Random transformations to improve mitigation of query-based black-box attacks

Ziad Tariq Muhammad Ali, R. Muhammad Atif Azad, Muhammad Ajmal Azad, James Holyhead, Iain Rice, Ali Shariq Imran

Published: 01 Mar 2025, Last Modified: 12 Nov 2025 | Expert Systems with Applications | CC BY-SA 4.0
Abstract: Highlights

• Proposed randomised transformations outperformed the best-known randomised defences against state-of-the-art black-box adversarial attack.
• Randomised transformations are shown to be more effective at mitigating query-based black-box attacks than noise-based defences.
• The experiments are conducted on three popular computer vision datasets using adversarially trained models.
• The defences are tested under an exceptionally strong adversary with up to a 500,000 query budget.
• Proposed randomised transformations can also blunt high-confidence adversarial examples.