Guessing Smart: Biased Sampling for Efficient Black-Box Adversarial Attacks

  • Thomas Brunner, Frederik Diehl, Michael Truong-Le, Alois Knoll
  • Published 24 December 2018
  • Computer Science, Mathematics
  • 2019 IEEE/CVF International Conference on Computer Vision (ICCV)
We consider adversarial examples for image classification in the black-box decision-based setting. Here, an attacker cannot access confidence scores, but only the final label. Most attacks for this scenario are either unreliable or inefficient. Focusing on the latter, we show that a specific class of attacks, Boundary Attacks, can be reinterpreted as a biased sampling framework that gains efficiency from domain knowledge. We identify three such biases, image frequency, regional masks and… 

Query-Efficient Hard-Label Black-Box Attacks Using Biased Sampling

  • Sijia Liu, Jian Sun, Jun Li
  • Computer Science
  • 2020 Chinese Automation Congress (CAC)
  • 2020
Experimental results on ImageNet show that the biased sampling methods can improve the efficiency of existing hard-label black box attacks and significantly limit the search space and thus reduce query times.

Spanning Attack: Reinforce Black-box Attacks with Unlabeled Data

By constraining adversarial perturbations in a low-dimensional subspace via spanning an auxiliary unlabeled dataset, the spanning attack significantly improves the query efficiency of black-box attacks.

Simple and Efficient Hard Label Black-box Adversarial Attacks in Low Query Budget Regimes

This work proposes a simple and efficient Bayesian Optimization (BO) based approach for developing black-box adversarial attacks, which consistently achieves 2x to 10x higher attack success rate while requiring 10x to 20x fewer queries compared to the current state-of-the-art black-box adversarial attack.

Automated Decision-based Adversarial Attacks

This work considers the practical and challenging decision-based black-box adversarial setting, where the attacker can only acquire the final classification labels by querying the target model without access to the model’s details, and proposes to automatically discover decision-based adversarial attack algorithms.


Experimental results demonstrate that the proposed Policy-Driven Attack method can significantly reduce the query complexity in comparison with existing state-of-the-art hard-label black-box attacks on various image classification benchmark datasets.

Improved Adversarial Attack against Black-box Machine Learning Models

This paper improves the algorithm for generating initial adversarial samples with smaller L2 distance, and innovatively combines a swarm intelligence algorithm, Particle Swarm Optimization (PSO), with Biased Boundary Attack in a novel method to solve these shortcomings.


Black-Box Adversarial Attack with Transferable Model-based Embedding

It is shown that this approach can greatly improve the query efficiency of black-box adversarial attack across different target network architectures and also attack adversarially defended networks on CIFAR10 and ImageNet, where the method not only reduces the number of queries, but also improves the attack success rate.

Copy and Paste: A Simple But Effective Initialization Method for Black-Box Adversarial Attacks

It is found that simply copying small patches from other images is a valid strategy and the initialization scheme reduces the number of queries required for a state-of-the-art Boundary Attack by 81%, significantly outperforming previous results reported for targeted black-box adversarial examples.

Query-Efficient Black-box Adversarial Attacks Guided by a Transfer-based Prior

This paper proposes two prior-guided random gradient-free (PRGF) algorithms, based on biased sampling and gradient averaging respectively, that require much fewer queries to attack black-box models with higher success rates.



Black-box Adversarial Attacks with Limited Queries and Information

This work defines three realistic threat models that more accurately characterize many real-world classifiers: the query-limited setting, the partial-information setting, and the label-only setting and develops new attacks that fool classifiers under these more restrictive threat models.


The Boundary Attack is introduced, a decision-based attack that starts from a large adversarial perturbation and then seeks to reduce the perturbation while staying adversarial, which is conceptually simple, requires close to no hyperparameter tuning, does not rely on substitute models and is competitive with the best gradient-based attacks in standard computer vision tasks like ImageNet.

Prior Convictions: Black-Box Adversarial Attacks with Bandits and Priors

A framework that conceptually unifies much of the existing work on black-box attacks is introduced, and it is demonstrated that the current state-of-the-art methods are optimal in a natural sense.

AutoZOOM: Autoencoder-based Zeroth Order Optimization Method for Attacking Black-box Neural Networks

Experimental results suggest that, by applying AutoZOOM to a state-of-the-art black-box attack (ZOO), a significant reduction in model queries can be achieved without sacrificing the attack success rate and the visual quality of the resulting adversarial examples.

Towards Deep Learning Models Resistant to Adversarial Attacks

This work studies the adversarial robustness of neural networks through the lens of robust optimization, and suggests the notion of security against a first-order adversary as a natural and broad security guarantee.

Defense Against Adversarial Attacks Using High-Level Representation Guided Denoiser

High-level representation guided denoiser (HGD) is proposed as a defense for image classification by using a loss function defined as the difference between the target model's outputs activated by the clean image and denoised image.

Low Frequency Adversarial Perturbation

This paper proposes to restrict the search for adversarial images to a low frequency domain, which is readily compatible with many existing black-box attack frameworks and consistently reduces their query cost by 2 to 4 times.

Mitigating adversarial effects through randomization

This paper proposes to utilize randomization at inference time to mitigate adversarial effects, and uses two randomization operations: random resizing, which resizes the input images to a random size, and random padding, which pads zeros around the input image in a random manner.

Ensemble Adversarial Training: Attacks and Defenses

This work finds that adversarial training remains vulnerable to black-box attacks, where perturbations computed on undefended models are transferred to a powerful novel single-step attack that escapes the non-smooth vicinity of the input data via a small random step.

ZOO: Zeroth Order Optimization Based Black-box Attacks to Deep Neural Networks without Training Substitute Models

An effective black-box attack that also only has access to the input (images) and the output (confidence scores) of a targeted DNN is proposed, sparing the need for training substitute models and avoiding the loss in attack transferability.