Improved black-box attack based on query and perturbation distribution

Adversarial examples cause the deep neural network prediction error, which is a great threat to the deep neural network. How to generate more natural adversarial examples and improve the robustness of deep neural networks has received attention. In this paper, we propose an improved black-box attack (IBBA) algorithm based on query and perturbation distribution. This algorithm only needs the top-1 label of the attacked model to generate the adversarial examples. Based on the existing black-box attacks, we optimize the performance of the algorithm from two aspects: query distribution and perturbation distribution. In the aspect of query distribution, we adopt different strategies for nontargeted attack and targeted attack; in the aspect of perturbation distribution, we choose different low-frequency noise according to the difference between the targeted attack and nontargeted attack. The experimental results on ImageNet show that the proposed algorithm is better than the existing algorithms in low query number, and the targeted attack is better in each specified query number.