🤖 AI Summary
This work investigates the mechanistic relationship between the frequency-domain characteristics of adversarial examples and the architectural robustness of deep neural networks. We systematically analyze adversarial perturbations in the DCT/DFT domain, generate attacks via PGD and AutoAttack, conduct band-limited filtering ablations, and perform cross-architecture comparisons. Our experiments reveal a fundamental divergence: CNNs exhibit sharply declining robustness under high-frequency perturbations, whereas Vision Transformers (ViTs) are disproportionately vulnerable to low-frequency disturbances. Based on these findings, we propose three novel frequency-aware robust training principles—grounded in theoretical analysis—to guide defense design. Empirically, frequency-domain filtering yields stepwise improvements in robust accuracy, achieving peak performance at optimal bandwidths. This study establishes frequency composition as a critical determinant of model robustness, advancing the paradigm of frequency-centric robustness research.
📝 Abstract
Adversarial examples have attracted significant attention over the years, yet their frequency-domain characteristics remain insufficiently understood. In this paper, we investigate the intriguing properties of adversarial examples in the frequency domain for the image classification task, with the following key findings. (1) As the high-frequency components increase, the performance gap between adversarial and natural examples becomes increasingly pronounced. (2) Model performance against filtered adversarial examples initially increases to a peak and then declines to the model's inherent robustness. (3) In Convolutional Neural Networks, the mid- and high-frequency components of adversarial examples carry their attack capability, while in Transformers, the low- and mid-frequency components are particularly effective. These results suggest that different network architectures have different frequency preferences and that differences in frequency components between adversarial and natural examples may directly influence model robustness. Based on our findings, we conclude with three proposals that serve as a reference for the AI model security community.
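Added example (not code from the paper): a band-limited filtering sweep of the kind the abstract refers to, using a pure-Python 2D DCT on a constructed 8x8 image with a constructed checkerboard perturbation. The `u + v < bandwidth` mask, the function names and the sample data are assumptions for illustration, and the sweep measures energy, not model accuracy.

```python
import math

def dct_matrix(n):
    """Orthonormal DCT-II basis; row k is the k-th frequency."""
    return [[math.sqrt((1 if k == 0 else 2) / n) *
             math.cos(math.pi * (2 * i + 1) * k / (2 * n)) for i in range(n)]
            for k in range(n)]

def matmul(a, b):
    return [[sum(x * y for x, y in zip(row, col)) for col in zip(*b)] for row in a]

def dct2(img):
    c = dct_matrix(len(img))
    return matmul(matmul(c, img), list(zip(*c)))      # C · img · Cᵀ

def idct2(coef):
    c = dct_matrix(len(coef))
    return matmul(matmul(list(zip(*c)), coef), c)     # Cᵀ · coef · C

def low_pass(img, bandwidth):
    """Keep DCT coefficients with u + v < bandwidth (assumed mask), zero the rest."""
    coef = dct2(img)
    kept = [[v if u + w < bandwidth else 0.0 for w, v in enumerate(row)]
            for u, row in enumerate(coef)]
    return idct2(kept)

def energy(img):
    return sum(v * v for row in img for v in row)

def sweep(natural, adversarial, bandwidths):
    """Per bandwidth: (fraction of perturbation energy surviving the filter,
    fraction of natural-image energy the filter destroys)."""
    delta = [[a - n for a, n in zip(ra, rn)] for ra, rn in zip(adversarial, natural)]
    out = {}
    for b in bandwidths:
        n_f = low_pass(natural, b)
        lost = energy([[x - y for x, y in zip(r1, r2)] for r1, r2 in zip(natural, n_f)])
        out[b] = (energy(low_pass(delta, b)) / energy(delta), lost / energy(natural))
    return out

# Constructed sample: smooth gradient image plus a high-frequency +/-EPS checkerboard
N, EPS = 8, 8 / 255
natural = [[(i + j) / (2 * (N - 1)) for j in range(N)] for i in range(N)]
adversarial = [[natural[i][j] + EPS * (-1) ** (i + j) for j in range(N)] for i in range(N)]

if __name__ == "__main__":
    for b, (kept, lost) in sweep(natural, adversarial, [2, 4, 8, 12, 15]).items():
        print(f"bandwidth {b:2d}: perturbation kept {kept:.4f}, image lost {lost:.4f}")
```

On this sample, narrow bandwidths remove almost all of the perturbation at a small cost to the image, and the perturbation returns in full as the bandwidth widens; a perturbation concentrated in low frequencies would pass through the same filter largely intact.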