GSBA$^K$: $top$-$K$ Geometric Score-based Black-box Attack

We sincerely appreciate for your thoughtful comments. Below, we provide responses to each of the points raised.

C1. Ablation study and experiments in the Appendix provide valuable insights, the paper lacks of theoretical analysis.

Thank you for recognizing the value of our ablation study and experiments presented in the Appendix. We acknowledge that our paper lacks a theoretical analysis of gradient estimation for $top$-$K$ attacks. However, we would like to emphasize that our work is the first to propose $top$-$K$ untargeted and targeted attacks in the challenging black-box setting. Through comprehensive experiments, we demonstrate the effectiveness of our proposed gradient estimation approach in guiding $top$-$K$ attacks. Furthermore, as you noted, the ablation study and the experiments presented in Appendix offer significant insights into the rationale behind our gradient estimation choices. While we agree that a theoretical analysis in the $top$-$K$ setting is important, it presents substantial challenges and is left for future exploration.

C2. How does the ASR of GSBA$^K$ compare to QuadAttacK?

The QuadAttack is a white-box attack that assumes full access to the target model for crafting adversarial examples. In contrast, our proposed method, GSBA$^K$, operates as a black-box attack, relying solely on querying the target model for class-wise prediction probabilities. Since these two approaches fundamentally differ in their assumptions and access levels, a direct comparison is not meaningful. Nevertheless, having the access to the target model, QuadAttacK is expected to outperform our black-box approach.

C3. The notation $\zeta_{\mathbf x_{b_n}, c, \mathbf z_i}$ is not clear. Why $\mathbf x_{b_n}, c, \mathbf z_i$ appear in the subscript?

We appreciate your question for clarification regarding the notation $\zeta_{\mathbf x_{b_n}, c, \mathbf z_i}$. This notation is used to describe the impact of querying a boundary point $\mathbf x_{b_n}$ with added noise $\mathbf z_i$ on a specific target class $c \in \mathcal{Y}_K^{(t)}$.

Specifically:

• $\zeta_{\mathbf x_{b_n}, c, \mathbf z_i} = 1$ indicates that the query $\mathbf x_{b_n} + \mathbf z_i$ either (1) results in an adversarial query that increases the confidence for the target class $c$, or (2) is non-adversarial and decreases the confidence for $c$.

• $\zeta_{\mathbf x_{b_n}, c, \mathbf z_i} = 0$ indicates the opposite: either the query is adversarial but decreases the confidence for $c$, or it is non-adversarial while increasing the confidence for $c$.

The subscripts $\mathbf x_{b_n}, c, \mathbf z_i$ are included in the notation to concisely capture the relationship between the boundary point $\mathbf x_{b_n}$, the added noise $\mathbf z_i$, and the target class $c$. This shorthand allows us to efficiently represent the impact of the perturbed query $\mathbf x_{b_n} + \mathbf z_i$ on the confidence for the target class $c$. We hope that our explanation helps dispel the confusion; however, if you have a better suggestion on the notations and writing, we will appreciate if you let us know.

Q1. How the proposed gradient estimation consistently points towards the narrow adversarial region corresponding to the $K$ target classes?

The proposed gradient estimation within the non-adversarial region helps to find the narrow targeted adversarial region by iteratively estimating gradient and moving the benign input image towards the estimated gradient direction. The goal of the adversary is to estimate gradient direction that maximizes the minimum confidence among the $K$ target classes. This is achieved using Eq. (12), which estimates the gradient leveraging the decision function $\phi_{\mathbf x'\_{b_0}}(\mathbf z_i)$ from Eq. (10). This indicator function indicates whether the query $\mathbf x'_{b_0} + \mathbf z_i$ increases the minimum confidence among the target classes.

For improved gradient estimation, Eq. (12) assigns weights to $\mathbf z_i$ based on their impact on each of the target classes. For instance, consider the prediction probabilities with the target classes from the target classifier for $\mathbf x'_{b_0}$ as $\lbrace..., 0.12,0.13,0.1,...\rbrace$. Assume, $\mathbf z_1$ changes the prediction probabilities of the target classes as $\lbrace..., 0.13,0.14,0.11,...\rbrace$, while $\mathbf z_2$ modifies these to $\lbrace..., 0.11,0.12,0.11,...\rbrace$.

While both $\mathbf z_1$ and $\mathbf z_2$ enhance the minimum confidence among the target classes (i.e., $\phi_{\mathbf x'_{b_0}}(\mathbf z_i)=1$ for both), $\mathbf z_1$ has a greater impact as it improves confidence across all target classes.

According to Eq. (12), the weight associated with a $\mathbf z_i$, for a query $\mathbf x'\_{b_0} + \mathbf z_i$ in the non-adversarial region, in estimating gradient is $\big( \sum_{c\in \mathcal{Y}_K^{(t)}} \chi\_{x'\_{b_0}, c, \mathbf z_i } \big)$ $\big( \sum\_{c\in \mathcal{Y}_K^{(t)}} w\_{x'\_{b_0}, c, \mathbf z_i } \chi\_{x'\_{b_0}, c, \mathbf z_i } \big)$.

For these examples, form Eq. (11), $\lbrace\chi\_{\mathbf x'\_{b_0}, c, \mathbf z_1}\rbrace_{c=1}^C = \lbrace..., 1,1,1,...\rbrace$ and $\lbrace\chi\_{\mathbf x'\_{b_0}, c, \mathbf z_2}\rbrace_{c=1}^C = \lbrace..., 0,0,1,...\rbrace$, while $\sum\_{c\in \mathcal{Y}_K^{(t)}} w\_{x'\_{b_0}, c, \mathbf z_i } \chi\_{x'\_{b_0}, c, \mathbf z_1 } = 0.3$ and $\sum\_{c\in \mathcal{Y}_K^{(t)}} w\_{x'\_{b_0}, c, \mathbf z_i } \chi\_{x'\_{b_0}, c, \mathbf z_2 } = 0.1$. Consequently, while the weight associated with $\mathbf z_1$ is $3\*0.3$, and it is with $\mathbf z_2$ is $1\*0.1$. Hence, our proposed method estimate better gradient direction towards the targeted adversarial region by weighing $\mathbf z_i$ according to its impact on the number of target classes. By iteratively finding the direction that enhances the minimum confidence among the target classes along with increasing the confidence of all the target classes, our proposed method effectively finds the narrow adversarial region.

Q2. Why there are two versions of gradient estimation?

We appreciate you to seeking a simplified overview explaining why there are two versions of gradient estimation. As the type of queries around a decision boundary point is different than the queries inside the non-adversarial region, we choose two different versions of gradient estimation. In case of the queries around the decision boundary point, the queries can be either in adversarial region or non-adversarial region. In gradient estimation on the decision boundary, this information plays an important role. However, when we estimate the gradient inside the non-adversarial region, targeting the adversarial region, all the queries fall within the non-adversarial region. Thus, for the targeted attack, for example, we use a different decision function, as in Eq. (10), that split the image space into two regions: $\phi_{\mathbf x'\_{b_0}}(\mathbf z_i)=1$ indicates the region of queries that ensure increased in the minimum confidence among the target class and $\phi_{\mathbf x'\_{b_0}}(\mathbf z_i)=-1$ indicates the rest of the image space. As the decision function in estimating the gradient on the boundary point and the decision function in estimating the gradient within the non-adversarial region are different, we use two different versions of gradient estimations.

Thank you for your question. Yes, our $top$-$K$ targeted adversarial attack crafts adversarial examples by changing the $top$-$K$ predictions of benign images with a predefined set of target labels regardless of the order of the target labels. The attack is considered successful if the $top$-$K$ predictions of perturbed images contain all the target labels. For more details on benign inputs and corresponding various $top$-$K$ adversarial examples, please refer to Appendix G of our original submission. That said, preserving the order of target labels within the top-K predictions in a black-box setting is a more challenging task and represents an interesting avenue for future research.

We sincerely apologize for the typo in our previous explanation. You are correct in pointing out the issue with the provided examples. Specifically: $\lbrace\chi\_{\mathbf x'\_{b_0}, c, \mathbf z_1}\rbrace_{c=1}^C = \lbrace..., 1,1,1,...\rbrace$ and $\lbrace\chi\_{\mathbf x'\_{b_0}, c, \mathbf z_2}\rbrace_{c=1}^C = \lbrace..., 0,0,1,...\rbrace$. We have revised and corrected our response to address this error. Please let us know if you have any additional concerns.

As the discussion period has been extended, I revisited this paper and found that there is no substantial difference between the proposed $GSBA^K$ and CGBA, except for the top-K setting. Therefore, the novelty appears to be limited. Specifically, Algorithm 1 in this paper closely resembles that of CGBA: both utilize the same query number for gradient estimation, adopt a similar binary search approach, and employ the same method for identifying the boundary point on the semicircular path. Could you clarify the key differences between the two methods?

Thank you for highlighting the strengths of our paper and providing constructive feedbacks. As suggested, we will revise the manuscript to avoid lengthy expressions, improving clarity and readability in the revised version. Below, we address your questions in detail.

Q1. Do you have an explanation of the observation $\zeta_{\mathbf x_{b_n}, c, \mathbf z_i} = \zeta_{\mathbf x_{b_n}, c, -\mathbf z_i}$?

Thank you for asking an explanation of the observation $\zeta_{\mathbf x_{b_n}, c, \mathbf z_i} = \zeta_{\mathbf x_{b_n}, c, -\mathbf z_i}$. Recall that for a target class $c \in \mathcal{Y}_K^{(t)}$, the indicator function,

$\zeta\_{\mathbf x_{b_n}, c, \mathbf z_i} = 1$ indicates that the query $\mathcal x_{b_n} + \mathcal z_i$, near the boundary point $\mathcal x_{b_n}$, is adversarial with an increased confidence in the target class $c$ or the query $\mathcal x_{b_n} + \mathcal z_i$ is non-adversarial with a decreased confidence in $c$. Moreover, the claim $\zeta_{\mathcal x_{b_n}, c, \mathcal z_i} = \zeta_{\mathcal x_{b_n}, c, -\mathcal z_i}$ demonstrates that if the query $\mathcal x_{b_n} + \mathcal z_i$ is adversarial and increases confidence in $c$, the query with inverting $\mathbf z_i$, i.e., $\mathbf x_{b_n} - \mathbf z_i$, will be non-adversarial with decreased confidence in $c$ with a very high probability, and vice versa. This intuition arises from the observation that if an added vector/noise $\mathbf z_i$ with a point $\mathbf x$ in image space increases the confidence on a particular class $c$, i.e., $P_c(\mathbf x+\mathbf z_i) - P_c(\mathbf x)>0$, subtracting $\mathbf z_i$ from $\mathbf x$ is likely to decrease the confidence on class $c$, i.e., $P_c(\mathbf x-\mathbf z_i) - P_c(\mathbf x)<0$. Additionally, it is highly probable that queries around a boundary point $\mathbf x_{b_n}$ admit $\mathbf{1}(\mathbf x_{b_n}+\mathbf z_i) = -\mathbf{1}(\mathbf x_{b_n}-\mathbf z_i)$, which indicates that for a query $\mathbf x_{b_n}+\mathbf z_i$, $\mathbf{1}(\mathbf x_{b_n}+\mathbf z_i)=1 \implies \mathbf{1}(\mathbf x_{b_n}-\mathbf z_i)=-1$, and vice versa. Intuitively, for a boundary point, if we know that moving in a given direction will result in entering the adversarial region, taking the opposite direction will likely have the opposite effect for most boundary types. To justify this intuition, we sample 1,000 noises from the Gaussian distribution and estimate the probability of $\mathbf{1}(\mathbf x_{b_n}+\mathbf z_i) = -\mathbf{1}(\mathbf x_{b_n}-\mathbf z_i)$ using the following equation:

$\Pr (\mathbf{1}(\mathbf x_{b_n}+\mathbf z_i) = - \mathbf{1}(\mathbf x_{b_n}-\mathbf z_i)) = {1 \over 1000} {\sum\_{i=1}^{1000}} \mathbf{\bar 1} (\mathbf{1}( \mathbf x\_{b_n} +\mathbf z_i) = - \mathbf{1}( \mathbf x\_{b_n} -\mathbf z_i))$

where $\mathbf{\bar 1}()$ return 1 if $\mathbf{1}(\mathbf x_{b_n}+\mathbf z_i) = -\mathbf{1}(\mathbf x_{b_n}-\mathbf z_i)$ satisfies, 0 otherwise, and $\mathbf z_i \sim \mathcal{N}(0, \sigma^2)$. The experimental results for different $top$-$K$ targeted attack settings are given below that demonstrates that more than 98% times $\mathbf{1}(\mathbf x_{b_n}+\mathbf z_i) = -\mathbf{1}(\mathbf x_{b_n}-\mathbf z_i)$ satisfies.

Likewise, to justify this claim $\zeta_{\mathbf x_{b_n}, c, \mathbf z_i} = \zeta_{\mathbf x_{b_n}, c, -\mathbf z_i}$, we sample 1,000 noises from the Gaussian distribution and estimate the probability of $\zeta_{\mathbf x_{b_0}, c, \mathbf z_i} = \zeta_{\mathbf x_{b_0}, c, -\mathbf z_i}$ using the following equation:

$\Pr (\zeta_{\mathbf x_{b_0}, c, \mathbf z_i} = \zeta_{\mathbf x_{b_0}, c, -\mathbf z_i}) = {1 \over 1000 \cdot |\mathcal{Y}_K^{(t)}|} {\sum\_{i=1}^{1000}} {\sum\_{c \in \mathcal{Y}_K^{(t)}}} \mathbf{\underline 1} (\zeta\_{\mathbf x\_{b_0}, c, \mathbf z_i} = \zeta\_{\mathbf x\_{b_0}, c, -\mathbf z_i})$

where $\mathbf{\underline 1}()$ return 1 if $\zeta_{\mathbf x_{b_0}, c, \mathbf z_i} = \zeta_{\mathbf x_{b_0}, c, -\mathbf z_i}$ satisfies, 0 otherwise. The experimental results for different $top$-$K$ targeted attack settings are given below that demonstrates that about 97% time $\zeta_{\mathbf x_{b_0}, c, \mathbf z_i} = \zeta_{\mathbf x_{b_0}, c, -\mathbf z_i}$ satisfies.

Table 1: Experimental results to demonstrate the probability of $\mathbf{1}(\mathbf x_{b_n} + \mathbf z_i) = -\mathbf{1}(\mathbf x_{b_n} - \mathbf z_i)$ and $\zeta_{\mathbf x_{b_0}, c, \mathbf z_i} = \zeta_{\mathbf x_{b_0}, c, -\mathbf z_i}$.

Q2.1. What would be the impact of larger $K$ on ASR?

In response to your query, we conduct attacks with higher values of $K$ to evaluate its impact on ASR. As shown in Table 2, we report the ASR against ResNet50 for targeted attacks, where the $top$-$K$ predicted labels are replaced by the target classes. Table 3 presents the ASR for untargeted attacks on 100 ImageNet images, where the $top$-$K$ predicted labels of benign inputs are replaced by arbitrary labels. Furthermore, Table 4 illustrates the ASR variation for attacks on Inception-V3 using 100 images from the PASCAL VOC2012 dataset. From these results, we observe that ASR decreases as $K$ increases, with a sharper decline for targeted attacks. This trend suggests that the proposed black-box attack, which lacks knowledge of the target model, becomes ineffective as $K$ approaches the extreme of $K = N/2$ under the perturbation constraint.

Table 2: ASR against ResNet50 on 100 ImageNet images for different $top$-$K$ targeted attack with a perturbation threshold $r_{th}=20$.

Table 3: ASR(%) against ResNet50 on 100 ImageNet images for different $top$-$K$ untargeted attack with a perturbation threshold $r_{th}=20$, where the $top$-$K$ predicted label of the source images are replaced by the any $K$ labels among the rest.

Table 4: ASR(%) against Inception-V3 on 100 PASCAL VOC images for different $top$-$K$ targeted attack considering best target classes with a perturbation threshold $r_{th}=20$.

Q2.2. What is the number of classes in each dataset?

For our experiments, we utilize two datasets: ImageNet, which contains 1,000 classes, and PASCAL VOC 2012, which includes 20 classes. We will specify this more clearly in our revised version.

We sincerely appreciate your thorough review and the many insightful comments you provided. We will incorporate your suggestion to present Section 4.2 before Section 4.1 and discuss relevant papers in our revised version. Below, we address your comments in detail.

C1. Are there any concrete evidence for the claim $\zeta_{\mathbf x_{b_n}, c, \mathbf z_i} = \zeta_{\mathbf x_{b_n}, c, -\mathbf z_i}$?

We appreciate you for seeking evidence for the claim $\zeta_{\mathbf x_{b_n}, c, \mathbf z_i} = \zeta_{\mathbf x_{b_n}, c, -\mathbf z_i}$. As we mentioned that experimentally, with a high probability, it is observed that $\zeta_{\mathbf x_{b_n}, c, \mathbf z_i} = \zeta_{\mathbf x_{b_n}, c, -\mathbf z_i}$, we provide some experimental evidences for the claim. Recall that for a target class $c \in \mathcal{Y}_K^{(t)}$, the indicator function,

$\zeta\_{\mathbf x_{b_n}, c, \mathbf z_i} = 1$ indicates that the query $\mathcal x_{b_n} + \mathcal z_i$, near the boundary point $\mathcal x_{b_n}$, is adversarial with an increased confidence in the target class $c$ or the query $\mathcal x_{b_n} + \mathcal z_i$ is non-adversarial with a decreased confidence in $c$. Moreover, the claim $\zeta_{\mathcal x_{b_n}, c, \mathcal z_i} = \zeta_{\mathcal x_{b_n}, c, -\mathcal z_i}$ demonstrates that if the query $\mathcal x_{b_n} + \mathcal z_i$ is adversarial and increases confidence in $c$, the query with inverting $\mathbf z_i$, i.e., $\mathbf x_{b_n} - \mathbf z_i$, will be non-adversarial with decreased confidence in $c$ with a very high probability, and vice versa. To justify the claim $\zeta_{\mathbf x_{b_n}, c, \mathbf z_i} = \zeta_{\mathbf x_{b_n}, c, -\mathbf z_i}$, we sample 1,000 noises from the Gaussian distribution and estimate the probability of $\zeta_{\mathbf x_{b_0}, c, \mathbf z_i} = \zeta_{\mathbf x_{b_0}, c, -\mathbf z_i}$ using the following equation:

$\Pr (\zeta_{\mathbf x_{b_0}, c, \mathbf z_i} = \zeta_{\mathbf x_{b_0}, c, -\mathbf z_i}) = {1 \over 1000 \cdot |\mathcal{Y}_K^{(t)}|} {\sum\_{i=1}^{1000}} {\sum\_{c \in \mathcal{Y}_K^{(t)}}} \mathbf{\underline 1} (\zeta\_{\mathbf x\_{b_0}, c, \mathbf z_i} = \zeta\_{\mathbf x\_{b_0}, c, -\mathbf z_i})$

where $\mathbf{\underline 1}()$ return 1 if $\zeta_{\mathbf x_{b_0}, c, \mathbf z_i} = \zeta_{\mathbf x_{b_0}, c, -\mathbf z_i}$ satisfies, 0 otherwise. The experimental results for different $top$-$K$ targeted attack settings are given below that demonstrates that about 97% time $\zeta_{\mathbf x_{b_0}, c, \mathbf z_i} = \zeta_{\mathbf x_{b_0}, c, -\mathbf z_i}$ satisfies.

Table 1: Experimental results to demonstrate the probability of $\zeta_{\mathbf x_{b_0}, c, \mathbf z_i} = \zeta_{\mathbf x_{b_0}, c, -\mathbf z_i}$.

C2. Would it be better if we replace Eq. (5) with relative change, i.e., $w_{\mathbf x_{b_n}, c, \mathbf z_i} = \big(P_c(\mathbf x_{b_n}+\mathbf z_i) - P_c(\mathbf x_{b_n})\big)/P_c(\mathbf x_{b_n})?$

Thanks for suggesting that the relative change might work better. To observe whether the suggesting change works better or not, we compare it with our proposed method under the same setting as used in depicting Fig. 7 in Appendix. The obtained $\ell_2$-norm of perturbation of 100 images against ResNet50 for targeted attack with different query budgets is given in the following table. From this table, our proposed method still performs better than the suggested change in most of the cases.

Table 2: Mean $\ell_2$-norm of perturbation of the proposed method and proposed method by considering relative change.

Q3. For DCT, what percentage of low frequency components were selected? How does the performance vary with a different number of components?

For an image with dimension $C_h\times W \times H$ and with a dimension reduction factor $f$ to sample low-frequency noise, the dimension of the low frequency noise, we consider, is $C_h\times \frac{W}{f} \times \frac{H}{f}$. Hence, if the dimension of an image is $3 \times 224 \times 224$, the dimension of the low frequency space with dimension reduction factor $f=4$ would be 9408. This corresponds to selecting 6.25% of the frequency components for our experiments. We choose dimension reduction factor as $f=4$ for all our experiments following [1,2]. The median $\ell_2$-norm of perturbations for different query budgets and different dimension reduction factor for targeted $top$-2 attack on 100 images are given bellow that conforms with the finding in [1] even for $top$-2 attacks.

Table 7: Median $\ell_2$-norm of perturbations (lower is better) for different query budgets and different dimension reduction factors for targeted attack on 100 ImageNet images against ResNet50.

[1] Reza, Md Farhamdur, et al. ”Cgba: curvature-aware geometric black-box attack.” Proceedings of the IEEE/CVF International Conference on Computer Vision. 2023.

[2] Li, Huichen, et al. "Qeba: Query-efficient boundary-based blackbox attack." Proceedings of the IEEE/CVF conference on computer vision and pattern recognition. 2020.

Q4. Is there any any correlation of the prediction among the classes?

You have rightly pointed out that labels are often correlated, and the attack success rate (ASR) can vary depending on the target class. As shown in Table 2 of the paper, we observe a higher ASR for $top$-$2$ targeted attacks when using the best target samples. However, when comparing ASR between randomly chosen targets and the worst targets (i.e., the two classes with the lowest prediction probabilities), the ASR is actually higher for the worst targets in the top-2 targeted attack scenario. One possible explanation is that the worst target classes, having similar prediction probabilities, may be closer to each other in the feature space. As a result, increasing the confidence for one target class may inadvertently boost the confidence for its neighbor, leading to a higher ASR. In contrast, randomly chosen target classes are less likely to be correlated and might lie farther apart in the feature space, making them harder to attack.

C6, Q1. What would be the impact of larger $K$ on ASR?

In response to your query, we conduct attacks with higher values of $K$ to evaluate its impact on ASR. As shown in Table 4, we report the ASR against ResNet50 for targeted attacks, where the $top$-$K$ predicted labels are replaced by the target classes. Table 5 presents the ASR for untargeted attacks on 100 ImageNet images, where the $top$-$K$ predicted labels of benign inputs are replaced by arbitrary labels. Furthermore, Table 6 illustrates the ASR variation for attacks on Inception-V3 using 100 images from the PASCAL VOC2012 dataset. From these results, we observe that ASR decreases as $K$ increases, with a sharper decline for targeted attacks. This trend suggests that the proposed black-box attack, which lacks knowledge of the target model, becomes ineffective as $K$ approaches the extreme of $K = N/2$ under the perturbation constraint, where $N$ is the number of labels in the dataset. Given that the ImageNet dataset includes 1,000 classification labels, we anticipate observing a similar trend in attacking models trained on the OpenImages dataset, given the comparable scale and diversity of their label distributions.

Table 4: ASR against ResNet50 on 100 ImageNet images for different $top$-$K$ targeted attack with a perturbation threshold $r_{th}=20$.

Table 5: ASR(%) against ResNet50 on 100 ImageNet images for different $top$-$K$ untargeted attack with a perturbation threshold $r_{th}=20$, where the $top$-$K$ predicted label of the source images are replaced by the any $K$ labels among the rest.

Table 6: ASR(%) against Inception-V3 on 100 PASCAL VOC images for different $top$-$K$ targeted attack considering best target classes with a perturbation threshold $r_{th}=20$.

Q2. How the target labels are selected for targeted attack setting for ImageNet experiments?

In the ImageNet experiments, the $K$ target labels for a benign input image are determined as follows: we randomly select a target image whose true label differs from that of the benign input image. The $top$-$K$ target labels are then set as the $top$-$K$ predicted labels of the selected target image. In the main paper, we briefly discuss it in lines 455-457.

C3. Does Eq. (12) weigh two directions/vectors equally even if one would overall hurt the performance of majority of classes as compared to the other?

Thanks for deeply thinking about the proposed method by considering some numerical values of probabilities to justify the effectiveness of the proposed method. Recall that in Eq. (12), the weight associated with a $\mathbf z_i$, for a query $\mathbf x'_{b_0} + \mathbf z_i$ in the non-adversarial region,

in estimating gradient is $\big( \sum_{c\in \mathcal{Y}_K^{(t)}} \chi\_{x'\_{b_0}, c, \mathbf z_i } \big)$ $\big( \sum\_{c\in \mathcal{Y}_K^{(t)}} w\_{x'\_{b_0}, c, \mathbf z_i } \chi\_{x'\_{b_0}, c, \mathbf z_i } \big)$.

For the given examples, form Eq. (11), $\lbrace\chi\_{\mathbf x'\_{b_0}, c, \mathbf z_1}\rbrace_{c=1}^C = \lbrace..., 0,0,1,...\rbrace$ and $\lbrace\chi\_{\mathbf x'\_{b_0}, c, \mathbf z_2}\rbrace_{c=1}^C = \lbrace..., 1,1,1,...\rbrace$, while $\sum\_{c\in \mathcal{Y}_K^{(t)}} w\_{x'\_{b_0}, c, \mathbf z_i } \chi\_{x'\_{b_0}, c, \mathbf z_1 } = 0.3$ and $\sum\_{c\in \mathcal{Y}_K^{(t)}} w\_{x'\_{b_0}, c, \mathbf z_i } \chi\_{x'\_{b_0}, c, \mathbf z_2 } = 0.3$. Consequently, while the weight associated with $\mathbf z_1$ is $1\*0.3$, and it is $3\*0.3$ for $\mathbf z_2$. Hence, we can conclude that our method weigh more that enhances predictions on more target classes and vice versa.

C4. Does finding the next boundary point require a larger change in the prediction probability?

Finding the next boundary point mainly depends on how accurately the gradient on the boundary point is estimated. To achieve this, the weight of a noise $\mathbf z_i$ is determined by evaluating its impact on the number of target classes when applied to the query $\mathbf x_{b_n} + \mathbf z_i$. As described in Eq. (7), gradient estimation at the boundary point $\mathbf x_{b_n}$ involves assigning weights based on the query's impact on the number of target classes (via Eq. (6)) and aggregating the changes in prediction probabilities for these classes using Eq. (5). In essence, both the change in prediction probabilities and the number of target classes positively affected by $\mathbf z_i$ play a significant role. Therefore, it is not accurate to assert that a larger change in prediction probability is always required to locate the next boundary point. Nevertheless, we are not sure if we fully understand the points you raised. Please further clarify if applicable, and we will be happy to further address the remaining concerns.

C5, Q2. How many random experiments are performed for the random target class setting in the experiments with PASCAL VOC2012 images? Is there any influence of choosing specific target classes on the performance?

In demonstrating Table 2 in the main paper, we take 100 samples and randomly choose the target labels. Then for a given perturbation threshold $r_{th}$ and query budget, we determine the ASR as in Table 2 in the main paper. As you suggested, we perform additional three experiments by changing the random seed and obtain the mean and standard deviation of ASR for $K=2$. The results are demonstrated in the following table. From this table, there are some deviation as the attack success largely depends on the target classes that are chosen for attack. We will add this result and relevant discussion in the revision.

Table 3: Mean $\pm$ Std Dev of ASR for 100 VOC images with two true label for $top$-$2$ targeted attack setting for four experiments. The target classes are chosen randomly.

According to the Table 2 in the main paper, the attack success rate largely depends on the target classes we choose. If the target classes are the best class, the classes with highest confidence among the classes other than the true labels, it is easier to attack than the randomly chosen target or worst target classes.

Dear reviewer LM2j,

Thank you for your time and valuable feedback on our paper. In our response, we have carefully addressed all of your comments and questions. Please let us know if you require further clarification. We appreciate your insights and look forward to your continued feedback.

Thank you to the authors for their detailed responses. While most of my concerns have been addressed, some questions remain, as noted in my responses. One key limitation is that targeting larger target sizes (K) leads to significantly lower success rates (as shown in response to C6). Clearly highlighting this limitation would help motivate future work in this area.

Response to C4:

Assume that we have an initial point $x_s$ and using the given algorithm, we can compute a point $x_{b_n}$ on the decision boundary. Assume that we are considering top-3 targeted attack and we have the following predicted probabilities by the model:

$P(x_{b_n}) = [0.3, 0.3, 0.3, 0.01,….]$

To find the subsequent boundary point $x_{b_{n+1}}$, Eq (11) (in the revised version) requires that the next boundary point that we try to find, should have increased confidence in the target classes. This is because of the weight: $w_{x_{b_n}, c, z_i} = P_c(x_{b_n}+z_i) - P_c(x_{b_n}) >0$

At the boundary point $x_{b_n}$, assume that now we find a vector $z_i$ such that $\\|x_{b_n} +z_i - x_s\\|\_2 < \\|x_{b_n} - x_s\\|\_2$ i.e., the new boundary point based on $z_i$ has smaller L2 distortion as compared to the initial point found on the boundary. Assume that the model predicts the class probabilities as:

$P(x_{b_n} + z_i) = [0.28, 0.28, 0.28, 0.016,….]$

Note that $(x_{b_n} + z_i)$ still leads to a successful attack as the top-3 classes are our desired classes but with lower confidence as compared to $x_{b_n}$. However, using Eq (11), $\mathbb{1}(x_{b_n} + z_i) = 1$ and the weights $w_{x_{b_n}, c, z_i}$ would all be -1 for the target classes. Hence, $\zeta_{x_{b_n},c,z_i} = 0$ for all target classes and therefore $z_i$ would not contribute to compute the gradient in Eq(12).

I strongly think that this is the key reason that the proposed method doesn't perform well for small L2 norms and it would be great if it is actually addressed or talked about in the paper.

Response to C6 - Q1 and Q3:

Please mention this in the main paper and include these results in the appendix to make the limitations clear. For Q3, please include the attack success rates as well.

Thank you for your insightful comments and valuable suggestions. As recommended, we will reorder the sections, presenting Section 4.2 before Section 4.1 in the revised version. Below, we provide detailed responses to the questions you raised.

Q1. Does reweighing the sampled points to form a more accurate gradient estimation require more sampled points?

You correctly pointed out that our proposed gradient estimation technique, as described in Eq. (7), filters out certain sample points during gradient estimation, even when these points are assigned non-zero weights. However, our method specifically filters out anomalous sample points—those are adversarial yet exhibit a reduction in the confidence of all target classes, or vice versa.

The benefits of excluding such anomalous queries are demonstrated in Fig. 7 in the Appendix. Filtering out these queries significantly enhances performance. For example, when comparing Approach 1 and Approach 6 in the top-1 setting, where the weights associated with $\mathbf z_i$ are $\lbrace -1,1\rbrace$ for Approach 1 and $\lbrace-1,0,1\rbrace$ for Approach 6, the latter shows notable improvement by assigning a weight of 0 to anomalous queries, as illustrated in Fig. 7(a). This highlights that excluding anomalous queries mitigates their negative impact on gradient estimation, thereby improving overall performance.

Regarding the need for more sample points, our proposed method maintains a fixed number of queries for gradient estimation, irrespective of the presence of anomalous queries. Therefore, the approach does not consider additional samples when it filters out any. In other words, this reweighing approach effectively improves the quality of gradient estimation without the need to increase the number of queries.

Q2. Why is the number of query points set to $\lfloor I_0\sqrt{n+1} \rfloor$ ?

Consistent with existing geometric decision-based black-box attack methods [1, 2], we set the number of queries at the $n$-th iteration to $\lfloor {I_0\sqrt{n+1}} \rfloor$. These approaches incrementally increase the number of queries with each iteration to enable more accurate gradient estimation. By improving the gradient estimation, these methods effectively identify better directions to further reduce the perturbation magnitude.

[1] Chen, Jianbo, Michael I. Jordan, and Martin J. Wainwright. "Hopskipjumpattack: A query-efficient decision-based attack." 2020 ieee symposium on security and privacy (sp). IEEE, 2020.

[2] Reza, Md Farhamdur, et al. "Cgba: curvature-aware geometric black-box attack." Proceedings of the IEEE/CVF International Conference on Computer Vision. 2023.

Dear reviewer 8mHS,

Thank you for your time and valuable feedback on our paper. In our response, we have carefully addressed all of your comments and questions. Please let us know if you require further clarification. We appreciate your insights and look forward to your continued feedback.