# Guessing Smart: Biased Sampling for Efficient Black-Box Adversarial   Attacks

**Authors:** Thomas Brunner, Frederik Diehl, Michael Truong Le, Alois Knoll

arXiv: 1812.09803 · 2021-04-30

## TL;DR

This paper introduces a biased sampling approach for black-box adversarial attacks on image classifiers, significantly improving efficiency and success rates by leveraging domain knowledge and outperforming existing methods.

## Contribution

It reinterprets Boundary Attacks as a biased sampling framework and demonstrates how combining biases like image frequency, regional masks, and surrogate gradients enhances attack efficiency.

## Key findings

- Outperforms state-of-the-art attacks on ImageNet
- Successfully attacks Google Cloud Vision API with few queries
- Achieved second place in NeurIPS 2018 Adversarial Vision Challenge

## Abstract

We consider adversarial examples for image classification in the black-box decision-based setting. Here, an attacker cannot access confidence scores, but only the final label. Most attacks for this scenario are either unreliable or inefficient. Focusing on the latter, we show that a specific class of attacks, Boundary Attacks, can be reinterpreted as a biased sampling framework that gains efficiency from domain knowledge. We identify three such biases, image frequency, regional masks and surrogate gradients, and evaluate their performance against an ImageNet classifier. We show that the combination of these biases outperforms the state of the art by a wide margin. We also showcase an efficient way to attack the Google Cloud Vision API, where we craft convincing perturbations with just a few hundred queries. Finally, the methods we propose have also been found to work very well against strong defenses: Our targeted attack won second place in the NeurIPS 2018 Adversarial Vision Challenge.

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/1812.09803/full.md

## Figures

12 figures with captions in the complete paper: https://tomesphere.com/paper/1812.09803/full.md

## References

22 references — full list in the complete paper: https://tomesphere.com/paper/1812.09803/full.md

---
Source: https://tomesphere.com/paper/1812.09803