Query-limited black-box attacks to classifiers

In this paper, we study black-box attacks on machine learning classifiers where the adversary has a limited opportunity to interact with the model via queries. Queries to the machine learning model are expensive for the adversary, because each query poses some risk of detection, and attackers pay a service per query. Previous works in black-box attack did report the query number used in their attack procedure, however, none of these works explicitly set minimizing query number as a major objective. Specifically, we consider the problem of attacking machine learning classifiers subject to budget of feature modification cost with minimum number of queries where each query returns only a class and confidence score. We found that the number of queries can be reduced to around 30% of the random modification on average, and even less (< 10%) when feature modification cost budget is small.