Black-Box Adversarial Algorithms

• Black-box adversarial algorithms are optimization-based methods that craft adversarial examples using only input-output feedback without accessing internal model parameters.
• They employ diverse strategies such as score-based, decision-based, and transfer-based attacks, leveraging genetic, evolutionary, and Bayesian techniques for efficient search.
• These methods enable practical robustness evaluations by reducing query counts and improving attack success rates across applications from image classification to audio and robotics.

Black-box adversarial algorithms are optimization-based attack methods that generate adversarial examples targeting machine learning models in scenarios where direct knowledge of model internals (such as architecture, parameters, or gradients) is unavailable. The adversary typically interacts with the system solely via input-output access—submitting queries and receiving predicted labels, scores, or loss values—and must efficiently search the high-dimensional input space to find perturbations that achieve targeted misclassification or maximal output difference. Such algorithms are critical for evaluating deployed systems, as they reflect real-world adversarial threat models, and their performance is measured primarily in terms of attack success rate, query efficiency, fidelity (imperceptibility), and adaptability to varying feedback modalities.

1. Fundamental Principles and Black-Box Attack Taxonomy

Black-box adversarial algorithms are characterized by their lack of access to model gradients or internals, necessitating reliance on observable outputs. Based on feedback modality, they are categorized as:

• Score-based attacks: The adversary can query the model and access confidence scores, probabilities, or losses for each prediction.
• Decision-based attacks: The adversary only receives the output class label (“hard label”) per query.
• Transfer-based attacks: The adversary crafts perturbations on a surrogate (white-box) model, exploiting the phenomenon of adversarial transferability.

Core optimization methodologies employed in black-box settings include gradient-free algorithms (e.g., random search, evolutionary strategies, reinforcement learning), approximate gradient estimation (e.g., finite difference, sign-estimation), and query-efficient search techniques (e.g., Bayesian optimization with priors, bandit strategies, greedy search). Each adopts specific mechanisms to explore and exploit the adversarial search space under query constraints and limited feedback.

2. Genetic and Evolutionary Strategies

Genetic algorithms (GA) and broader evolutionary strategies are effective for high-dimensional, gradient-free black-box adversarial attacks. Two archetypal examples are:

• Hybrid Genetic + Gradient Estimation Attacks: A two-phase process begins with a GA that evolves a population of candidate perturbations (chromosomes), progressing through selection, crossover, and mutation. The fitness function is typically aligned with attack loss metrics—such as Connectionist Temporal Classification (CTC) loss for audio—as in

$$\operatorname{Pr}(p|y) = \sum_{\pi: C(\pi)=p} \prod_i y_{\pi^i}$$

where $y$ is the model output distribution and $p$ is the target phrase (Taori et al., 2018).

Mutation noise can be tailored using perceptual filters (e.g., high-pass for audio). Momentum updates, such as adaptive mutation probabilities,

$$p_{\text{new}} = \alpha \cdot p_{\text{old}} + \frac{\beta}{|\text{currScore} - \text{prevScore}|}$$

increase exploration if the population plateaus.

• Differential Evolution (DE) and CMA-ES: DE perturbs a population of candidate sign matrices (for image perturbations), using mutation, crossover, and a fitness function that combines confidence gaps and perceptual metrics. Population-based evolution strategies such as Covariance Matrix Adaptation Evolution Strategy (CMA-ES) maintain and update the covariance matrix of perturbations, enabling efficient adaptation even in high dimensions (Qiu et al., 2021). These strategies do not estimate gradients, instead relying purely on population diversity, stochastic search, and measured attack efficacy.

Empirically, genetic and evolutionary methods have been observed to achieve 100% attack success on MNIST and CIFAR-10 with significantly fewer queries compared to coordinate-wise gradient estimation (Chen et al., 2019), and in audio, achieve up to 89.25% targeted similarity with high audio fidelity (Taori et al., 2018).

3. Randomized and Directional Search

Among score-based black-box attacks, randomized and coordinate-wise directional search techniques are prominent:

• SimBA (Simple Black-box Attack): Iteratively perturbs the current input along randomly sampled orthonormal basis directions (pixel or DCT), trying both positive and negative steps, and greedily accepts changes that reduce the confidence of the true label. This requires only two queries per direction per iteration and achieves median query counts as low as 582 on ImageNet, with success rates near 100% (Guo et al., 2019).
• Sign-based Estimation (SignHunter): Focuses on sign recovery of the input's gradient instead of full magnitude, leveraging directional derivatives:

$$D_qL(x, y) \approx \frac{L(x + \delta q) - L(x)}{\delta}, \quad q \in \{-1, +1\}^n$$

The divide-and-conquer binary optimization yields query complexity $O(n/\log n)$, enabling attacks with as few as 12 queries per image on MNIST and 121 on CIFAR-10 under $\ell_\infty$ constraints (Al-Dujaili et al., 2019).

• Square Attack: Randomly modifies square-shaped blocks within an image at each iteration. The side length is determined by a fractional parameter $p$; schedule variations that halve $p$ produce marginal gains. Empirically, Square Attack outperforms other methods in query efficiency (e.g., 0.0% failure on ResNet-50 and VGG-16-BN with minimal queries) (Wang, 2022).

4. Bayesian and Prior-guided Optimization

Integrating global prior information and Bayesian search offers substantial query efficiency gains:

• Prior-guided Bayesian Optimization (P-BO): Treats the surrogate model's loss $f'$ as the mean function for a Gaussian Process prior over the unknown true loss $f$:

$f \sim \mathcal{GP}(f', k)$

The GP posterior mean is:

$$\mu_t(x) = k_T(x)^\top K_T^{-1}(y_T - y_T') + f'(x)$$

and acquisition step (Upper-Confidence Bound):

$\alpha(x) = \mu_t(x) + \beta \sigma_t(x)$

The regret bound is proportional to the RKHS distance $\Vert f-f' \Vert_k$, motivating an adaptive coefficient $\lambda$ such that the prior becomes $\lambda f'$; $\lambda$ is adaptively adjusted by maximizing GP likelihood. Experiments reduce query counts to $15$–$20$ for CIFAR-10 and $81$–$94$ for ImageNet per attack, with nearly 100% success on diverse vision and vision-LLMs (Cheng et al., 29 May 2024).

• PRGF (Prior-guided Random Gradient-Free): Combines the surrogate gradient with random gradient-free samples using optimal weighting. If the cosine similarity $\alpha$ between the surrogate and the unknown true gradient is high, the estimator biases strongly toward the surrogate gradient, drastically reducing queries while preserving accuracy (Dong et al., 2022).

5. Decision-based and Median Search Attacks

In scenarios where only hard labels are observable, decision-based black-box attacks are employed:

• Approximation Decision Boundary Approach (ADBA, ADBA-md): Rather than performing a binary search to determine the exact decision boundary per candidate direction (which is query intensive), ADBA compares two candidate perturbation directions using an “approximate decision boundary” (ADB). The median of the statistical distribution of decision boundaries is used as the threshold (via

$$\int_{\text{start}}^{\text{ADB}} \rho(r) dr = \frac{1}{2}\int_{\text{start}}^{\text{end}} \rho(r) dr$$

), maximizing the probability of differentiating between two candidates in a single step. This yields an expected four queries per comparison, compared to ~10 for standard binary search (Wang et al., 7 Jun 2024). ADBA-md achieves attack success rates exceeding 99% on six state-of-the-art classifiers with dramatically improved query efficiency.

• Reinforcement Learning-based Approaches (DBAR): Decision-based attacks optimized via RL learn a parameterized distribution (e.g., normal) over perturbations. The agent samples perturbations $\eta$ such that, when added to the input, they maximize misclassification reward while minimizing $\|\eta\|_{\infty}$. The RL objective is

$$J(\Theta) = \int p_\Theta(\tau) \Big(\sum_t r(x_t, \eta_t)\Big) d\tau$$

where reward $r$ incorporates attack success and perturbation penalty. DBAR demonstrates improved attack success rate and transferability over previous decision-based attacks (e.g., Boundary Attack) (Huang et al., 2022).

6. Applications Beyond Image and Robustness Evaluation

Black-box adversarial algorithms are broadly applicable beyond image classification:

• Audio Systems: Hybrid genetic-gradient approaches can target automatic speech recognition (ASR) models using CTC loss functions, producing adversarial audio yielding targeted phrase similarity of 89.25% and audio similarity of 94.6% (Taori et al., 2018).
• SLAM and Robotics: Transfer-based black-box attacks on CNN-based feature detectors within SLAM systems (e.g., GCN-SLAM) show that even moderate perturbations introduced via surrogates such as InceptionResNetV2—or applied to depth channels—cause catastrophic tracking failure (up to 76% untracked frames), severely degrading pose estimation on robotics benchmarks (Gkeka et al., 30 May 2025).
• Clustering Algorithms: Genetic algorithm-inspired black-box attacks designed for unsupervised learning demonstrate that adversarial perturbations crafted to alter cluster assignments are highly transferable to supervised models, reducing classification accuracy across SVM, Random Forests, and DNNs (Cinà et al., 2020).
• Benchmarking: BlackboxBench (Zheng et al., 2023) offers a modular evaluation framework enabling comparative analysis of 29 query-based and 30 transfer-based algorithms on diverse architectures and datasets, applying consistent metrics (ASR, queries, fidelity) and analytical tools (e.g., saliency visualization, adversarial divergence).

7. Performance Metrics, Practical Implications, and Future Directions

Key metrics for black-box adversarial algorithms include:

• Attack Success Rate (ASR): Proportion of successful adversarial examples.
• Query Efficiency: Average and median queries needed per successful attack (with state-of-the-art methods achieving median values as low as ~15–100 on ImageNet and CIFAR-10).
• Perceptual Fidelity: Structural similarity (SSIM), LPIPS, and cross-correlation for audio.
• Transferability: Success across multiple models or domains.

Practical implications encompass:

• Security Testing: Real-world systems (APIs, deployed models, SLAM) are vulnerable to black-box attacks even with moderate perturbations.
• Stealth and Detection: Query-efficient, fine-grained attacks (e.g., GreedyPixel (Wang et al., 24 Jan 2025), ADBA-md) are less likely to trigger monitoring, raising the bar for defense mechanisms.
• Robustness Auditing: Benchmarks such as BlackboxBench aid in tracking advancements and identifying weaknesses in current model architectures and defense strategies (Zheng et al., 2023).

Ongoing research areas include adaptive integration of multiple priors, better surrogate alignment metrics (e.g., adversarial divergence), attacks under minimal feedback or constrained query budgets, and bridging the gap between untargeted and targeted attack efficiency.

In summary, black-box adversarial algorithms constitute a diverse suite of optimization-driven attack methodologies underpinning both fundamental research and practical robustness evaluation in machine learning security. Algorithmic innovations—spanning genetic and greedy search, efficient gradient-free estimation, Bayesian optimization with adaptive priors, median-search analysis, and differential/decision-based RL approaches—continue to reduce query costs, increase stealthiness, and broaden applicability across modalities and domains.