Decision-based methods have been shown to be effective in black-box adversarial attacks, as they achieve satisfactory performance while requiring access only to the final model prediction. Gradient estimation is a critical step in black-box adversarial attacks, as it directly affects query efficiency. Recent works have attempted to use gradient priors to help score-based methods obtain better results. However, these gradient priors still suffer from the edge gradient discrepancy issue and the successive iteration gradient direction issue, and are thus difficult to extend directly to decision-based methods. In this paper, we propose a novel Decision-based Black-box Attack framework with Gradient Priors (DBA-GP), which seamlessly integrates the data-dependent gradient prior and the time-dependent prior into the gradient estimation procedure. First, by applying the joint bilateral filter to each random perturbation, DBA-GP can guarantee that the generated perturbations at edge locations are hardly smoothed, i.e., it alleviates the edge gradient discrepancy, thus retaining the characteristics of the original image as much as possible. Second, by using a new gradient updating strategy to automatically adjust the successive iteration gradient direction, DBA-GP can accelerate convergence, thus improving query efficiency. Extensive experiments have demonstrated that the proposed method significantly outperforms other strong baselines.