ML Security PapersPhysically-Induced Atmospheric Adversarial Perturbations: Enhancing Transferability and Robustness in Remote Sensing Image Classification
Weiwei Zhuang 1, Wangze Xie 1, Qi Zhang 2, Xia Du 1, Zihan Lin 3, Zheng Lin 4, Hanlin Cai 5, Jizhe Zhou 6, Zihan Fang 7, Chi-man Pun 8, Wei Ni 9, Jun Luo 10
Published on arXiv
2604.14643
Input Manipulation Attack
OWASP ML Top 10 — ML01
Key Finding
Achieves 83.74% black-box transferability (TASR) and superior robustness against JPEG compression and filtering defenses compared to pixel-wise perturbation methods
FogFool
Novel technique introduced
Adversarial attacks pose a severe threat to the reliability of deep learning models in remote sensing (RS) image classification. Most existing methods rely on direct pixel-wise perturbations, failing to exploit the inherent atmospheric characteristics of RS imagery or survive real-world image degradations. In this paper, we propose FogFool, a physically plausible adversarial framework that generates fog-based perturbations by iteratively optimizing atmospheric patterns based on Perlin noise. By modeling fog formations with natural, irregular structures, FogFool generates adversarial examples that are not only visually consistent with authentic RS scenes but also deceptive. By leveraging the spatial coherence and mid-to-low-frequency nature of atmospheric phenomena, FogFool embeds adversarial information into structural features shared across diverse architectures. Extensive experiments on two benchmark RS datasets demonstrate that FogFool achieves superior performance: not only does it exceed in white-box settings, but also exhibits exceptional black-box transferability (reaching 83.74% TASR) and robustness against common preprocessing-based defenses such as JPEG compression and filtering. Detailed analyses, including confusion matrices and Class Activation Map (CAM) visualizations, reveal that our atmospheric-driven perturbations induce a universal shift in model attention. These results indicate that FogFool represents a practical, stealthy, and highly persistent threat to RS classification systems, providing a robust benchmark for evaluating model reliability in complex environments.
Key Contributions
- FogFool framework that generates physically plausible fog-based adversarial perturbations using Perlin noise optimization
- Achieves 83.74% black-box transferability across diverse architectures by embedding adversarial information in mid-to-low-frequency atmospheric patterns
- Demonstrates robustness against preprocessing defenses (JPEG compression, filtering) by leveraging spatial coherence of atmospheric phenomena
🛡️ Threat Analysis
Proposes FogFool, a gradient-based adversarial attack that crafts fog-based perturbations to cause misclassification at inference time. The attack iteratively optimizes atmospheric patterns to generate adversarial examples that fool remote sensing classifiers. This is a clear input manipulation attack achieving 83.74% black-box transferability.