Hard-label based small query black-box adversarial attack

Jeong Park*, Niall McLaughlin, Paul Miller

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceedingConference contribution

6 Downloads (Pure)


We consider the hard-label based black-box adversarial attack setting which solely observes the target model’s predicted class. Most of the attack methods in this setting suffer from impractical number of queries required to achieve a successful attack. One approach to tackle this drawback is utilising the adversarial transferability between white-box surrogate models and black-box target model. However, the majority of the methods adopting this approach are soft-label based to take the full advantage of zeroth-order optimisation. Unlike mainstream methods, we propose a new practical setting of hard-label based attack with an optimisation process guided by a pre-trained surrogate model. Experiments show the proposed method significantly improves the query efficiency of the hard-label based black-box attack across various target model architectures. We find the proposed method achieves approximately 5 times higher attack success rate compared to the benchmarks, especially at the small query budgets as 100 and 250.

Original languageEnglish
Title of host publicationIEEE/CVF Winter Conference on Applications of Computer Vision, WACV 2024: proceedings
PublisherInstitute of Electrical and Electronics Engineers Inc.
Number of pages10
Publication statusPublished - 09 Apr 2024
EventIEEE/CVF Winter Conference on Applications of Computer Vision 2024 - Waikoloa, United States
Duration: 04 Jan 202408 Jan 2024

Publication series

NameIEEE/CVF Winter Conference on Applications of Computer Vision: proceedings
ISSN (Print)2472-6737
ISSN (Electronic)2642-9381


ConferenceIEEE/CVF Winter Conference on Applications of Computer Vision 2024
Abbreviated titleIEEE/CVF WACV 2024
Country/TerritoryUnited States


Dive into the research topics of 'Hard-label based small query black-box adversarial attack'. Together they form a unique fingerprint.

Cite this