Transferable Frequency-Aware Attacks
- Transferable frequency-aware attacks are adversarial methods that exploit explicit frequency representations to craft perturbations for improved black-box efficacy.
- They employ diverse spectral transforms such as Fourier, cosine, and wavelet to optimize and selectively manipulate low, mid, and high-frequency components.
- The literature demonstrates that techniques like spectral augmentation and cross-frequency meta-learning significantly enhance transferability across models and application domains.
Transferable frequency-aware attacks are adversarial methods that manipulate perturbations through an explicit frequency representation in order to improve black-box efficacy, cross-model generalization, cross-domain robustness, concealment, or all four simultaneously. In this literature, “frequency-aware” does not denote a single mechanism. It includes direct optimization in the Fourier, cosine, wavelet, or short-time Fourier domain; decomposition of inputs into low-, mid-, and high-frequency bands; spectral augmentation of surrogate inputs; frequency-conditioned feature alignment; and hybrid attacks that combine spatial and spectral gradients. The resulting attack family now spans standard image classification, automatic modulation classification, RF fingerprinting, face forgery detection, AI-generated image detection, closed-source multimodal LLMs, and learned image compression systems (Long et al., 2022, Yang et al., 2024, Yuan et al., 6 Mar 2025, Yuan et al., 20 May 2026).
1. Conceptual foundations
Transferability is the property that an adversarial example optimized on a surrogate model also fools an unseen target. Frequency-aware methods address a recurring failure mode of purely spatial attacks: gradients computed on one model can over-specialize to that model’s decision boundary, whereas spectral structure often exposes feature biases that are more broadly shared across architectures or domains. Several papers make this claim operationally rather than rhetorically. “Frequency Domain Model Augmentation for Adversarial Attack” defines a spectrum transformation that simulates diverse substitute models in the frequency domain and argues that the resulting spectrum saliency maps span a larger subspace than spatial-domain transforms do (Long et al., 2022). “Towards Transferable Adversarial Attacks with Centralized Perturbation” similarly argues that concentrating perturbation on dominant frequency coefficients mitigates source-model overfitting (Wu et al., 2023).
A central point in the literature is that transferability is not tied to one privileged band. Different tasks and targets expose different spectral vulnerabilities. Weng et al. report that high-frequency perturbations tend to fool normally trained networks more readily, while low-frequency perturbations transfer better to defense models, motivating cross-frequency meta-optimization (Weng et al., 2024). LFAA, despite its name, is motivated by the observation that replacing the high-frequency component of an image with that of another image can mislead deep models, yet it ultimately generates targeted perturbations that are added to the low-frequency component of the image (Wang et al., 2023). FACL-Attack instead treats mid-frequency features as the domain-invariant “semantic core,” randomizing low and high bands while explicitly separating clean and perturbed mid-frequency features during training (Yang et al., 2024). A wavelet-packet study goes further and reports that the worst-perturbed bands are not the global high-frequency extremes, but the high-frequency components of low-frequency bands such as “da,” “daa,” and “dad” (Zhang et al., 2024).
This band dependence also appears outside vision. In RF fingerprinting, a transmitter can inject transferable time-domain perturbations, yet Theorem 1 in “Robust Eavesdropping in the Presence of Adversarial Communications for RF Fingerprinting” shows that the eavesdropper’s important mid-band short-time Fourier features can remain nearly unchanged because the adversarial power is confined to out-of-band frequencies (Yuan et al., 6 Mar 2025). A common misconception is therefore that “frequency-aware” means “high-frequency attack.” The literature supports a more conditional view: low-, mid-, and high-frequency emphasis each appear as transfer-promoting priors under different threat models (Wang et al., 2023, Yang et al., 2024, Zheng et al., 27 May 2025, Yuan et al., 6 Mar 2025).
2. Spectral representations and perturbation parameterizations
The field is organized around a small set of transforms. Image attacks commonly use the 2-D DCT, FFT, DWT, or wavelet packet decomposition. RF and communication settings use STFT or signal-band-specific Fourier parameterizations. The representation is not merely diagnostic; it determines which coefficients are directly optimized, which are randomized, and which are suppressed.
| Representation | Representative use | Operational role |
|---|---|---|
| 2-D DCT | SSA, FACL-Attack, FRA-Attack, face forgery attacks | model augmentation, band masking, feature alignment, gradient regularization |
| FFT | FSA, FAMPE | stochastic spectral augmentation, LF/HF trade-off |
| DWT / WPD | MetaSSA, WaveTransform, WPD black-box attack | band decomposition, feature mixing, band-selective perturbation |
| STFT | RF eavesdropper | time-frequency feature extraction and robustness analysis |
Direct frequency-domain optimization appears clearly in SFFAA for automatic modulation classification. It restricts the perturbation spectrum to a known occupied band and formalizes the objective as minimizing the fraction of power leaked outside the band,
with iterative updates performed on the frequency-domain variable and projection back to the time domain through IFFT and clipping (Zhang et al., 2022). By construction, the attack targets spectral concealment and decision failure simultaneously.
Other methods retain spatial-domain optimization but inject frequency-aware stochasticity or regularization. The 2025 Frequency-Space Attack defines a high-frequency augmentation module
where and scales Gaussian noise toward higher frequencies through a linear weighting (Zheng et al., 27 May 2025). SSA uses a related DCT-domain transformation,
with fresh Gaussian noise and multiplicative masks at every iteration, then averages gradients across multiple transformed inputs (Long et al., 2022). Centralized Perturbation takes a spatial step , transforms it blockwise into YCbCr-DCT coefficients, multiplies by binary masks , and learns those masks in parallel so that only dominant coefficients survive (Wu et al., 2023).
Wavelet-based attacks expose finer granularity. MetaSSA decomposes an image with single-level orthogonal DWT into and 0, then mixes clean and adversarial features differently for standard and defense models (Weng et al., 2024). WaveTransform updates selected wavelet subbands 1 under an 2 constraint and reconstructs the image through IDWT (Anshumaan et al., 2020). The WPD-based decision attack narrows its search to the bands 3, chosen after cosine-similarity analysis identified those bands as carrying concentrated adversarial disturbance (Zhang et al., 2024).
3. Transferability mechanisms
One major mechanism is spectral augmentation of the surrogate. SSA treats each transformed spectrum as a “simulated” substitute model and proves that the corresponding spectrum saliency map is perturbed by the random mask 4, which increases substitute diversity (Long et al., 2022). The 2025 Frequency-Space Attack pushes the same idea further by coupling High-Frequency Augmentation with Hierarchical-Gradient Fusion, a multi-scale gradient pyramid whose coarser levels receive larger weights. In its ImageNet-1000 evaluation, FSA reports an average attack success rate increase of 5 compared with BSR on eight black-box defense models (Zheng et al., 27 May 2025).
A second mechanism is cross-frequency meta-learning. Meta-SFFAA constructs tasks over surrogate AMC models, using some models for “meta-train” and a held-out surrogate for “meta-test,” so that the perturbation update direction generalizes across architectures (Zhang et al., 2022). MetaSSA resolves a conflict between two feature-mixing strategies—AFM for normally trained models and LF-AFM for defense models—through a three-step meta-train, meta-test, and final update procedure (Weng et al., 2024). This directly encodes the claim that different target classes of models prefer different spectral attack views.
A third mechanism is frequency-aware feature alignment. FACL-Attack introduces Frequency-Aware Domain Randomization, which randomizes low- and high-frequency components but leaves mid-frequency coefficients unchanged, and a contrastive loss
6
which pushes mid-frequency features of clean and perturbed inputs apart while pulling low/high features together (Yang et al., 2024). FRA-Attack for closed-source MLLMs combines a high-pass DCT objective over patch features with Frequency-domain Gradient Regularization, a low-pass filter 7 applied to the DCT of the surrogate gradient. The design is explicitly split: high-frequency alignment concentrates on intrinsic visual focus, while low-frequency gradient regularization removes surrogate-specific high-frequency artifacts (Yuan et al., 20 May 2026).
A fourth mechanism is dual-domain importance fusion. The face forgery attack introduces a DCT-domain fusion module that captures salient adversarial regions in the frequency domain and then alternates frequency and spatial updates in a hybrid attack (Jia et al., 2022). DuFIA for AI-generated image detectors computes a spatial feature-importance map through integrated gradients and a frequency feature-importance map through randomized DCT perturbation, then fuses them as
8
before maximizing a mid-layer feature attack loss under an 9 constraint (Zhu et al., 19 Nov 2025). In both cases, transferability is attributed to complementary information captured in the two domains rather than to a purely spectral prior.
4. Domain-specific developments
In image classification, the field has moved from augmentation-based attacks toward structured spectral reasoning. SSA showed that frequency-domain model augmentation can be retrofitted to iterative attacks such as I-FGSM, MI-FGSM, DI-FGSM, TI-FGSM, and SI-FGSM (Long et al., 2022). FACL-Attack shifted the focus to cross-domain and cross-model generator training under strict black-box conditions, using DCT band partitioning and contrastive feature separation (Yang et al., 2024). LFAA addressed a harder regime—transferable targeted attacks—by training a class-conditional generator that outputs perturbations added to the low-frequency component of the image (Wang et al., 2023). FRA-Attack generalizes the same logic to closed-source MLLMs, where the surrogate is an open-source vision encoder but the victim is an unknown proprietary multimodal system (Yuan et al., 20 May 2026).
Signal-processing applications adopt analogous ideas but with domain-specific constraints. In AMC, SFFAA and Meta-SFFAA explicitly exploit the known occupied spectrum of the communication signal, restricting perturbation energy to that band and measuring concealment through the Out-Spectrum Energy Ratio (Zhang et al., 2022). In RF fingerprinting, the adversary is the transmitter rather than an external attacker: it adds 0 to a complex baseband preamble under a power budget and crafts the perturbation with 1-FGSM, 2-FGSM, 3-PGD, or 4-PGD on the receiver’s surrogate model (Yuan et al., 6 Mar 2025). The eavesdropper then counters with an STFT-based architecture because the transmitter’s purely time-domain transferable perturbations remain spectrally localized away from the classifier’s important midbands (Yuan et al., 6 Mar 2025).
Forensic and detection tasks reveal another use of frequency awareness: attacking detectors that themselves rely on spectral artifacts. The face forgery attack reports that its DCT-domain method fools spatial-based and frequency-based detectors, including F5-Net and LRL (Jia et al., 2022). DuFIA transfers across AI-generated image detectors by fusing spatially interpolated gradients with frequency-aware perturbation-derived feature importance (Zhu et al., 19 Nov 2025). In learned image compression, the objective changes from misclassification to trigger persistence and downstream task manipulation, but the spectral logic persists: backdoor triggers are embedded in selected DCT frequencies, robust frequency selection chooses Top-6 coefficients that survive preprocessing, and boundary-shift interpolation improves cross-model and cross-domain transferability for downstream segmentation and face-recognition attacks (Yu et al., 2024).
5. Empirical patterns and evaluation criteria
Reported gains are substantial but heterogeneous because metrics differ by task. On ImageNet defenses, SSA reports an average success rate of 7 when attacking nine state-of-the-art defense models with an ensemble substitute (Long et al., 2022). The 2025 Frequency-Space Attack reports single-model average attack success rates of approximately 8 versus approximately 9 for BSR, and up to 0 ASR on Inc-v3 ens3 when combined with other input transforms (Zheng et al., 27 May 2025). Centralized Perturbation reports a mean improvement of 1 percentage points over vanilla gradient baselines across five attacks and six black-box models (Wu et al., 2023). FACL-Attack evaluates transfer in terms of post-attack top-1 accuracy and reduces the cross-model average from 2 to 3 and the cross-domain average from 4 to 5, where lower is better (Yang et al., 2024).
Targeted and structured black-box settings show similarly strong effects. LFAA reports targeted black-box success-rate improvements ranging from 6 to 7 over prior methods, with a black-box success of 8 on DenseNet-121 and 9 on VGG-190 when trained on ResNet-50 as surrogate (Wang et al., 2023). The WPD-based decision attack reports an average attack success rate reaching 1, together with query counts, SSIM, and the proposed normalized disturbance visibility index (Zhang et al., 2024). In AMC, SFFAA confines more than 2 of perturbation energy inside the band, achieving OSER approximately 3 dB and average FD 4 at SNR 5 dB, while Meta-SFFAA improves black-box transfer beyond FGSM, PGD, and UAP (Zhang et al., 2022).
The RF case is notable because it reveals a limit rather than a gain. On clean signals, the intended receiver achieves 6 on seen devices and 7 on unseen devices, while the eavesdropper achieves 8 and 9 (Yuan et al., 6 Mar 2025). Under single-step FGSM, an unaware time-domain eavesdropper collapses to approximately 0 at PSR 1 dB, but the STFT-based eavesdropper remains above 2–3 up to PSR 4 dB in Environment A and tracks the receiver in Environment B (Yuan et al., 6 Mar 2025). Under multi-step PGD, the unaware eavesdropper drops to 5 at PSR 6 dB, whereas the STFT-based model stays above 7 in Environment A and above 8 in Environment B (Yuan et al., 6 Mar 2025). This is a reminder that frequency-aware attacks and frequency-aware defenses co-evolve.
6. Limitations, misconceptions, and open directions
A common misconception is that spectral attacks are inherently more transferable simply because they occupy the frequency domain. The literature is more specific. Some methods succeed by amplifying high frequencies (Zheng et al., 27 May 2025); others by perturbing low-frequency structure (Wang et al., 2023); others by isolating mid-frequency invariants (Yang et al., 2024); and others by combining low-frequency bands with the high-frequency components nested inside them (Zhang et al., 2024). This suggests that the effective design variable is not “frequency-domain vs. spatial-domain” in the abstract, but the match between band selection and the invariances shared by surrogate and victim models.
The current literature also documents clear limitations. SFFAA assumes a direct-access scenario and does not model over-the-air effects (Zhang et al., 2022). The RF eavesdropping paper assumes that the transmitter knows the channel and noise distributions used to design 9, and it explicitly states that no joint time-frequency crafting is attempted (Yuan et al., 6 Mar 2025). The 2025 Frequency-Space Attack notes that its uniform random mask could be replaced by an adaptive mask and that alternative transforms such as DCT, wavelet, or learnable spectral bases may yield further gains (Zheng et al., 27 May 2025). MetaSSA acknowledges higher per-iteration cost due to the inner meta-train loop (Weng et al., 2024). LFAA notes weaker performance against strong adversarially trained defenses (Wang et al., 2023).
Several future directions recur across papers. One is joint spatial-frequency or time-frequency optimization rather than single-domain perturbation with post hoc spectral interpretation (Yuan et al., 6 Mar 2025, Jia et al., 2022). Another is stronger model-agnostic regularization: FRA-Attack’s low-pass gradient filter depends only on geometric frequency coordinates, while FACL-Attack’s training-only modules attempt to encode invariances that persist at inference (Yuan et al., 20 May 2026, Yang et al., 2024). A third is extension across modalities and deployment settings, including audio, 3D, video, multimodal systems, federated or multiuser RF scenarios, and open-vocabulary vision models (Zheng et al., 27 May 2025, Yuan et al., 6 Mar 2025, Wang et al., 2023). A plausible implication is that future transferable attacks will be less about choosing a single favored band and more about learning task-specific spectral priors together with surrogate-agnostic gradient structure.