Papers
Topics
Authors
Recent
Search
2000 character limit reached

Transferable Frequency-Aware Attacks

Updated 4 July 2026
  • Transferable frequency-aware attacks are adversarial methods that exploit explicit frequency representations to craft perturbations for improved black-box efficacy.
  • They employ diverse spectral transforms such as Fourier, cosine, and wavelet to optimize and selectively manipulate low, mid, and high-frequency components.
  • The literature demonstrates that techniques like spectral augmentation and cross-frequency meta-learning significantly enhance transferability across models and application domains.

Transferable frequency-aware attacks are adversarial methods that manipulate perturbations through an explicit frequency representation in order to improve black-box efficacy, cross-model generalization, cross-domain robustness, concealment, or all four simultaneously. In this literature, “frequency-aware” does not denote a single mechanism. It includes direct optimization in the Fourier, cosine, wavelet, or short-time Fourier domain; decomposition of inputs into low-, mid-, and high-frequency bands; spectral augmentation of surrogate inputs; frequency-conditioned feature alignment; and hybrid attacks that combine spatial and spectral gradients. The resulting attack family now spans standard image classification, automatic modulation classification, RF fingerprinting, face forgery detection, AI-generated image detection, closed-source multimodal LLMs, and learned image compression systems (Long et al., 2022, Yang et al., 2024, Yuan et al., 6 Mar 2025, Yuan et al., 20 May 2026).

1. Conceptual foundations

Transferability is the property that an adversarial example optimized on a surrogate model also fools an unseen target. Frequency-aware methods address a recurring failure mode of purely spatial attacks: gradients computed on one model can over-specialize to that model’s decision boundary, whereas spectral structure often exposes feature biases that are more broadly shared across architectures or domains. Several papers make this claim operationally rather than rhetorically. “Frequency Domain Model Augmentation for Adversarial Attack” defines a spectrum transformation that simulates diverse substitute models in the frequency domain and argues that the resulting spectrum saliency maps span a larger subspace than spatial-domain transforms do (Long et al., 2022). “Towards Transferable Adversarial Attacks with Centralized Perturbation” similarly argues that concentrating perturbation on dominant frequency coefficients mitigates source-model overfitting (Wu et al., 2023).

A central point in the literature is that transferability is not tied to one privileged band. Different tasks and targets expose different spectral vulnerabilities. Weng et al. report that high-frequency perturbations tend to fool normally trained networks more readily, while low-frequency perturbations transfer better to defense models, motivating cross-frequency meta-optimization (Weng et al., 2024). LFAA, despite its name, is motivated by the observation that replacing the high-frequency component of an image with that of another image can mislead deep models, yet it ultimately generates targeted perturbations that are added to the low-frequency component of the image (Wang et al., 2023). FACL-Attack instead treats mid-frequency features as the domain-invariant “semantic core,” randomizing low and high bands while explicitly separating clean and perturbed mid-frequency features during training (Yang et al., 2024). A wavelet-packet study goes further and reports that the worst-perturbed bands are not the global high-frequency extremes, but the high-frequency components of low-frequency bands such as “da,” “daa,” and “dad” (Zhang et al., 2024).

This band dependence also appears outside vision. In RF fingerprinting, a transmitter can inject transferable time-domain perturbations, yet Theorem 1 in “Robust Eavesdropping in the Presence of Adversarial Communications for RF Fingerprinting” shows that the eavesdropper’s important mid-band short-time Fourier features can remain nearly unchanged because the adversarial power is confined to out-of-band frequencies (Yuan et al., 6 Mar 2025). A common misconception is therefore that “frequency-aware” means “high-frequency attack.” The literature supports a more conditional view: low-, mid-, and high-frequency emphasis each appear as transfer-promoting priors under different threat models (Wang et al., 2023, Yang et al., 2024, Zheng et al., 27 May 2025, Yuan et al., 6 Mar 2025).

2. Spectral representations and perturbation parameterizations

The field is organized around a small set of transforms. Image attacks commonly use the 2-D DCT, FFT, DWT, or wavelet packet decomposition. RF and communication settings use STFT or signal-band-specific Fourier parameterizations. The representation is not merely diagnostic; it determines which coefficients are directly optimized, which are randomized, and which are suppressed.

Representation Representative use Operational role
2-D DCT SSA, FACL-Attack, FRA-Attack, face forgery attacks model augmentation, band masking, feature alignment, gradient regularization
FFT FSA, FAMPE stochastic spectral augmentation, LF/HF trade-off
DWT / WPD MetaSSA, WaveTransform, WPD black-box attack band decomposition, feature mixing, band-selective perturbation
STFT RF eavesdropper time-frequency feature extraction and robustness analysis

Direct frequency-domain optimization appears clearly in SFFAA for automatic modulation classification. It restricts the perturbation spectrum to a known occupied band and formalizes the objective as minimizing the fraction of power leaked outside the band,

minδ  energy(δso)energy(δ)s.t.f(x+δ)y,  δζ,\min_{\delta}\; \frac{\mathsf{energy}(\delta_{\mathrm{so}})}{\mathsf{energy}(\delta)} \quad \text{s.t.} \quad f(x+\delta)\neq y,\; \|\delta\|_{\infty}\le\zeta,

with iterative updates performed on the frequency-domain variable sns_n and projection back to the time domain through IFFT and clipping (Zhang et al., 2022). By construction, the attack targets spectral concealment and decision failure simultaneously.

Other methods retain spatial-domain optimization but inject frequency-aware stochasticity or regularization. The 2025 Frequency-Space Attack defines a high-frequency augmentation module

X~(ω)=(X(ω)+DE(ω))M(ω),xhf=F1(X~),\widetilde{X}(\omega)=\bigl(X(\omega)+D_E(\omega)\bigr)\cdot M(\omega),\qquad x_{hf}=\mathcal{F}^{-1}(\widetilde{X}),

where M(ω)U(1p,1+p)M(\omega)\sim\mathcal{U}(1-p,1+p) and DE(ω)D_E(\omega) scales Gaussian noise toward higher frequencies through a linear weighting W(ω)W(\omega) (Zheng et al., 27 May 2025). SSA uses a related DCT-domain transformation,

T(x)=DI((D(x+ξ))M),T(x)=D_I\bigl((D(x+\xi))\odot M\bigr),

with fresh Gaussian noise and multiplicative masks at every iteration, then averages gradients across multiple transformed inputs (Long et al., 2022). Centralized Perturbation takes a spatial step Δt\Delta_t, transforms it blockwise into YCbCr-DCT coefficients, multiplies by binary masks Qc,tQ_{c,t}, and learns those masks in parallel so that only dominant coefficients survive (Wu et al., 2023).

Wavelet-based attacks expose finer granularity. MetaSSA decomposes an image with single-level orthogonal DWT into xlx_l and sns_n0, then mixes clean and adversarial features differently for standard and defense models (Weng et al., 2024). WaveTransform updates selected wavelet subbands sns_n1 under an sns_n2 constraint and reconstructs the image through IDWT (Anshumaan et al., 2020). The WPD-based decision attack narrows its search to the bands sns_n3, chosen after cosine-similarity analysis identified those bands as carrying concentrated adversarial disturbance (Zhang et al., 2024).

3. Transferability mechanisms

One major mechanism is spectral augmentation of the surrogate. SSA treats each transformed spectrum as a “simulated” substitute model and proves that the corresponding spectrum saliency map is perturbed by the random mask sns_n4, which increases substitute diversity (Long et al., 2022). The 2025 Frequency-Space Attack pushes the same idea further by coupling High-Frequency Augmentation with Hierarchical-Gradient Fusion, a multi-scale gradient pyramid whose coarser levels receive larger weights. In its ImageNet-1000 evaluation, FSA reports an average attack success rate increase of sns_n5 compared with BSR on eight black-box defense models (Zheng et al., 27 May 2025).

A second mechanism is cross-frequency meta-learning. Meta-SFFAA constructs tasks over surrogate AMC models, using some models for “meta-train” and a held-out surrogate for “meta-test,” so that the perturbation update direction generalizes across architectures (Zhang et al., 2022). MetaSSA resolves a conflict between two feature-mixing strategies—AFM for normally trained models and LF-AFM for defense models—through a three-step meta-train, meta-test, and final update procedure (Weng et al., 2024). This directly encodes the claim that different target classes of models prefer different spectral attack views.

A third mechanism is frequency-aware feature alignment. FACL-Attack introduces Frequency-Aware Domain Randomization, which randomizes low- and high-frequency components but leaves mid-frequency coefficients unchanged, and a contrastive loss

sns_n6

which pushes mid-frequency features of clean and perturbed inputs apart while pulling low/high features together (Yang et al., 2024). FRA-Attack for closed-source MLLMs combines a high-pass DCT objective over patch features with Frequency-domain Gradient Regularization, a low-pass filter sns_n7 applied to the DCT of the surrogate gradient. The design is explicitly split: high-frequency alignment concentrates on intrinsic visual focus, while low-frequency gradient regularization removes surrogate-specific high-frequency artifacts (Yuan et al., 20 May 2026).

A fourth mechanism is dual-domain importance fusion. The face forgery attack introduces a DCT-domain fusion module that captures salient adversarial regions in the frequency domain and then alternates frequency and spatial updates in a hybrid attack (Jia et al., 2022). DuFIA for AI-generated image detectors computes a spatial feature-importance map through integrated gradients and a frequency feature-importance map through randomized DCT perturbation, then fuses them as

sns_n8

before maximizing a mid-layer feature attack loss under an sns_n9 constraint (Zhu et al., 19 Nov 2025). In both cases, transferability is attributed to complementary information captured in the two domains rather than to a purely spectral prior.

4. Domain-specific developments

In image classification, the field has moved from augmentation-based attacks toward structured spectral reasoning. SSA showed that frequency-domain model augmentation can be retrofitted to iterative attacks such as I-FGSM, MI-FGSM, DI-FGSM, TI-FGSM, and SI-FGSM (Long et al., 2022). FACL-Attack shifted the focus to cross-domain and cross-model generator training under strict black-box conditions, using DCT band partitioning and contrastive feature separation (Yang et al., 2024). LFAA addressed a harder regime—transferable targeted attacks—by training a class-conditional generator that outputs perturbations added to the low-frequency component of the image (Wang et al., 2023). FRA-Attack generalizes the same logic to closed-source MLLMs, where the surrogate is an open-source vision encoder but the victim is an unknown proprietary multimodal system (Yuan et al., 20 May 2026).

Signal-processing applications adopt analogous ideas but with domain-specific constraints. In AMC, SFFAA and Meta-SFFAA explicitly exploit the known occupied spectrum of the communication signal, restricting perturbation energy to that band and measuring concealment through the Out-Spectrum Energy Ratio (Zhang et al., 2022). In RF fingerprinting, the adversary is the transmitter rather than an external attacker: it adds X~(ω)=(X(ω)+DE(ω))M(ω),xhf=F1(X~),\widetilde{X}(\omega)=\bigl(X(\omega)+D_E(\omega)\bigr)\cdot M(\omega),\qquad x_{hf}=\mathcal{F}^{-1}(\widetilde{X}),0 to a complex baseband preamble under a power budget and crafts the perturbation with X~(ω)=(X(ω)+DE(ω))M(ω),xhf=F1(X~),\widetilde{X}(\omega)=\bigl(X(\omega)+D_E(\omega)\bigr)\cdot M(\omega),\qquad x_{hf}=\mathcal{F}^{-1}(\widetilde{X}),1-FGSM, X~(ω)=(X(ω)+DE(ω))M(ω),xhf=F1(X~),\widetilde{X}(\omega)=\bigl(X(\omega)+D_E(\omega)\bigr)\cdot M(\omega),\qquad x_{hf}=\mathcal{F}^{-1}(\widetilde{X}),2-FGSM, X~(ω)=(X(ω)+DE(ω))M(ω),xhf=F1(X~),\widetilde{X}(\omega)=\bigl(X(\omega)+D_E(\omega)\bigr)\cdot M(\omega),\qquad x_{hf}=\mathcal{F}^{-1}(\widetilde{X}),3-PGD, or X~(ω)=(X(ω)+DE(ω))M(ω),xhf=F1(X~),\widetilde{X}(\omega)=\bigl(X(\omega)+D_E(\omega)\bigr)\cdot M(\omega),\qquad x_{hf}=\mathcal{F}^{-1}(\widetilde{X}),4-PGD on the receiver’s surrogate model (Yuan et al., 6 Mar 2025). The eavesdropper then counters with an STFT-based architecture because the transmitter’s purely time-domain transferable perturbations remain spectrally localized away from the classifier’s important midbands (Yuan et al., 6 Mar 2025).

Forensic and detection tasks reveal another use of frequency awareness: attacking detectors that themselves rely on spectral artifacts. The face forgery attack reports that its DCT-domain method fools spatial-based and frequency-based detectors, including FX~(ω)=(X(ω)+DE(ω))M(ω),xhf=F1(X~),\widetilde{X}(\omega)=\bigl(X(\omega)+D_E(\omega)\bigr)\cdot M(\omega),\qquad x_{hf}=\mathcal{F}^{-1}(\widetilde{X}),5-Net and LRL (Jia et al., 2022). DuFIA transfers across AI-generated image detectors by fusing spatially interpolated gradients with frequency-aware perturbation-derived feature importance (Zhu et al., 19 Nov 2025). In learned image compression, the objective changes from misclassification to trigger persistence and downstream task manipulation, but the spectral logic persists: backdoor triggers are embedded in selected DCT frequencies, robust frequency selection chooses Top-X~(ω)=(X(ω)+DE(ω))M(ω),xhf=F1(X~),\widetilde{X}(\omega)=\bigl(X(\omega)+D_E(\omega)\bigr)\cdot M(\omega),\qquad x_{hf}=\mathcal{F}^{-1}(\widetilde{X}),6 coefficients that survive preprocessing, and boundary-shift interpolation improves cross-model and cross-domain transferability for downstream segmentation and face-recognition attacks (Yu et al., 2024).

5. Empirical patterns and evaluation criteria

Reported gains are substantial but heterogeneous because metrics differ by task. On ImageNet defenses, SSA reports an average success rate of X~(ω)=(X(ω)+DE(ω))M(ω),xhf=F1(X~),\widetilde{X}(\omega)=\bigl(X(\omega)+D_E(\omega)\bigr)\cdot M(\omega),\qquad x_{hf}=\mathcal{F}^{-1}(\widetilde{X}),7 when attacking nine state-of-the-art defense models with an ensemble substitute (Long et al., 2022). The 2025 Frequency-Space Attack reports single-model average attack success rates of approximately X~(ω)=(X(ω)+DE(ω))M(ω),xhf=F1(X~),\widetilde{X}(\omega)=\bigl(X(\omega)+D_E(\omega)\bigr)\cdot M(\omega),\qquad x_{hf}=\mathcal{F}^{-1}(\widetilde{X}),8 versus approximately X~(ω)=(X(ω)+DE(ω))M(ω),xhf=F1(X~),\widetilde{X}(\omega)=\bigl(X(\omega)+D_E(\omega)\bigr)\cdot M(\omega),\qquad x_{hf}=\mathcal{F}^{-1}(\widetilde{X}),9 for BSR, and up to M(ω)U(1p,1+p)M(\omega)\sim\mathcal{U}(1-p,1+p)0 ASR on Inc-v3 ens3 when combined with other input transforms (Zheng et al., 27 May 2025). Centralized Perturbation reports a mean improvement of M(ω)U(1p,1+p)M(\omega)\sim\mathcal{U}(1-p,1+p)1 percentage points over vanilla gradient baselines across five attacks and six black-box models (Wu et al., 2023). FACL-Attack evaluates transfer in terms of post-attack top-1 accuracy and reduces the cross-model average from M(ω)U(1p,1+p)M(\omega)\sim\mathcal{U}(1-p,1+p)2 to M(ω)U(1p,1+p)M(\omega)\sim\mathcal{U}(1-p,1+p)3 and the cross-domain average from M(ω)U(1p,1+p)M(\omega)\sim\mathcal{U}(1-p,1+p)4 to M(ω)U(1p,1+p)M(\omega)\sim\mathcal{U}(1-p,1+p)5, where lower is better (Yang et al., 2024).

Targeted and structured black-box settings show similarly strong effects. LFAA reports targeted black-box success-rate improvements ranging from M(ω)U(1p,1+p)M(\omega)\sim\mathcal{U}(1-p,1+p)6 to M(ω)U(1p,1+p)M(\omega)\sim\mathcal{U}(1-p,1+p)7 over prior methods, with a black-box success of M(ω)U(1p,1+p)M(\omega)\sim\mathcal{U}(1-p,1+p)8 on DenseNet-121 and M(ω)U(1p,1+p)M(\omega)\sim\mathcal{U}(1-p,1+p)9 on VGG-19DE(ω)D_E(\omega)0 when trained on ResNet-50 as surrogate (Wang et al., 2023). The WPD-based decision attack reports an average attack success rate reaching DE(ω)D_E(\omega)1, together with query counts, SSIM, and the proposed normalized disturbance visibility index (Zhang et al., 2024). In AMC, SFFAA confines more than DE(ω)D_E(\omega)2 of perturbation energy inside the band, achieving OSER approximately DE(ω)D_E(\omega)3 dB and average FD DE(ω)D_E(\omega)4 at SNR DE(ω)D_E(\omega)5 dB, while Meta-SFFAA improves black-box transfer beyond FGSM, PGD, and UAP (Zhang et al., 2022).

The RF case is notable because it reveals a limit rather than a gain. On clean signals, the intended receiver achieves DE(ω)D_E(\omega)6 on seen devices and DE(ω)D_E(\omega)7 on unseen devices, while the eavesdropper achieves DE(ω)D_E(\omega)8 and DE(ω)D_E(\omega)9 (Yuan et al., 6 Mar 2025). Under single-step FGSM, an unaware time-domain eavesdropper collapses to approximately W(ω)W(\omega)0 at PSR W(ω)W(\omega)1 dB, but the STFT-based eavesdropper remains above W(ω)W(\omega)2–W(ω)W(\omega)3 up to PSR W(ω)W(\omega)4 dB in Environment A and tracks the receiver in Environment B (Yuan et al., 6 Mar 2025). Under multi-step PGD, the unaware eavesdropper drops to W(ω)W(\omega)5 at PSR W(ω)W(\omega)6 dB, whereas the STFT-based model stays above W(ω)W(\omega)7 in Environment A and above W(ω)W(\omega)8 in Environment B (Yuan et al., 6 Mar 2025). This is a reminder that frequency-aware attacks and frequency-aware defenses co-evolve.

6. Limitations, misconceptions, and open directions

A common misconception is that spectral attacks are inherently more transferable simply because they occupy the frequency domain. The literature is more specific. Some methods succeed by amplifying high frequencies (Zheng et al., 27 May 2025); others by perturbing low-frequency structure (Wang et al., 2023); others by isolating mid-frequency invariants (Yang et al., 2024); and others by combining low-frequency bands with the high-frequency components nested inside them (Zhang et al., 2024). This suggests that the effective design variable is not “frequency-domain vs. spatial-domain” in the abstract, but the match between band selection and the invariances shared by surrogate and victim models.

The current literature also documents clear limitations. SFFAA assumes a direct-access scenario and does not model over-the-air effects (Zhang et al., 2022). The RF eavesdropping paper assumes that the transmitter knows the channel and noise distributions used to design W(ω)W(\omega)9, and it explicitly states that no joint time-frequency crafting is attempted (Yuan et al., 6 Mar 2025). The 2025 Frequency-Space Attack notes that its uniform random mask could be replaced by an adaptive mask and that alternative transforms such as DCT, wavelet, or learnable spectral bases may yield further gains (Zheng et al., 27 May 2025). MetaSSA acknowledges higher per-iteration cost due to the inner meta-train loop (Weng et al., 2024). LFAA notes weaker performance against strong adversarially trained defenses (Wang et al., 2023).

Several future directions recur across papers. One is joint spatial-frequency or time-frequency optimization rather than single-domain perturbation with post hoc spectral interpretation (Yuan et al., 6 Mar 2025, Jia et al., 2022). Another is stronger model-agnostic regularization: FRA-Attack’s low-pass gradient filter depends only on geometric frequency coordinates, while FACL-Attack’s training-only modules attempt to encode invariances that persist at inference (Yuan et al., 20 May 2026, Yang et al., 2024). A third is extension across modalities and deployment settings, including audio, 3D, video, multimodal systems, federated or multiuser RF scenarios, and open-vocabulary vision models (Zheng et al., 27 May 2025, Yuan et al., 6 Mar 2025, Wang et al., 2023). A plausible implication is that future transferable attacks will be less about choosing a single favored band and more about learning task-specific spectral priors together with surrogate-agnostic gradient structure.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Transferable Frequency-Aware Attacks.