Adversarial attacks have been extensively studied in recent years since they can identify the vulnerability of deep learning models before deployed. In this paper, we consider the black-box adversarial setting, where the adversary needs to craft adversarial examples without access to the gradients of a target model. Previous methods attempted to approximate the true gradient either by using the transfer gradient of a surrogate white-box model or based on the feedback of model queries. However, the existing methods inevitably suffer from low attack success rates or poor query efficiency since it is difficult to estimate the gradient in a high-dimensional input space with limited information. To address these problems and improve black-box attacks, we propose two prior-guided random gradient-free (PRGF) algorithms based on biased sampling and gradient averaging, respectively. Our methods can take the advantage of a transfer-based prior given by the gradient of a surrogate model and the query information simultaneously. Through theoretical analyses, the transfer-based prior is appropriately integrated with model queries by an optimal coefficient in each method. Extensive experiments demonstrate that, in comparison with the alternative state-of-the-arts, both of our methods require much fewer queries to attack black-box models with higher success rates.

中文翻译：

---

由基于转移的先验引导的高效查询黑盒对抗攻击。

近年来，对抗性攻击得到了广泛的研究，因为它们可以在部署之前识别深度学习模型的漏洞。在本文中，我们考虑了黑盒对抗设置，其中对手需要在不访问目标模型梯度的情况下制作对抗示例。以前的方法试图通过使用代理白盒模型的转移梯度或基于模型查询的反馈来逼近真实梯度。然而，现有方法不可避免地存在攻击成功率低或查询效率低的问题，因为在信息有限的高维输入空间中难以估计梯度。为了解决这些问题并改进黑盒攻击，我们提出了两种分别基于有偏采样和梯度平均的先验引导无梯度随机（PRGF）算法。我们的方法可以同时利用代理模型的梯度和查询信息给出的基于转移的先验。通过理论分析，基于转移的先验通过每种方法中的最佳系数适当地与模型查询相结合。大量实验表明，与替代的最先进技术相比，我们的两种方法都需要更少的查询来攻击具有更高成功率的黑盒模型。基于转移的先验通过每种方法中的最佳系数与模型查询适当地集成。大量实验表明，与替代的最先进技术相比，我们的两种方法都需要更少的查询来攻击具有更高成功率的黑盒模型。基于转移的先验通过每种方法中的最佳系数与模型查询适当地集成。大量实验表明，与替代的最先进技术相比，我们的两种方法都需要更少的查询来攻击具有更高成功率的黑盒模型。