the adversarial signal remains demodulable by unintended receivers and evades anomaly detectors.
06

Adaptive Attacks Against Defenses

An evaluation methodology where the attacker is assumed to have full knowledge of the defense mechanism and tailors the attack to circumvent it. This is the gold standard for empirically validating adversarial robustness claims.

  • Obfuscated Gradient Bypass: Many defenses rely on non-differentiable components or randomized transformations that cause gradient masking. Adaptive attackers replace these with differentiable approximations or compute gradients via Backward Pass Differentiable Approximation (BPDA).
  • Expectation over Transformation (EoT): When a defense applies random input transformations, the attacker computes the gradient over the expected value of the transformed input, neutralizing the stochasticity.
  • Defense-Aware Loss Functions: The attack optimization explicitly penalizes the defense's detection mechanism, jointly optimizing for misclassification and evasion of the anomaly detector.
ADVERSARIAL ROBUSTNESS

Frequently Asked Questions

Explore the critical attack vectors that test the resilience of RF fingerprinting systems. These questions address how malicious actors attempt to evade emitter identification and the defensive strategies used to counter them.

An evasion attack is an adversarial machine learning technique where a malicious transmitter intentionally perturbs its emitted signal to cause a trained Specific Emitter Identification (SEI) model to misclassify it. Unlike poisoning attacks that corrupt the training data, evasion attacks occur at inference time. The attacker crafts subtle, often imperceptible modifications to the waveform—such as injecting carefully calculated noise or altering pulse shaping—that exploit blind spots in the neural network's decision boundary. In an electronic warfare context, this allows a hostile radar or communication node to impersonate a friendly asset or disappear from classification entirely, directly challenging the model's adversarial robustness.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.