Towards Consistent and Efficient Decision-based Attacks

Henning Duwe, Holger Hoos, Anna Münz; Proceedings of the IEEE/CVF Winter Conference on Applications of Computer Vision (WACV) Workshops, 2026, pp. 212-221

Deep neural networks have revolutionised computer vision with their powerful capabilities. However, they remain vulnerable to adversarial attacks, which seek to find small perturbations to input images that mislead them into making incorrect predictions. Traditional attacks often rely on gradient information, which is typically unavailable to attackers in real-world scenarios. To address this, black-box adversarial attacks have been developed that do not depend on full access to the network. In this study, we focused on the most challenging black-box setting, decision-based attacks, where the target model only returns output labels. While previous approaches for this setting exist, they either perform inconsistently across different networks, or are resource-intensive concerning running time. To address this, we developed a variant of the Covariance Matrix Adaptation Evolutionary Strategy (CMA-ES) with a selective query approach that enables optimisation for 80% more generations with the same query budget. Furthermore, we utilised state-of-the-art automated algorithm configuration techniques to optimise our attack and achieve a success rate of 100% using an initial search strategy. We compared our novel Decision-based Attack via CMA-ES (DACES) against various well-known attacks, demonstrating the best average performance in creating minimal adversarial perturbations across several network architectures for ImageNet and CIFAR-100. Notably, DACES is more than three times as fast with respect to running time than any other attack on ImageNet, making it particularly applicable to real-world settings.