Spanning attack: reinforce black-box attacks with unlabeled data
Machine Learning (IF 7.5), Pub Date: 2020-10-29, DOI: 10.1007/s10994-020-05916-1
Lu Wang, Huan Zhang, Jinfeng Yi, Cho-Jui Hsieh, Yuan Jiang

Adversarial black-box attacks aim to craft adversarial perturbations by querying input-output pairs of machine learning models. They are widely used to evaluate the robustness of pre-trained models. However, black-box attacks often suffer from the issue of query inefficiency due to the high dimensionality of the input space, and therefore incur a false sense of model robustness. In this paper, we relax the conditions of the black-box threat model, and propose a novel technique called the spanning attack. By constraining adversarial perturbations in a low-dimensional subspace via spanning an auxiliary unlabeled dataset, the spanning attack significantly improves the query efficiency of black-box attacks. Extensive experiments show that the proposed method works favorably in both soft-label and hard-label black-box attacks. Our code is available at this https URL.

Updated: 2020-10-29