Papers
Topics
Authors
Recent
Search
2000 character limit reached

Zero-Query Black-Box Attacks

Updated 8 July 2026
  • Zero-query black-box attacks are adversarial strategies that bypass direct model interaction using surrogate models and external priors.
  • They leverage offline statistics, structural priors, and transferability mechanisms to generate perturbations across modalities.
  • Empirical studies show high attack success rates in image, speech, and text domains while maintaining stealth with minimal perceptual changes.

Zero-query black-box attacks are adversarial attacks designed under the constraint that the attacker does not obtain target-model feedback during attack generation. Across image classification, object detection, automatic speech recognition, in-context learning, LLM-based retrieval, and text classification, the common pattern is the replacement of target interaction by surrogate access, offline statistics, or structural priors, with transferability serving as the primary route from attack construction to target failure. The literature uses closely related labels—“zero-query,” “query-free,” and “hard black-box”—but the operational meaning is consistent: no access to target parameters, gradients, logits, or query-based feedback while crafting the adversarial input (Costa et al., 1 Oct 2025, Cai et al., 2022, Fang et al., 2024, He et al., 29 Jan 2026, Li et al., 30 Jan 2026, Na et al., 18 Apr 2025).

1. Scope, terminology, and representative systems

The topic emerged in different subfields with different objects of attack. In context-aware object detection, the setting is a single submission of a perturbed image with no feedback from the victim detector (Cai et al., 2022). In image classification, ZQBA formulates a black-box target network ftf_t with “no queries permitted” and generates perturbations from a surrogate fsf_s by using feature maps and guided backpropagation (Costa et al., 1 Oct 2025). In ASR, ZQ-Attack assumes that the attacker is “prohibited from making any inference queries during adversarial example construction” and relies entirely on local surrogate ASRs (Fang et al., 2024). In in-context learning, ICL-Evader defines a deployed LLM classifier M\mathcal M for which the adversary has “No access to M\mathcal{M}’s parameters, gradients or logits” and “Cannot query M\mathcal{M} at all during adversarial sample construction” (He et al., 29 Jan 2026). In LLM-based retrieval, the attacker does not know the user query and has no victim-model access, so the attack must be query-agnostic as well as black-box (Li et al., 30 Jan 2026). In text classification, Q-FAKER treats the target classifier f:XYf:X\to Y as completely inaccessible: neither internal parameters nor output scores or labels are available (Na et al., 18 Apr 2025).

Domain Representative method Core mechanism
Image classification ZQBA (Costa et al., 1 Oct 2025) Guided-backprop feature-map perturbations from a surrogate DNN
Object detection ZQA-PSPM (Cai et al., 2022) Context-consistent attack plans with PSPM-guided selection
ASR ZQ-Attack (Fang et al., 2024) Scaled target-command initialization and sequential ensemble optimization
ICL text classification ICL-Evader (He et al., 29 Jan 2026) Fake Claim, Template, and Needle-in-a-Haystack prompt manipulations
LLM-based retrieval “Someone Hid It” (Li et al., 30 Jan 2026) Zero-shot surrogate queries, min–max token injection, and GCG
Text classifiers Q-FAKER (Na et al., 18 Apr 2025) Surrogate-guided controlled generation with a frozen GPT-2 backbone

A recurrent misconception is that zero-query implies zero side information. The published threat models do not make that claim. Instead, they typically allow a surrogate model, external corpora, training-data co-occurrence statistics, or a proxy LLM (Cai et al., 2022, He et al., 29 Jan 2026, Li et al., 30 Jan 2026, Na et al., 18 Apr 2025). Another misconception is that zero-query implies a single attack style. The literature spans additive perturbations, multi-object relabeling, audio command planting, prompt-structure manipulation, document-token injection, and controlled text generation.

2. Transferability as the central mechanism

The theoretical center of the area is transferability. ZQBA states this explicitly through shared representations between a surrogate classifier fs:RdRkf_s:\mathbb{R}^d\to\mathbb{R}^k and a target classifier ft:RdRkf_t:\mathbb{R}^d\to\mathbb{R}^k. For the true class cc, the paper uses the first-order approximation

ftc(x+Δ)ftc(x)+xftc(x)Δ,f_t^c(x+\Delta)\approx f_t^c(x)+\nabla_x f_t^c(x)^\top \Delta,

and notes that if the surrogate and target gradients have positive correlation

fsf_s0

then choosing fsf_s1 will also reduce fsf_s2 (Costa et al., 1 Oct 2025). The same work generalizes from logits to feature maps by defining fsf_s3 as the activation tensor at layer fsf_s4 and fsf_s5 as a guided-backprop map in pixel space. The associated smoothness argument bounds target-loss increase by a first-order inner product plus an fsf_s6-smoothness quadratic term, which makes surrogate-derived perturbation directions plausible even without target access (Costa et al., 1 Oct 2025).

Other modalities instantiate the same principle differently. ZQ-Attack for ASR emphasizes architectural diversity rather than local gradient alignment: it selects surrogate ASRs spanning CNN-based and Transformer-based acoustic models so that perturbations can capture both local features and global dependencies (Fang et al., 2024). The retrieval attack in “Someone Hid It” frames transfer through topic-clustered embedding structure. Its core surrogate objective is

fsf_s7

with a transferability lemma connecting the surrogate retriever fsf_s8 and the victim retriever fsf_s9 under an M\mathcal M0–M\mathcal M1-Precise assumption on topic clusters (Li et al., 30 Jan 2026). Q-FAKER uses a different surrogate route: a small classification head on top of a frozen GPT-2 steers controlled generation toward adversarial regions while the language-model prior preserves fluency (Na et al., 18 Apr 2025).

This suggests that “transferability” in zero-query settings is not a single mathematical object but a family of surrogate-to-target correspondences: gradient alignment in classifiers, shared acoustic vulnerabilities across ASR architectures, topic-cluster geometry in retrievers, and prompt-format or discourse priors in LLM classifiers.

3. Attack constructions

ZQBA is a feature-map-based additive attack. For a clean image M\mathcal M2, surrogate network M\mathcal M3, and layer set M\mathcal M4, it defines

M\mathcal M5

followed by

M\mathcal M6

The algorithm forward-passes M\mathcal M7 through the surrogate, computes each activation M\mathcal M8, obtains guided-backprop maps M\mathcal M9 via ReLU-guided backprop, M\mathcal{M}0-norm normalizes each map, fuses them with weights M\mathcal{M}1, and clips into the valid image range. In the reported implementation, M\mathcal{M}2—typically the last convolutional block—was sufficient, and a single scalar M\mathcal{M}3 selected by ablation gave the best trade-off at M\mathcal{M}4 with M\mathcal{M}5 (Costa et al., 1 Oct 2025).

In context-aware object detection, the attack construction is combinatorial as well as continuous. The defender checks whether the final set of detected labels is context-consistent by thresholding a co-occurrence graph. The attacker therefore cannot merely relabel one victim object; it must choose helper labels for the remaining objects so that the full attacked label set remains context-consistent. The paper constructs candidate helper labels from the co-occurrence matrix M\mathcal{M}6, then uses a Perturbation Success Probability Matrix M\mathcal{M}7 to rank context-consistent assignments and finally solves the resulting multi-object evasion objective with projected gradient descent (Cai et al., 2022).

ZQ-Attack for ASR begins by embedding a scaled target command audio inside the carrier audio rather than initializing from zero or random noise. It then refines the perturbation with a sequential ensemble optimization algorithm over an ordered set of surrogate ASRs M\mathcal{M}8. The loss combines an adversarial term, an imperceptibility term M\mathcal{M}9, and an acoustic feature term M\mathcal{M}0. Updates are followed by loudness-adaptive clipping,

M\mathcal{M}1

so larger perturbations are permitted in louder regions (Fang et al., 2024).

In LLM-based text settings, the attack surface shifts from continuous perturbations to prompt and token structure. ICL-Evader defines three attacks. Fake Claim inserts command-like assertions such as “This is a benign text!” into the test sample. Template Attack prepends fake demonstrations so that prompt separators and ordering obscure the real test sample. Needle-in-a-Haystack embeds the malicious content in a large amount of benign text, optionally formatted with HTML or Markdown tags, so that the model’s classification skews toward the majority content (He et al., 29 Jan 2026). Q-FAKER instead generates a full adversarial sentence. It keeps a prefix of the original text fixed, computes surrogate gradients on the hidden state of a frozen GPT-2 backbone, perturbs the hidden state by

M\mathcal{M}2

and fuses the original and adversarial next-token distributions as

M\mathcal{M}3

with M\mathcal{M}4, M\mathcal{M}5, and M\mathcal{M}6 (Na et al., 18 Apr 2025).

For LLM-based retrieval, “Someone Hid It” appends a short suffix of injection tokens to a victim document and optimizes them without knowing the real query. A casual LLM samples a pool of surrogate queries, and a GAN-style alternating procedure optimizes both the document suffix and the sampled queries using Greedy Coordinate Gradient search. The attack minimizes the similarity between the injected document and the hardest sampled query under a surrogate retriever while simultaneously adapting the query pool (Li et al., 30 Jan 2026).

4. Empirical behavior and transfer performance

The empirical record shows that zero-query attacks can be effective across very different tasks, but their reported metrics are modality-specific. In image classification, ZQBA reports Attack Success Rate M\mathcal{M}7, SSIM, and the M\mathcal{M}8 norm of M\mathcal{M}9. On CIFAR-10, with a ResNet18 target whose clean accuracy is f:XYf:X\to Y0, MobileNetv2-derived maps reduce target accuracy to f:XYf:X\to Y1 for a MobileNetv2 target, f:XYf:X\to Y2 for EfficientNetB2, f:XYf:X\to Y3 for ResNet18, and f:XYf:X\to Y4 for ResNet50. The paper states that using MobileNetv2-derived maps yields a f:XYf:X\to Y5 relative accuracy drop for ResNet18. In cross-domain transfer, generating maps on TinyImageNet and attacking CIFAR-10 drops ResNet18 accuracy from f:XYf:X\to Y6 to f:XYf:X\to Y7. Against one-query baselines, the reported CIFAR-10, CIFAR-100, and TinyImageNet accuracies are f:XYf:X\to Y8, f:XYf:X\to Y9, and fs:RdRkf_s:\mathbb{R}^d\to\mathbb{R}^k0 for Square; fs:RdRkf_s:\mathbb{R}^d\to\mathbb{R}^k1, fs:RdRkf_s:\mathbb{R}^d\to\mathbb{R}^k2, and fs:RdRkf_s:\mathbb{R}^d\to\mathbb{R}^k3 for ZOO; and fs:RdRkf_s:\mathbb{R}^d\to\mathbb{R}^k4, fs:RdRkf_s:\mathbb{R}^d\to\mathbb{R}^k5, and fs:RdRkf_s:\mathbb{R}^d\to\mathbb{R}^k6 for ZQBA (Costa et al., 1 Oct 2025).

For context-aware object detectors, the relevant metric is fooling rate under a context-consistency constraint. On VOC2007 at perturbation budget fs:RdRkf_s:\mathbb{R}^d\to\mathbb{R}^k7, the white-box fooling rates are fs:RdRkf_s:\mathbb{R}^d\to\mathbb{R}^k8 for Context-Agnostic, fs:RdRkf_s:\mathbb{R}^d\to\mathbb{R}^k9 for ZQA, ft:RdRkf_t:\mathbb{R}^d\to\mathbb{R}^k0 for ZQA-PSPM, and ft:RdRkf_t:\mathbb{R}^d\to\mathbb{R}^k1 for Few-Query with ft:RdRkf_t:\mathbb{R}^d\to\mathbb{R}^k2 queries. In black-box transfer to RetinaNet, Libra R-CNN, and FoveaBox, the corresponding ranges are approximately ft:RdRkf_t:\mathbb{R}^d\to\mathbb{R}^k3–ft:RdRkf_t:\mathbb{R}^d\to\mathbb{R}^k4, ft:RdRkf_t:\mathbb{R}^d\to\mathbb{R}^k5–ft:RdRkf_t:\mathbb{R}^d\to\mathbb{R}^k6, ft:RdRkf_t:\mathbb{R}^d\to\mathbb{R}^k7–ft:RdRkf_t:\mathbb{R}^d\to\mathbb{R}^k8, and ft:RdRkf_t:\mathbb{R}^d\to\mathbb{R}^k9–cc0. As cc1 decreases from cc2 to cc3, fooling rates drop for all methods, but ZQA-PSPM remains roughly cc4 better than context-agnostic and outperforms few-query with up to cc5 queries in black-box (Cai et al., 2022).

For ASR, the principal metrics are success rate of attack and signal-to-noise ratio. ZQ-Attack reports cc6 success rate of attack with average SNR of cc7dB on cc8 online speech recognition services in the over-the-line setting, cc9 average SRoA with average SNR of ftc(x+Δ)ftc(x)+xftc(x)Δ,f_t^c(x+\Delta)\approx f_t^c(x)+\nabla_x f_t^c(x)^\top \Delta,0dB on ftc(x+Δ)ftc(x)+xftc(x)Δ,f_t^c(x+\Delta)\approx f_t^c(x)+\nabla_x f_t^c(x)^\top \Delta,1 open-source ASRs, and ftc(x+Δ)ftc(x)+xftc(x)Δ,f_t^c(x+\Delta)\approx f_t^c(x)+\nabla_x f_t^c(x)^\top \Delta,2 SRoA with average SNR of ftc(x+Δ)ftc(x)+xftc(x)Δ,f_t^c(x+\Delta)\approx f_t^c(x)+\nabla_x f_t^c(x)^\top \Delta,3dB on commercial intelligent voice control devices in the over-the-air setting (Fang et al., 2024).

In ICL text classification, the reported metric is Attack Success Rate defined from the drop in recall on attacked positives. On Llama3-8B with ftc(x+Δ)ftc(x)+xftc(x)Δ,f_t^c(x+\Delta)\approx f_t^c(x)+\nabla_x f_t^c(x)^\top \Delta,4-shot prompting, Fake Claim reaches up to ftc(x+Δ)ftc(x)+xftc(x)Δ,f_t^c(x+\Delta)\approx f_t^c(x)+\nabla_x f_t^c(x)^\top \Delta,5 ASR on sentiment, ftc(x+Δ)ftc(x)+xftc(x)Δ,f_t^c(x+\Delta)\approx f_t^c(x)+\nabla_x f_t^c(x)^\top \Delta,6 on toxicity, and ftc(x+Δ)ftc(x)+xftc(x)Δ,f_t^c(x+\Delta)\approx f_t^c(x)+\nabla_x f_t^c(x)^\top \Delta,7 on illicit promotion; Template reaches ftc(x+Δ)ftc(x)+xftc(x)Δ,f_t^c(x+\Delta)\approx f_t^c(x)+\nabla_x f_t^c(x)^\top \Delta,8–ftc(x+Δ)ftc(x)+xftc(x)Δ,f_t^c(x+\Delta)\approx f_t^c(x)+\nabla_x f_t^c(x)^\top \Delta,9 across tasks; and Needle reaches fsf_s00 on toxicity, fsf_s01 on illicit promotion, and fsf_s02 on sentiment. The same paper reports that traditional NLP attacks achieve fsf_s03 transfer ASR under the zero-query setting (He et al., 29 Jan 2026).

For LLM retrieval, “Someone Hid It” measures Recall@25/50 and NDCG@25/50 drop on the ground-truth document. Table 2 reports average Recall@25 drops across four datasets. For Qwen1.5, the Recall@25 values are fsf_s04 original, fsf_s05 with GCG, fsf_s06 with PRADA, fsf_s07 with Poison-RAG, and fsf_s08 with DQ-A. For Gemma, they are fsf_s09, fsf_s10, fsf_s11, fsf_s12, and fsf_s13; for JinaAI, fsf_s14, fsf_s15, fsf_s16, fsf_s17, and fsf_s18. The paper states that on fsf_s19 of fsf_s20 victim models, DQ-A achieves the largest drop, with fsf_s21–fsf_s22 absolute loss in Recall@25 and fsf_s23–fsf_s24 in Recall@50, while Qwen3-Embedding-0.6B is robust and all attacks yield at most a fsf_s25 drop (Li et al., 30 Jan 2026).

Q-FAKER reports Attack Success Rate, query count, semantic similarity, perplexity, grammatical errors, and human or LLM-based quality judgments. On the eight AdvBench datasets, it achieves ASR/query pairs of fsf_s26 on Assassin, fsf_s27 on Enron, fsf_s28 on EDENCE, fsf_s29 on FAS, fsf_s30 on CGFake, fsf_s31 on Amazon-LB, fsf_s32 on Jigsaw, and fsf_s33 on HSOL. On Amazon-LB, the reported quality figures are USE fsf_s34, PPL fsf_s35, and fsf_s36, compared with CT-GAT at USE fsf_s37, PPL fsf_s38, and fsf_s39 (Na et al., 18 Apr 2025).

5. Stealth, evaluation, and points of disagreement

Zero-query black-box attacks are often discussed as if “stealth” were a single property, but the literature evaluates stealth differently across modalities. For ZQBA, stealth is largely perceptual: fsf_s40 for all experiments, the final SSIM is always at least fsf_s41, and the perturbation is described as “virtually invisible to humans.” The mean fsf_s42 for CIFAR-10 images on the fsf_s43–fsf_s44 scale, and the reported fsf_s45 norm is fsf_s46 on the fsf_s47–fsf_s48 scale (Costa et al., 1 Oct 2025). In ASR, stealth is acoustical: the SNR values of fsf_s49dB, fsf_s50dB, and fsf_s51dB quantify the imperceptibility–effectiveness trade-off, while the paper also notes that human listeners can still occasionally detect commands over repeated listenings (Fang et al., 2024).

In prompt- and text-based attacks, stealth is partly linguistic and partly operational. ICL-Evader emphasizes that zero-query eliminates query-based detection or throttling defenses, but the attacks themselves may insert claims, fake demonstrations, or large haystacks of benign text (He et al., 29 Jan 2026). Q-FAKER addresses linguistic quality directly through USE, PPL, fsf_s52, and pairwise naturalness judgments (Na et al., 18 Apr 2025). In object detection, stealth is not only pixel-level but also semantic: the attack must evade a context-consistency check, so a successful perturbation is one that causes misclassification while preserving a plausible joint label set (Cai et al., 2022). In retrieval, the attack can be triggered by a “few tokens” appended to public documents; the paper further raises the possibility that “similar effects may arise from benign or unintended document edits in the real world” (Li et al., 30 Jan 2026).

A second point of disagreement concerns whether zero-query attacks are necessarily lightweight. The evidence is mixed. ZQBA explicitly “does not perform iterative optimization at attack time” (Costa et al., 1 Oct 2025), whereas ZQ-Attack uses a sequential ensemble optimization algorithm over multiple surrogates (Fang et al., 2024), “Someone Hid It” uses alternating optimization and GCG (Li et al., 30 Jan 2026), and Q-FAKER requires surrogate training plus controlled generation (Na et al., 18 Apr 2025). The absence of target queries therefore does not imply absence of substantial offline optimization.

6. Defenses, limitations, and open directions

The defense landscape is heterogeneous and largely modality-specific. ZQBA discusses input purification, including denoising autoencoders and random resizing or padding; feature squeezing through small bit-depth and spatial smoothing; and adversarial training using surrogate-style maps (Costa et al., 1 Oct 2025). ICL-Evader evaluates three primitive defenses—Adversarial Demonstration, Cautionary Warning, and Random Template—and then combines them into a joint defense recipe. The reported joint outcome is Fake Claim ASRR approximately fsf_s53, Needle ASRR approximately fsf_s54, Template ASRR up to fsf_s55, and accuracy degradation at most fsf_s56 (He et al., 29 Jan 2026). By contrast, the retrieval paper states that “No off-the-shelf robust defense presently covers pre-retrieval injection; novel defenses are needed” (Li et al., 30 Jan 2026).

The limitations reported in the literature are equally varied. ZQBA is “less effective against models adversarially trained for feature-map poisoning,” and its “single-step nature makes ZQBA weaker than multi-query optimization when a query budget is available” (Costa et al., 1 Oct 2025). ZQ-Attack highlights computational cost from multiple surrogate models and notes an “imperceptibility ceiling” despite mostly inaudible perturbations (Fang et al., 2024). ICL-Evader is limited to binary classification, leaves multi-class, regression, multi-modal ICL, and formal robustness certification unexplored, and flags the need for user studies on human perceptibility of hidden formatting (He et al., 29 Jan 2026). Q-FAKER requires knowledge of the task type to train a surrogate and leaves iterative refinement and generative-LLM jailbreak transfer as future directions (Na et al., 18 Apr 2025). “Someone Hid It” specializes in hide attacks rather than boosting a document’s in-group rank and identifies surrogate choice and prompt design as further variables (Li et al., 30 Jan 2026).

A plausible implication is that zero-query black-box attacks are better understood as a regime of adversarial design rather than a single technique. The regime is defined by the elimination of target interaction, but the enabling mechanisms vary: shared convolutional representations, co-occurrence-aware multi-object plans, cross-architecture acoustic transfer, prompt-format fragility, topic-cluster geometry, and controlled text generation. The published results collectively indicate that strong failure modes can persist even when the attacker never receives target feedback, which shifts the security focus from query monitoring alone toward surrogate-aware robustness, structural defenses, and evaluation protocols that explicitly model zero-query threat assumptions (Costa et al., 1 Oct 2025, Cai et al., 2022, Fang et al., 2024, He et al., 29 Jan 2026, Li et al., 30 Jan 2026, Na et al., 18 Apr 2025).

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Zero-Query Black-Box Attacks.