SAR Angle-Invariant Physical Adversarial Attack

• The paper introduces a physics-guided framework using parametric scattering models and simulators to craft physically realizable attacks on SAR ATR systems.
• SAAIPAA achieves over 80% attack success rate across ±30° by optimizing adversarial perturbations that remain robust under varying electromagnetic and imaging conditions.
• The approach leverages multi-angle sampling, gradient-based and finite-difference methods to ensure attack transferability and robust performance in both white-box and black-box scenarios.

A Synthetic Aperture Radar (SAR) Aspect-Angles-Invariant Physical Adversarial Attack (SAAIPAA) is a class of attack strategies that exploit specific physical mechanisms—such as the deployment of corner reflectors, the introduction of adversarial scatterers, or perturbation of target scattering parameters—to cause ML-based automatic target recognition (ATR) systems in SAR imaging pipelines to fail consistently, even as the SAR platform’s aspect angle (azimuth) relative to the target varies. Unlike digital-domain adversarial attacks, SAAIPAA requires a deep understanding of both electromagnetic scattering physics and SAR imaging formation to generate attack perturbations that are physically realizable, robust, and transferable across a wide range of SAR viewing geometries. Recent frameworks leverage parametric scattering models or physics-based simulators to optimize adversarial configurations with strong invariance properties, resulting in state-of-the-art attack success rates (ASR) against state-of-the-art victims, and forming the foundation of adversarial robustness research for SAR ATR (Lemeire et al., 5 Nov 2025, Peng et al., 2022, Cui et al., 2 Mar 2024).

1. Motivation and Historical Context

Adversarial attacks on visual ML systems were first studied in the digital image domain, where imperceptible pixel-level perturbations bias deep neural network (DNN) inference. However, this digital paradigm fails to ensure that successful attacks remain effective after the physically consistent transformations imposed by SAR: electromagnetic (EM) wave propagation, target scattering, coherent summation, and imaging. Physical adversarial attacks (PAAs) thus evolved, whereby adversarial perturbations are embedded at the EM response level—using, for example, the deliberate placement of metallic structures or modified object reflectivity—to impact DL-based ATR under operational SAR scenarios.

The demand for aspect-angles-invariant attacks follows from the mobility and independence of SAR platforms: the attacker generally lacks control over the SAR look-angle distribution. Early PAAs (such as single-angle–optimized adversarial patches, or attacks in 2D “pseudo-physics” images) failed to persist across the natural variability of SAR signatures induced by changing azimuth, elevation, or polarization. SAAIPAA addresses this deficiency by directly embedding invariance into its design.

2. Physical and Parametric Models for Adversarial Perturbation

SAAIPAA frameworks rely on physics-guided parameterizations to ensure both physical realizability and differentiability with respect to the attack objective. Two paradigms have emerged:

Attributed Scattering Center Model (ASCM) (Peng et al., 2022)

The target and its adversarial perturbation are synthesized as a collection of $N$ attributed scattering centers (ASCs), each defined by:

• Amplitude: $A_i \geq 0$
• Location $(x_i, y_i) \in \mathbb{R}^2$ (range/cross-range, e.g., in pixel or meter coordinates)
• Frequency-dependence index: $\alpha_i \in \{-1, -0.5, 0, 0.5, 1\}$
• Aspect-dependence coefficient: $\gamma_i \geq 0$ (for localized returns)
• Extent $L_i \geq 0$ and orientation $\bar{\phi}_i \in [-\pi, \pi]$ (for distributed returns)

Each scatterer’s contribution to the backscattered field at frequency $f$ and angle $\theta$ is:

$$E_i(f,\theta;\theta_i) = A_i \cdot (j f/f_c)^{\alpha_i} \exp\left(-j \frac{4\pi f}{c} (x_i \cos\theta + y_i \sin\theta)\right) \operatorname{sinc}\left(2\pi f L_i/c \cdot \sin(\theta-\bar{\phi}_i)\right) \exp(-2\pi f \gamma_i |\sin\theta|)$$

Summing over all $N$ scatterers and applying the SAR imaging forward model via a 2D inverse Fourier transform yields a differentiable mapping from the scatterer parameters to the SAR image domain.

Real-Physics Parameterization (Cui et al., 2 Mar 2024)

Alternatively, SAAIPAA attacks may operate directly at the 3D model/simulator level: the target is decomposed into $N$ mesh facets, each assigned scattering feature parameters (e.g., specular coefficient $F_{s,i}$, diffuse coefficient $F_{d,i}$, roughness $F_{r,i}$, and brightness $F_{b,i}$). The physical simulator (e.g., RaySAR) computes the echo from each facet, incorporating specular and diffuse returns. Adversarial perturbations $\Delta F_{s,i}$, $\Delta F_{d,i}$ are applied within physical bounds:

$$F_{s,i}^{adv} = F_{s,i} + \Delta F_{s,i}, \quad F_{d,i}^{adv} = F_{d,i} + \Delta F_{d,i}; \quad F_{s,i}^{adv}, F_{d,i}^{adv} \in [0, 1]$$

The collective modified parameter set forms the adversarial target, and multicamera rendering synchronizes attacks across aspect angles.

3. Optimization Strategies for Angle-Invariant Attacks

The central optimization objective in SAAIPAA is to maximize the classification loss for a set of candidate aspect angles $\Theta_{train} = \{\theta_1, ..., \theta_K\}$, ensuring that the attack holds across a predefined angle spread. The generic objective is:

$$\Theta^* = \arg\min_{\Theta \in C_{phys}} \max_{\theta \in \Theta_{train}} L(\Theta; \theta)$$

where $C_{phys}$ encodes physical constraints (e.g., amplitude or scatterer count bounds, geometric deployment region).

Gradient-Based Approaches

• For parametric/differentiable models, gradients with respect to $\Theta$ are computed via the chain rule, leveraging full backpropagation through the imaging pipeline.
• Soft greedy step-size updates and population-based candidate selection (batch optimization) further increase convergence robustness.

Non-Differentiable Simulation

• For non-differentiable physics engines (e.g., RaySAR), gradients are approximated via finite differences in parameter space, with minibatched updates and gradient clipping.

Multi-Angle Sampling and Robustification

• During each optimization step, the loss is evaluated over a sampled subset of aspect angles. Multi-angle training, as opposed to single-angle approaches, dramatically enhances invariance: average ASR rises from 56% (single-angle) to 89% (multi-angle) over a $\pm30^\circ$ span (Peng et al., 2022).
• Additional robustification methods include randomized smoothing (adding noise or speckle during optimization), adversarial training of the target DNN, and $L_2$ or $L_1$ regularization of perturbation parameters.

4. Attack Realization and Experimental Evaluation

Evaluation of SAAIPAA systems centers on the MSTAR dataset (10-class, depression angle 17° for training, 15° for testing), with SAR images either simulated or measured across fine aspect grids (e.g., $-30^\circ$ to $+30^\circ$ in $5^\circ$ steps) (Peng et al., 2022, Cui et al., 2 Mar 2024).

Implementation Workflow

Step	Description	Notes
Physical Model Initialization	Place ASCs or modify facet parameters in 3D/2D	Within geometric/physical bounds
Multi-Angle Forward Simulation	Render SAR image(s) at sampled angles $\theta \in \Theta_{train}$	Different pipeline for parametric and simulator-based frameworks
Loss Computation and Backpropagation	Evaluate DNN cross-entropy loss, compute (approximate) gradient	Differentiable or finite-difference
Parameter Update with Constraints	Projected gradient ascent; keep batch best	Step-size adaptation
Evaluation over Test Angles	Measure attack success rate (ASR) vs. aspect angle	White-box and black-box settings

Performance Metrics

Attack Success Rate (ASR) is the predominant metric, measured as the fraction of attacked images that result in misclassification.

Example Results

• ASR for SAAIPAA ($N=1$ scatterer, tested on AConvNet):

| $\theta$ | $-30^\circ$ | $-15^\circ$ | $0^\circ$ | $+15^\circ$ | $+30^\circ$ | |-------------|-------------|-------------|-----------|-------------|-------------| | SAAIPAA | 82% | 88% | 91% | 87% | 83% | | PGD-$\ell_\infty$ | 23% | 45% | 51% | 42% | 18% |

• SAAIPAA yields ASR >80% across all angles with $N=1$; with $N\geq2$ scatterers, ASR remains $\sim$90% over the full $\pm30^\circ$ span.
• DeepFool achieves near-perfect ASR at all angles but is unconstrained in physical realizability.
• SAR-AE-SFP achieves ASR $\sim$84\% in favorable azimuth ranges and demonstrates strong transfer across DNN architectures: cross-model transfer yields 70–90% ASR between CNNs and 30–60% for Transformers (Cui et al., 2 Mar 2024).
• SAAIPAA achieves average fooling rates of over 80% for DenseNet-121 and ResNet50 in the white-box setting; when the aspect angle is known to the attacker, $\bar{\text{ASR}} = 99.2\%$ is attainable (Lemeire et al., 5 Nov 2025).

5. Physical Realizability, Generalization, and Deployment

SAAIPAA’s central innovation is its focus on physically realizable mechanism design. Adversarial perturbations must be constructible via domain mechanisms (e.g., corner reflector placement, object coatings, or modification of scattering facet parameters) and must persist under the signal propagation, imaging, and ATR chain. Notably:

• Adversarial scatterers can be realized using a small number of deployable reflectors, whose positions and orientations are optimized for angle invariance.
• Physics-based parameter perturbations can be implemented by modifying target surface properties (e.g., via coatings, engineered scattering panels, or temporarily attached structures) to match optimized scattering coefficients.

A unique feature is the ability to achieve strong attack performance even when the attacker lacks precise knowledge of the SAR platform’s trajectory. By ensuring at least one adversarial element is present in every azimuthal quadrant and optimizing over a sampled angle set, SAAIPAA remains robust over a range of plausible deployment scenarios (Lemeire et al., 5 Nov 2025).

6. Transferability, Robustness, and Limitations

SAAIPAA and SAR-AE-SFP are effective both in white-box (model-known) and to varying degrees in black-box (model-unknown) regimes. For example, adversarial perturbations optimized on ResNet50 transfer well to DenseNet121 but less so to MobileNetV2 (Lemeire et al., 5 Nov 2025). Attacks exhibit diminished ASR for targets with complex or uncharacteristic scattering features and in certain azimuth ranges (side or rear views), as in SAR-AE-SFP for 120°–179° azimuth bin (Cui et al., 2 Mar 2024). Robustification strategies targeting these weaknesses include richer multi-angle optimization and regularization of ASR variance across angles.

A practical outcome from recent experiments is the development of bounding box generation techniques for densely sampled azimuthal SAR datasets, critical for precise localization in aspect-variant evaluations (Lemeire et al., 5 Nov 2025).

7. Outlook and Extensions

Current SAAIPAA-formulations provide a foundation for future research in several directions:

• Extending SAAIPAA to bistatic, circular, and multi-static SAR by adapting the imaging forward model.
• Joint multi-angle optimization and robust regularization to flatten ASR curves across all relevant aspect bins.
• Physical deployment studies combining engineered adversarial reflectors and surface modifications.
• Integration of SAAIPAA-generated perturbations into adversarial training for improved ATR robustness.
• Exploration of transferability to emerging network architectures and broader SAR datasets.

These efforts unify the physics of radar scattering, differentiable simulation, and adversarial ML into a rigorous, application-grounded framework for understanding and defending against physical-domain attacks on SAR ATR systems (Lemeire et al., 5 Nov 2025, Peng et al., 2022, Cui et al., 2 Mar 2024).