BO-DBA: Query-Efficient Decision-Based Adversarial Attacks via Bayesian Optimization

Zhuosheng Zhang, Shucheng Yu
DOI: https://doi.org/10.48550/arXiv.2106.02732
2023-01-20
Abstract: Decision-based attacks (DBA), wherein attackers perturb inputs to spoof learning algorithms by observing solely the output labels, are a type of severe adversarial attacks against Deep Neural Networks (DNNs) requiring minimal knowledge of attackers. State-of-the-art DBA attacks relying on zeroth-order gradient estimation require an excessive number of queries. Recently, Bayesian optimization (BO) has shown promise in reducing the number of queries in score-based attacks (SBA), in which attackers need to observe real-valued probability scores as outputs. However, extending BO to the setting of DBA is nontrivial because in DBA only output labels instead of real-valued scores, as needed by BO, are available to attackers. In this paper, we close this gap by proposing an efficient DBA attack, namely BO-DBA. Different from existing approaches, BO-DBA generates adversarial examples by searching so-called *directions of perturbations*. It then formulates the problem as a BO problem that minimizes the real-valued distortion of perturbations. With the optimized perturbation generation process, BO-DBA converges much faster than the state-of-the-art DBA techniques. Experimental results on pre-trained ImageNet classifiers show that BO-DBA converges within 200 queries while the state-of-the-art DBA techniques need over 15,000 queries to achieve the same level of perturbation distortion. BO-DBA also shows similar attack success rates even as compared to BO-based SBA attacks but with less distortion.
Machine Learning, Cryptography and Security
What problem does this paper attempt to address?
The problem this paper attempts to solve is reducing the number of queries required to generate adversarial samples in decision-based attacks (DBA) while maintaining or improving the quality of those samples. Traditional DBA methods need a large number of queries to generate effective adversarial samples, which makes them inefficient and time-consuming in practice. The paper proposes a method based on Bayesian optimization (BO), BO-DBA, which reduces the number of queries by optimizing the perturbation direction and minimizing the distortion of the perturbation, thereby improving the efficiency and effectiveness of the attack.

### Key points:

1. **Background and motivation**:
   - Decision-based attacks (DBA) are a class of attacks on deep neural networks (DNNs) in which the attacker generates adversarial samples only by observing the model's output labels, without knowing the model's structure or parameters.
   - Existing DBA methods usually require thousands of queries to generate effective adversarial samples, which is very inefficient in practice.
   - Bayesian optimization (BO) has shown the potential to reduce the number of queries in score-based attacks (SBA), but applying BO to DBA is challenging because DBA only exposes output labels rather than probability scores.
2. **Method innovation**:
   - A new DBA method, BO-DBA, is proposed. It minimizes the distortion of the perturbation by searching over the perturbation direction and casting that search as a BO problem.
   - Unlike traditional zeroth-order-optimization-based DBA methods, BO-DBA uses Bayesian optimization to optimize the perturbation direction, significantly reducing the number of queries required to generate adversarial samples.
3. **Experimental results**:
   - On a pre-trained ImageNet classifier, BO-DBA converges within 200 queries, while existing DBA techniques require more than 15,000 queries to reach the same perturbation distortion.
   - BO-DBA is not only superior to existing DBA methods in query efficiency but also performs well in attack success rate and perturbation quality, and even exceeds the BO-based SBA method in some respects.

### Formula explanation:

- **Perturbation direction and distance**:

\[ \theta=\frac{S(\delta')}{|S(\delta')|} \]

\[ g'(\delta') = \arg\min_{\Delta>0}(h_b(x_0+\Delta\theta)=1) \]

where \(\theta\) is the normalized perturbation direction and \(g'(\delta')\) is the distance from the input \(x_0\) to the nearest adversarial sample along the direction \(\theta\). Note that \(g'(\delta')\) is real-valued even though the oracle \(h_b\) returns only labels; this is what makes the problem amenable to BO.

- **Optimization problem**:

\[ \min_{\delta'}g'(\delta') \]

The objective of this optimization problem is to find the direction \(\delta'\) that minimizes the perturbation distortion.

### Conclusion:

By introducing Bayesian optimization, the paper addresses the excessive query cost of decision-based attacks and improves the efficiency and quality of adversarial sample generation. The method provides new ideas and tools for future adversarial attack research.
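The reformulation above is the part a robustness evaluator or a query-budget-based defense has to reason about: every evaluation of \(g'(\delta')\) costs a bisection's worth of label queries, and the real-valued distances it returns are what the BO surrogate fits. The following is an added toy example in pure Python, not the paper's code or an attack against any real model. It assumes a constructed linear classifier on \(\mathbb{R}^2\) as the label-only oracle `h_b`, parameterizes the direction \(\theta\) by an angle on a fixed grid, uses a Gaussian-process surrogate with a lower-confidence-bound acquisition (the page does not describe the paper's own surrogate or acquisition), and assigns the search cap as a penalty value to directions that never flip the label (also an assumption). All function names are hypothetical.

```python
import math
import random

# Constructed toy target: a linear classifier on R^2 whose label-only oracle
# reports 1 (the adversarial class) when w.x + b > 0 and 0 otherwise. It plays
# the role of h_b in the paper; a real target would be a DNN behind a query API.
W = (0.8, 0.6)
B = -2.0


def h_b(x):
    """Decision-only oracle: the caller sees the label, never a score."""
    return 1 if W[0] * x[0] + W[1] * x[1] + B > 0 else 0


def boundary_distance(x0, theta, oracle, upper=10.0, tol=1e-3):
    """g'(delta'): smallest Delta > 0 with oracle(x0 + Delta*theta) == 1, found by
    bisection using labels only. Returns (Delta, queries); Delta is math.inf
    when no flip occurs within `upper` (costing a single wasted query)."""
    queries = 0

    def query(d):
        nonlocal queries
        queries += 1
        return oracle(tuple(x0[i] + d * theta[i] for i in range(len(x0))))

    if query(upper) == 0:
        return math.inf, queries
    lo, hi = 0.0, upper            # invariant: label(lo) == 0, label(hi) == 1
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if query(mid) == 1:
            hi = mid
        else:
            lo = mid
    return hi, queries


def rbf(a, b, ls=0.5):
    """RBF kernel on angles, via chord length so that 0 and 2*pi are neighbours."""
    d = 2 * math.sin(abs(a - b) / 2)
    return math.exp(-d * d / (2 * ls * ls))


def solve(A, b):
    """Gauss-Jordan solve of A x = b for a small dense system (no numpy needed)."""
    n = len(b)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(M[r][c]))
        M[c], M[p] = M[p], M[c]
        piv = M[c][c]
        M[c] = [v / piv for v in M[c]]
        for r in range(n):
            if r != c and M[r][c] != 0.0:
                f = M[r][c]
                M[r] = [rv - f * cv for rv, cv in zip(M[r], M[c])]
    return [M[i][n] for i in range(n)]


def gp_posterior(xs, zs, x_new, noise=1e-4):
    """Posterior mean/std at x_new of a zero-mean, unit-amplitude GP with RBF kernel."""
    n = len(xs)
    K = [[rbf(xs[i], xs[j]) + (noise if i == j else 0.0) for j in range(n)]
         for i in range(n)]
    k = [rbf(xi, x_new) for xi in xs]
    mean = sum(ki * ai for ki, ai in zip(k, solve(K, zs)))
    var = 1.0 - sum(ki * vi for ki, vi in zip(k, solve(K, k)))
    return mean, math.sqrt(max(var, 0.0))


def bo_direction_search(x0, oracle, n_init=4, n_iter=20, grid=64,
                        upper=10.0, kappa=2.0, seed=0):
    """BO over the direction angle phi, minimising the real-valued g'(phi).
    Candidates are a fixed grid of angles; acquisition is a lower confidence
    bound (assumption). Returns (best_phi, best_distance, total_label_queries)."""
    rng = random.Random(seed)
    cand = [2 * math.pi * i / grid for i in range(grid)]
    xs, ys, total_queries = [], [], 0

    def evaluate(phi):
        nonlocal total_queries
        d, q = boundary_distance(x0, (math.cos(phi), math.sin(phi)), oracle, upper)
        total_queries += q
        # Non-flipping directions get the cap as a penalty (assumption) so the
        # surrogate always sees a finite real value.
        return upper if d == math.inf else d

    for phi in rng.sample(cand, n_init):
        xs.append(phi)
        ys.append(evaluate(phi))
    for _ in range(n_iter):
        mu = sum(ys) / len(ys)
        sd = math.sqrt(sum((y - mu) ** 2 for y in ys) / len(ys)) or 1.0
        zs = [(y - mu) / sd for y in ys]   # standardise for the unit-amplitude GP
        best_phi, best_lcb = None, math.inf
        for phi in cand:
            if phi in xs:
                continue
            m, s = gp_posterior(xs, zs, phi)
            if m - kappa * s < best_lcb:
                best_lcb, best_phi = m - kappa * s, phi
        xs.append(best_phi)
        ys.append(evaluate(best_phi))
    i = min(range(len(ys)), key=lambda j: ys[j])
    return xs[i], ys[i], total_queries


if __name__ == "__main__":
    phi, dist, q = bo_direction_search((0.0, 0.0), h_b)
    print(f"best angle {phi:.3f} rad, distortion {dist:.3f}, {q} label queries "
          f"(true optimum: angle {math.atan2(0.6, 0.8):.3f}, distance 2.0)")
```

Two things the toy makes visible. First, a single evaluation of \(g'\) costs about \(\log_2(\mathrm{upper}/\mathrm{tol})\) label queries (18 from a cap of 100 at tolerance \(10^{-3}\)), so the total query count of the search is the number of surrogate-guided evaluations times that bisection cost; that product is the budget the paper's "200 queries" figure refers to, and it is also the quantity a per-client query-rate or label-flip monitor on an inference API would observe. Second, because the surrogate only ever sees real-valued distances, the label-only oracle imposes no change on the BO machinery itself, which is exactly the gap the summary says the paper closes.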