Query-Efficient Target-Agnostic Black-Box Attack

Raha Moraffah, Huan Liu

Research output: Chapter in Book/Report/Conference proceedingConference contribution


Adversarial attacks have recently been proposed to scrutinize the security of deep neural networks. Most blackbox adversarial attacks, which have partial access to the target through queries, are target-specific; e.g., they require a well-trained surrogate that accurately mimics a given target. In contrast, target-agnostic black-box attacks are developed to attack any target; e.g., they learn a generalized surrogate that can adapt to any target via fine-tuning on samples queried from the target. Despite their success, current state-of-the-art target-agnostic attacks require tremendous fine-tuning steps and consequently an immense number of queries to the target to generate successful attacks. The high query complexity of these attacks makes them easily detectable and thus defendable. We propose a novel query-efficient target-agnostic attack that trains a generalized surrogate network to output the adversarial directions iv.r.t. the inputs and equip it with an effective fine-tuning strategy that only fine-tunes the surrogate when it fails to provide useful directions to generate the attacks. Particularly, we show that to effectively adapt to any target and generate successful attacks, it is sufficient to fine-tune the surrogate with informative samples that help the surrogate get out of the failure mode with additional information on the target's local behavior. Extensive experiments on CIFAR10 and CIFAR-100 datasets demonstrate that the proposed target-agnostic approach can generate highly successful attacks for any target network with very few fine-tuning steps and thus significantly smaller number of queries (reduced by several order of magnitudes) compared to the state-of-the-art baselines.

Original languageEnglish (US)
Title of host publicationProceedings - 22nd IEEE International Conference on Data Mining, ICDM 2022
EditorsXingquan Zhu, Sanjay Ranka, My T. Thai, Takashi Washio, Xindong Wu
PublisherInstitute of Electrical and Electronics Engineers Inc.
Number of pages10
ISBN (Electronic)9781665450997
StatePublished - 2022
Externally publishedYes
Event22nd IEEE International Conference on Data Mining, ICDM 2022 - Orlando, United States
Duration: Nov 28 2022Dec 1 2022

Publication series

NameProceedings - IEEE International Conference on Data Mining, ICDM
ISSN (Print)1550-4786


Conference22nd IEEE International Conference on Data Mining, ICDM 2022
Country/TerritoryUnited States


  • Black-Box Attack
  • DNN
  • DNN Security.
  • Meta-learning
  • Output Diversifying Sampling
  • Surrogate
  • Target-agnostic Attack
  • Transferability-based Attack

ASJC Scopus subject areas

  • Engineering(all)


Dive into the research topics of 'Query-Efficient Target-Agnostic Black-Box Attack'. Together they form a unique fingerprint.

Cite this