A geometry-inspired decision-based attack

Deep neural networks have recently achieved tremen-dous success in image classification. Recent studies havehowever shown that they are easily misled into incorrectclassification decisions by adversarial examples. Adver-saries can even craft attacks by querying the model in black-box settings, where no information about the model is re-leased except its final decision. Such decision-based at-tacks usually require lots of queries, while real-world imagerecognition systems might actually restrict the number ofqueries. In this paper, we propose qFool, a novel decision-based attack algorithm that can generate adversarial exam-ples using a small number of queries. The qFool method candrastically reduce the number of queries compared to pre-vious decision-based attacks while reaching the same qual-ity of adversarial examples. We also enhance our methodby constraining adversarial perturbations in low-frequencysubspace, which can make qFool even more computation-ally efficient. Altogether, we manage to fool commercialimage recognition systems with a small number of queries,which demonstrates the actual effectiveness of our new al-gorithm in practice.