Curls & Whey: Boosting Black-Box Adversarial Attacks

Yucheng Shi,Siyu Wang,Yahong Han
DOI: https://doi.org/10.48550/arXiv.1904.01160
2019-04-02
Abstract: Image classifiers based on deep neural networks suffer from harassment caused by adversarial examples. Two defects exist in black-box iterative attacks that generate adversarial examples by incrementally adjusting the noise-adding direction for each step. On the one hand, existing iterative attacks add noises monotonically along the direction of gradient ascent, resulting in a lack of diversity and adaptability of the generated iterative trajectories. On the other hand, it is trivial to perform adversarial attack by adding excessive noises, but currently there is no refinement mechanism to squeeze redundant noises. In this work, we propose Curls & Whey black-box attack to fix the above two defects. During Curls iteration, by combining gradient ascent and descent, we 'curl' up iterative trajectories to integrate more diversity and transferability into adversarial examples. Curls iteration also alleviates the diminishing marginal effect in existing iterative attacks. The Whey optimization further squeezes the 'whey' of noises by exploiting the robustness of adversarial perturbation. Extensive experiments on Imagenet and Tiny-Imagenet demonstrate that our approach achieves impressive decrease on noise magnitude in l2 norm. Curls & Whey attack also shows promising transferability against ensemble models as well as adversarially trained models. In addition, we extend our attack to the targeted misclassification, effectively reducing the difficulty of targeted attacks under black-box condition.
Computer Vision and Pattern Recognition
What problem does this paper attempt to address?
The main problem that this paper attempts to solve is to improve the effectiveness and efficiency of adversarial attacks in a black-box environment, especially for image classifiers based on deep neural networks. Specifically, the paper points out two main flaws in current black-box iterative attack methods:

1. **Monotonicity problem**: Existing iterative attack methods usually monotonically increase noise in the direction of gradient ascent, which leads to a lack of diversity and adaptability in the generated iterative trajectories and makes it difficult to effectively cross the decision boundaries of the target model.
2. **Redundant noise problem**: Although adversarial attacks can be easily achieved by increasing the amount of noise, there is currently a lack of effective mechanisms to reduce redundant noise, thus affecting the effectiveness and efficiency of the attacks.

To overcome these flaws, the paper proposes the **Curls & Whey** black-box attack method, which mainly consists of the following two parts:

### 1. Curls iteration

Curls iteration makes the iterative trajectories more diverse and transferable by combining the gradient ascent and gradient descent directions. The specific steps are as follows:

- Initial step: First, update the original image once in the direction of gradient descent.
- Dynamic adjustment: Dynamically adjust the update direction according to the value of the loss function of the target model. If the loss value of the current adversarial sample on the target model is lower than that in the previous step, continue to update in the direction of gradient descent; otherwise, switch to the direction of gradient ascent.
- Binary search: After each iteration, use binary search to find a smaller noise perturbation between the original image and the found adversarial sample.

### 2. Whey optimization

Whey optimization further reduces redundant noise by taking advantage of the robustness of adversarial perturbations. The specific steps are as follows:

- Group squeezing: Group the adversarial noise according to pixel values and gradually reduce the noise in each group.
- Random squeezing: Randomly squeeze each pixel to gradually reduce redundant noise.

### Experimental results

The paper conducted extensive experiments on the ImageNet and Tiny-ImageNet datasets to verify the effectiveness of the Curls & Whey method. The experimental results show that:

- **Noise magnitude reduction**: The Curls & Whey method significantly reduces the noise magnitude of adversarial samples under the ℓ2 norm, reducing it by 20%-30% compared to other methods, and even reaching 40% in some cases.
- **Stronger transferability**: The generated adversarial samples have higher transferability and can effectively attack ensemble models and adversarially trained models.
- **Targeted attacks**: When extended to the targeted attack scenario, the Curls & Whey method significantly reduces the difficulty of targeted attacks.

### Summary

The Curls & Whey method proposed in the paper significantly improves the effectiveness and efficiency of adversarial attacks in a black-box environment by improving the diversity of iterative trajectories and reducing redundant noise. This method not only performs well in non-targeted attacks but also achieves significant improvements in targeted attacks.
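
The binary search step listed under Curls iteration can be read as a robustness measurement: given a clean input and a point that is already misclassified, find the smallest step along the line between them that still changes the label, and report the ℓ2 distance before and after. The following is an added example, not code from the paper; the toy linear classifier, its weights, the sample points and all function names are constructed assumptions.

```python
import math

# Constructed toy model standing in for a black-box classifier:
# only the predicted label is observable. Weights are hypothetical.
W, B = [1.0, -2.0, 0.5], 0.25

def predict(x):
    """Label-only oracle: 1 if w.x + b > 0, else 0."""
    return 1 if sum(w * v for w, v in zip(W, x)) + B > 0 else 0

def l2(a, b):
    """Euclidean distance between two points."""
    return math.sqrt(sum((p - q) ** 2 for p, q in zip(a, b)))

def blend(x, x_adv, alpha):
    """Point at fraction alpha of the way from x to x_adv."""
    return [p + alpha * (q - p) for p, q in zip(x, x_adv)]

def binary_search_refine(x, x_adv, true_label, steps=30):
    """Return (alpha, point): the smallest alpha found in (0, 1] for which
    the blended point is still misclassified."""
    if predict(x) != true_label or predict(x_adv) == true_label:
        raise ValueError("need a correctly classified x and a misclassified x_adv")
    lo, hi = 0.0, 1.0  # invariant: lo is classified correctly, hi is not
    for _ in range(steps):
        mid = (lo + hi) / 2
        if predict(blend(x, x_adv, mid)) != true_label:
            hi = mid   # still misclassified: try a smaller perturbation
        else:
            lo = mid   # label restored: the boundary lies further out
    return hi, blend(x, x_adv, hi)

def demo():
    x = [1.0, 0.0, 0.0]      # constructed clean input, label 1
    x_adv = [1.0, 2.0, 0.0]  # constructed misclassified point, label 0
    alpha, refined = binary_search_refine(x, x_adv, true_label=1)
    return alpha, l2(x, x_adv), l2(x, refined), predict(refined)

if __name__ == "__main__":
    print(demo())
```

The refined distance is an upper bound on how far the decision boundary is from the clean input along that one direction, which is the quantity the paper's ℓ2 noise-magnitude comparison reports.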