pith. sign in

arxiv: 1712.04248 · v2 · pith:CQTMGRSQnew · submitted 2017-12-12 · 📊 stat.ML · cs.CR· cs.CV· cs.LG· cs.NE

Decision-Based Adversarial Attacks: Reliable Attacks Against Black-Box Machine Learning Models

Wieland Brendel , Jonas Rauber , Matthias Bethge This is my paper
classification 📊 stat.ML cs.CRcs.CVcs.LGcs.NE
keywords attacksattackmodelslearningmachineadversarialdecision-basedrely
0
0 comments X
read the original abstract

Many machine learning algorithms are vulnerable to almost imperceptible perturbations of their inputs. So far it was unclear how much risk adversarial perturbations carry for the safety of real-world machine learning applications because most methods used to generate such perturbations rely either on detailed model information (gradient-based attacks) or on confidence scores such as class probabilities (score-based attacks), neither of which are available in most real-world scenarios. In many such cases one currently needs to retreat to transfer-based attacks which rely on cumbersome substitute models, need access to the training data and can be defended against. Here we emphasise the importance of attacks which solely rely on the final model decision. Such decision-based attacks are (1) applicable to real-world black-box models such as autonomous cars, (2) need less knowledge and are easier to apply than transfer-based attacks and (3) are more robust to simple defences than gradient- or score-based attacks. Previous attacks in this category were limited to simple models or simple datasets. Here we introduce the Boundary Attack, a decision-based attack that starts from a large adversarial perturbation and then seeks to reduce the perturbation while staying adversarial. The attack is conceptually simple, requires close to no hyperparameter tuning, does not rely on substitute models and is competitive with the best gradient-based attacks in standard computer vision tasks like ImageNet. We apply the attack on two black-box algorithms from Clarifai.com. The Boundary Attack in particular and the class of decision-based attacks in general open new avenues to study the robustness of machine learning models and raise new questions regarding the safety of deployed machine learning systems. An implementation of the attack is available as part of Foolbox at https://github.com/bethgelab/foolbox .

This paper has not been read by Pith yet.

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Forward citations

Cited by 10 Pith papers

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. Uncovering and Understanding FPR Manipulation Attack in Industrial IoT Networks

    cs.CR 2026-01 unverdicted novelty 8.0

    FPR manipulation attack perturbs benign MQTT packets to flip labels to attacks in NIDS with 80-100% success, increasing SOC delays without gradient-based methods.

  2. Empirical Evidence for Simply Connected Decision Regions in Image Classifiers

    cs.CV 2026-05 unverdicted novelty 7.0

    Empirical tests with quad-mesh filling indicate that decision regions in modern image classifiers are simply connected.

  3. Hard-Label Black-Box Attacks on 3D Point Clouds

    cs.CV 2024-11 unverdicted novelty 7.0

    A spectrum-aware decision boundary algorithm enables effective hard-label black-box adversarial attacks on 3D point cloud models by fusing spectral information across classes and performing curvature-aware iterative o...

  4. Unsolved Problems in ML Safety

    cs.LG 2021-09 accept novelty 6.0

    The paper presents a roadmap that identifies four unsolved problems in ML safety: robustness against hazards, monitoring for hazards, alignment of model goals with human intent, and systemic safety.

  5. Hiding Faces in Plain Sight: Disrupting AI Face Synthesis with Adversarial Perturbations

    cs.CV 2019-06 unverdicted novelty 6.0

    Adversarial perturbations disrupt DNN-based face detectors under white-box, gray-box, and black-box settings to sabotage training data for AI face synthesis.

  6. Memory Efficient Full-gradient Attacks (MEFA) Framework for Adversarial Defense Evaluations

    cs.LG 2026-05 unverdicted novelty 5.0

    MEFA enables exact full-gradient white-box attacks on iterative stochastic purification defenses like diffusion and Langevin EBMs by trading recomputation for lower memory, revealing vulnerabilities missed by approxim...

  7. Accelerating Targeted Hard-Label Adversarial Attacks in Low-Query Black-Box Settings

    cs.CV 2025-05 unverdicted novelty 5.0

    TEA is a new targeted adversarial attack that incorporates edge information from the target image to reduce query count and improve performance in low-query black-box hard-label settings.

  8. Graph Interpolating Activation Improves Both Natural and Robust Accuracies in Data-Efficient Deep Learning

    cs.LG 2019-07 unverdicted novelty 5.0

    Graph Laplacian interpolating activation replaces softmax in DNNs and improves natural accuracy, robust accuracy, and data efficiency.

  9. Security and Privacy in Virtual and Robotic Assistive Systems: A Comparative Framework

    cs.CR 2026-03 unverdicted novelty 4.0

    A unified comparative threat-modeling framework is developed to analyze security and privacy risks across virtual and robotic assistive systems.

  10. Quantum Adversarial Machine Learning: From Classical Adaptations to Quantum-Native Methods

    cs.LG 2026-05 unverdicted novelty 1.0

    A survey of quantum adversarial machine learning covering attacks, countermeasures, theoretical underpinnings, trends, and challenges.