Black-Box Attack Algorithms

Updated 18 January 2026

Black-box attack algorithms are adversarial methods that generate perturbations to mislead machine learning models without direct access to internal parameters.
They employ gradient-free techniques, genetic strategies, and discrete search methods to optimize adversarial examples under strict query constraints.
Efficient adversarial attacks leverage search space reduction and adaptive query strategies to overcome defense mechanisms in diverse domains.

A black-box attack algorithm is an adversarial attack strategy that constructs inputs which mislead machine learning models under conditions where the attacker has no direct access to model parameters, gradients, or internal structure. In the black-box scenario, only limited access is available—typically through queries that return output labels, probabilities, or scores for chosen inputs—making the crafting of adversarial examples a highly constrained and practically relevant optimization problem. A variety of algorithmic frameworks have emerged to address this challenge, exploiting evolutionary methods, compressed sensing, surrogate modeling, discrete search, and various query-efficient heuristics across a range of machine learning domains including image classification, object detection, graph neural networks, sequence modeling, and more.

1. Formal Problem Setting and Threat Models

Black-box attack algorithms are defined by strict query-only access to a machine learning model $f$ : given an input $x\in\mathbb{R}^d$ (for vision, typically a color image), the adversary can query $f(x+\delta)$ and observe the output label, top- $K$ labels, softmax confidences, or loss values. The canonical adversarial example problem is then to find a perturbation $\delta$ such that:

$\|\delta\|_p \le \epsilon$ , per some norm constraint ( $p\in\{2,\,\infty\}$ commonly),
$f(x+\delta) \ne f(x)$ for untargeted attacks, or $f(x+\delta) = t$ for a specific target class $t$ in targeted attacks,
under a total query budget $Q_{\max}$ , with no access to $\nabla_x f$ , weights, or network internals.

Variations include “score-based” (probabilistic/confidence output available) and “decision-based” (only top-1 labels visible) settings (Wang, 2022), and distinct threat models for APIs, defense-aware targets, or transferability across networks (Alzantot et al., 2018, Huang et al., 2019).

In certain domains (e.g., graph neural networks), the adversary may perturb graph topology or node features, subject to constraints such as edge-flip budgets and connectivity priors (Zhan et al., 2021).

2. Core Algorithmic Techniques

Gradient-Free and Zeroth-Order Estimation

Many black-box algorithms seek to approximate local gradients for adversarial optimization using zeroth-order or finite-difference methods. These include:

Natural Evolution Strategies (NES): Estimating the expected loss gradient by sampling random Gaussian directions $u_k$ and averaging $\frac{1}{n\sigma}\sum_k L(x+\sigma u_k)u_k$ (Wang, 2022, Du et al., 2018, Qiu et al., 2021).
Score-based Sign Estimation: Methods such as ZO-signSGD, SimBA, and SignHunter recover (approximate) sign gradients solely from scalar loss evaluations, enabling efficient coordinate or direction selection (Al-Dujaili et al., 2019, Guo et al., 2019, Wang, 2022).
Bandit Optimization: Adaptive latent gradient estimation and update via directional probes, using historical query data to inform coordinate selection and gradient priors (Wang, 2022).

Evolutionary and Genetic Algorithms

A distinct class comprises black-box attacks powered by evolutionary search or swarm-based heuristics:

GenAttack: Constructs a population of candidate adversarial examples, evolving via selection, pixel-level crossover, and mutation, subject to an $L_\infty$ constraint. Population updates are guided by fitness scores derived from softmax margin objectives (Alzantot et al., 2018).
BANA and Microbial GA: Apply tournament or steady-state genetic selection to populations, integrating Gaussian mutation and gene-wise crossover. Solutions evolve through generations until strong fitness is attained (misclassification, then distortion minimization). Randomness and population diversity help evade deterministic defenses (Liu et al., 2019, Abdukhamidov et al., 2023).
GARSDC (genetic for object detection): Adds multi-objective search (minimize true positives, maximize false positives) with random subset sampling, divide-and-conquer on image patches, and gradient-prior transfer-based initial populations to facilitate attacks on detectors with millions of search variables (Liang et al., 2022).

Pixel- and Patch-Wise Greedy/Discrete Search

GreedyPixel: Sequentially perturbs individual pixels following a pixel-wise priority map computed from a surrogate model’s gradient, greedily selecting perturbations that most decrease the target loss. The method is query-efficient and yields high visual fidelity in adversarial images (Wang et al., 24 Jan 2025).
SimBA: Iteratively samples orthonormal (e.g., pixel or DCT) basis vectors and evaluates step directions using confidence score change, accepting those that reduce the probability of the correct class. This allows for highly efficient adversarial constructions (e.g., $\sim$ 1.3k queries for ImageNet, 98% success) (Guo et al., 2019).

Subspace and Low-Frequency Projections

Projection-Probability Driven Attack (PPBA): Reduces the search space to the low-frequency DCT subspace using compressed sensing theory, formulating the attack in a lower-dimensional space. Probability-driven random walks (signed step effectiveness) further improve query efficiency (Li et al., 2020).
Low-Frequency Backdoor Attack (LFBA): Focuses perturbations on a small set of low-frequency DCT bands for trigger injection, optimized with simulated annealing, leading to adversarial examples that are robust to denoising and compression (Qiao et al., 2024).

Surrogate and Embedding-Based Search

TREMBA: Leverages a pretrained surrogate (encoder-decoder) to learn a low-dimensional “semantic” embedding space for adversarial perturbations, then deploys NES-based queries in this embedding for high transferability, leading to a 6x reduction in query count over score-based NES (Huang et al., 2019).
EigenBA: Channels SVD-based transfer from a frozen, pretrained white-box feature extractor, probing along top singular vector directions of the surrogate Jacobian, allowing for significant query savings and robust attack success (Zhou et al., 2020).

Decision-Based and Targeted Search for Sequence Models

Ask, Attend, Attack (AAA): For image-to-text, decision-only, targeted attacks, combines: (1) target semantic mining by perturbing images to elicit target words (“Ask”), (2) surrogate-based region localization via Grad-CAM (“Attend”), and (3) a DE evolutionary search restricted to salient pixels (“Attack”), to achieve high METEOR/BLEU/CLIP scores at low query budgets (Zeng et al., 2024).

3. Search Space Reduction and Query Efficiency Strategies

Due to the high dimensionality of image, video, or graph input spaces, efficiency requires both search space reduction and query-efficient update rules:

Input-Free Attacks (Region Attack): Eliminate similarity constraints by starting from a plain gray image, tiling a small, optimized region across the input, and dramatically shrinking the search dimension for each query (Du et al., 2018).
Patch and Subset Optimization: Restrict updates to patches or randomly chosen subsets (e.g., square attack, GARSDC’s random subset, masking in DIMBA), reducing the per-iteration query and computational burden (Liang et al., 2022, Yin et al., 2022, Wang, 2022).
Dimensionality Reduction: Encode perturbations at lower resolution and upsample (as in GenAttack for ImageNet and CMA-ES/ES approaches), notably reducing required queries in large input spaces (Alzantot et al., 2018, Qiu et al., 2021).
Active Learning and Diversity in Substitute Models: When substitute models are used, active selection of queries prioritizes informativeness (max-entropy, margin) and sample diversity, leading to >90% reduction in queries relative to uniform/random approaches (Li et al., 2018).

The table below summarizes representative algorithms, their main principles, and key efficiency enhancements:

Algorithm	Core Principle	Query Efficiency Mechanism
GenAttack (Alzantot et al., 2018)	Genetic algorithm	Dim. reduction, adaptive mutation
SimBA (Guo et al., 2019)	Basis-wise sign search	Orthonormal probing, DCT subspace
BANA (Liu et al., 2019)	Swarm evolutionary	Large fitness, random init
GARSDC (Liang et al., 2022)	Multi-objective GA	Random subset, DC, mixed init
PPBA (Li et al., 2020)	Low-freq. projection	Comp. sensing, P-driven walk
EigenBA (Zhou et al., 2020)	SVD transfer directions	Singular vector-based updates
TREMBA (Huang et al., 2019)	Embedding-based NES	Surrogate embedding, NES
AAA (Zeng et al., 2024)	Evolutionary, region focus	Target mining, Grad-CAM, DE
Region Attack (Du et al., 2018)	NES, input-free, tiling	Region tiling, entropy heuristic

4. Domain-Specific and Structured Targets

Black-box attacks and algorithms extend to structured input spaces beyond images:

Graph Neural Networks: The Black-Box Gradient Attack (BBGA) adapts meta-gradient estimation using pseudo-labels and surrogate GCNs, with k-fold meta-gradient aggregation to stably perturb adjacency matrices under budget and connectivity constraints (Zhan et al., 2021).
Video and Object Tracking: DIMBA employs RL for patch selection, masking for keyframe attacks, and sign-based optimization of perturbation directions, achieving substantial reductions in queries for tracking manipulation (Yin et al., 2022).
Object Detection: GARSDC deploys a large-scale multi-objective search, jointly minimizing detector true positive rate and maximizing false positive rate, orchestrated with random subset patch search and transfer-based initialization (Liang et al., 2022).
Image-to-Text: AAA’s region-focused DE methods adapt to vision-language problems where only the textual output is returned, coordinating search via automatic target mining and attended search region reduction (Zeng et al., 2024).
Interpretable Systems: QuScore combines white-box seed attack generation on surrogates and microbial genetic algorithm-based refinement, targeting both classifier prediction and the attribution map produced by model interpreters (Abdukhamidov et al., 2023).

5. Experimental Performance and Comparative Analysis

Empirical studies systematically compare black-box attack algorithms under varying query budgets, threat models, and domains:

Region Attack (Du et al., 2018): Achieves 100% success on ImageNet InceptionV3 with mean 1,701 queries per target, outperforming ZOO and QL attacks by 60x and 2x, respectively.
GenAttack (Alzantot et al., 2018): Demonstrates success rates ≥96% on CIFAR-10/ImageNet, median queries an order of magnitude fewer than ZOO; successfully evades non-differentiable and randomized input defenses.
SimBA (Guo et al., 2019): Delivers 98% success in 1.3k queries (DCT basis) for ImageNet untargeted attacks, notably outperforming Bandits-TD and Boundary Attack.
TREMBA (Huang et al., 2019): Obtains up to 6x query savings over NES and 2–5x over transfer-based approaches, with cross-model success rates exceeding 98%.
PPBA (Li et al., 2020): Saves up to 24% of queries over Bandits-TD and NES, with attack success rates above 96% for standard models.
BBGA (Zhan et al., 2021): Increases GCN misclassification rates by 10–20% over baselines under strong defense mechanisms.
LFBA (Qiao et al., 2024): Yields near 99.9% ASR under heavy JPEG and denoise transformations, outperforming conventional and high-frequency backdoor triggers.
QuScore (Abdukhamidov et al., 2023): Achieves median query counts of 5 for ImageNet and CIFAR, 100% attack success, and strong transferability and interpreter robustness.

6. Limitations, Open Challenges, and Future Directions

While black-box attack algorithms have demonstrated strong practical efficacy and efficiency, several intrinsic and practical challenges remain:

Query Budget vs. Success Trade-Off: Attacks must be optimized for minimal queries, particularly under practical limits imposed by APIs or real-time systems.
Surrogate Model Generalization: Methods reliant on surrogate gradients or embeddings are contingent on transferability; when target and surrogate diverge, attack efficiency degrades (Huang et al., 2019, Zhou et al., 2020).
High-Dimensional Scalability: Efficient search (e.g. through low-freq subspaces or patch-wise updates) is feasible for images and structured data, but less so for unstructured or high-frequency tasks.
Defense Evasion: Defensive mechanisms targeted at patch, subspace, or transfer attacks can differentially affect algorithm efficacy; robust attack methods must dynamically adapt to unknown or adaptive defenses (Alzantot et al., 2018, Qiao et al., 2024).
Decision-Only and Sequence Outputs: Adversarial attacks on models with strictly label or sequence output must solve harder, often non-differentiable optimization problems, as addressed in AAA and decision-based geometric methods (Zeng et al., 2024, Reza et al., 2023).
Hyperparameter Sensitivity and Algorithm Stagnation: Many evolutionary and greedy algorithms are sensitive to population size, selection rate, mutation parameters, or the frequency of map updates (as seen in GreedyPixel (Wang et al., 24 Jan 2025)); adaptive, data-driven parameter tuning remains an open area.

Future directions involve further reducing query complexity (possibly toward $O(\sqrt{d})$ ), developing adaptive shape or region search, integrating data-driven priors, handling high-frequency or joint-domain perturbations, and extending techniques to new application areas (e.g., reinforcement learning, multimodal models). Addressing these challenges will enable black-box attack methods to remain effective and practical across evolving machine learning deployment and defense scenarios.