🤖 AI Summary
Existing universal adversarial perturbation (UAP) methods neglect domain-specific feature relationship constraints, yielding unrealistic and easily detectable adversarial samples—severely limiting practical applicability. To address this, we propose Constraint-Aware Universal Adversarial Perturbations (CAP), a novel UAP framework built upon the augmented Lagrangian method to jointly model diverse, complex domain constraints—including monotonicity in financial time series and spectral constraints in communication signals—and to automatically learn implicit constraints directly from data. CAP employs gradient-driven alternating optimization coupled with min-max constrained encoding to efficiently generate robust perturbations within restricted feature spaces. Extensive experiments across financial forecasting and network communication domains demonstrate that CAP significantly improves attack success rates (average +12.7%), reduces runtime by 43.5%, and seamlessly supports both targeted individual and universal attack paradigms.
📝 Abstract
Deep neural networks have achieved remarkable success in a wide range of classification tasks. However, they remain highly susceptible to adversarial examples - inputs that are subtly perturbed to induce misclassification while appearing unchanged to humans. Among various attack strategies, Universal Adversarial Perturbations (UAPs) have emerged as a powerful tool for both stress testing model robustness and facilitating scalable adversarial training. Despite their effectiveness, most existing UAP methods neglect domain-specific constraints that govern feature relationships. Violating such constraints, such as debt-to-income ratios in credit scoring or packet flow invariants in network communication, can render adversarial examples implausible or easily detectable, thereby limiting their real-world applicability.
In this work, we advance universal adversarial attacks to constrained feature spaces by formulating an augmented Lagrangian-based min-max optimization problem that enforces multiple, potentially complex constraints of varying importance. We propose Constrained Adversarial Perturbation (CAP), an efficient algorithm that solves this problem using a gradient-based alternating optimization strategy. We evaluate CAP across diverse domains including finance, IT networks, and cyber-physical systems, and demonstrate that it achieves higher attack success rates while significantly reducing runtime compared to existing baselines. Our approach also generalizes seamlessly to individual adversarial perturbations, where we observe similar strong performance gains. Finally, we introduce a principled procedure for learning feature constraints directly from data, enabling broad applicability across domains with structured input spaces.
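The abstract's point that constraint-violating inputs are easily detectable can be seen from the defender's side. The sketch below is an added example, not code from the paper: it learns pairwise ordering and ratio constraints from clean records and flags records that break them. The feature names, records, deltas and the learning rule are assumptions constructed for illustration; the rule is a simple stand-in, not the paper's constraint-learning procedure.

```python
from itertools import permutations

# Constructed clean flow records; feature names are hypothetical.
FEATURES = ["pkts_fwd", "bytes_fwd", "bytes_total", "duration_ms"]
CLEAN = [
    [10, 5200, 9100, 120],
    [3, 180, 420, 15],
    [40, 30000, 61000, 900],
    [7, 2100, 2100, 60],
    [22, 9800, 15000, 300],
]

def learn_constraints(rows, slack=0.10):
    """Keep pairwise relations that hold on every clean row (assumed rule)."""
    order, ratio = [], {}
    for i, j in permutations(range(len(rows[0])), 2):
        if all(r[i] <= r[j] for r in rows):
            order.append((i, j))  # ordering invariant: x_i <= x_j
        if i < j and all(r[j] > 0 for r in rows):
            vals = [r[i] / r[j] for r in rows]
            # Observed ratio range, widened by `slack` to limit false alarms.
            ratio[(i, j)] = (min(vals) * (1 - slack), max(vals) * (1 + slack))
    return order, ratio

def violations(x, order, ratio, names=FEATURES):
    """Return the learned constraints that record x breaks."""
    broken = [f"{names[i]} <= {names[j]}" for i, j in order if x[i] > x[j]]
    for (i, j), (lo, hi) in ratio.items():
        if x[j] <= 0 or not lo <= x[i] / x[j] <= hi:
            broken.append(f"{names[i]}/{names[j]} in [{lo:.4g}, {hi:.4g}]")
    return broken

def apply_delta(rows, delta):
    """Add one fixed (universal) perturbation vector to every record."""
    return [[v + d for v, d in zip(r, delta)] for r in rows]

def flagged(rows, order, ratio):
    """Count records that break at least one learned constraint."""
    return sum(1 for r in rows if violations(r, order, ratio))

if __name__ == "__main__":
    order, ratio = learn_constraints(CLEAN)
    for delta in ([0, 5000, 0, 0], [0, 50, 50, 0]):  # constructed deltas
        shifted = apply_delta(CLEAN, delta)
        print(delta, "flagged:", flagged(shifted, order, ratio), "of", len(shifted))
        print("  first record breaks:", violations(shifted[0], order, ratio))
```

Constraints learned from a small sample also pick up coincidental relations, so a production check needs more clean data and domain review before it is used to reject inputs.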