Abstract

Unlike the white-box counterparts that are widely studied and readily\naccessible, adversarial examples in black-box settings are generally more\nHerculean on account of the difficulty of estimating gradients. Many methods\nachieve the task by issuing numerous queries to target classification systems,\nwhich makes the whole procedure costly and suspicious to the systems. In this\npaper, we aim at reducing the query complexity of black-box attacks in this\ncategory. We propose to exploit gradients of a few reference models which\narguably span some promising search subspaces. Experimental results show that,\nin comparison with the state-of-the-arts, our method can gain up to 2x and 4x\nreductions in the requisite mean and medium numbers of queries with much lower\nfailure rates even if the reference models are trained on a small and\ninadequate dataset disjoint to the one for training the victim model. Code and\nmodels for reproducing our results will be made publicly available.\n