Inferensys

Glossary

Boundary Attack

A decision-based black-box adversarial attack that starts from a large adversarial perturbation and iteratively reduces its magnitude while staying on the adversarial side of the decision boundary.
Stylish WeWork-like workspace with hot desks and document wall, professional searching through enterprise knowledge base on a mounted ultrawide display, warm industrial pendants overhead.
DECISION-BASED ADVERSARIAL ATTACK

What is Boundary Attack?

A boundary attack is a black-box adversarial technique that operates solely on the final decision of a target model, starting from a large perturbation and iteratively reducing its magnitude while remaining on the adversarial side of the decision boundary.

A boundary attack is a decision-based black-box adversarial attack that requires only the hard-label output of a model. Unlike gradient-based methods, it does not rely on confidence scores or model internals. The attack initializes with a sample already classified as adversarial—often a large, random perturbation—and then performs a random walk along the decision boundary. It iteratively proposes small steps toward the original target input, accepting moves that keep the sample adversarial while reducing the L2 distance to the original, effectively finding the minimal perturbation needed to cross the boundary.

The core mechanism involves sampling perturbations from a proposal distribution, typically a Gaussian distribution orthogonal to the direction of the original input. A step is accepted only if the perturbed sample remains adversarial and is closer to the target. To escape local minima, the algorithm adjusts its step size dynamically and occasionally tests perpendicular perturbations that move along the boundary without reducing distance. This makes boundary attacks particularly effective against models that only expose a predicted class label, such as cloud-based ML-as-a-Service APIs, where gradient information is entirely inaccessible.

Decision-Based Black-Box Adversarial Strategy

Key Characteristics of Boundary Attacks

Boundary attacks exploit only the final model decision to craft adversarial examples, starting from a large perturbation and iteratively reducing its magnitude while remaining on the adversarial side of the decision boundary.

01

Decision-Based Query Model

Unlike gradient-based attacks, boundary attacks require zero access to model internals or confidence scores. The attacker only observes the hard-label output—the final classification decision. This makes it effective against black-box deployments where only API predictions are exposed. The attack probes the decision boundary by testing whether perturbed inputs remain adversarial, requiring no knowledge of architecture, parameters, or training data.

02

Rejection Sampling Mechanism

The core algorithm uses rejection sampling to iteratively shrink the perturbation:

  • Start with a sample that is already adversarial (often pure noise or an unrelated image)
  • Propose a perturbation toward the original target input
  • If the proposal remains adversarial, accept it; otherwise, reject and try again
  • Gradually reduce the step size to converge toward the decision boundary This random walk along the boundary finds minimal adversarial perturbations without gradient information.
03

Convergence Properties

Boundary attacks exhibit asymptotic convergence to the minimum adversarial perturbation. The attack progressively reduces the L2 distance between the adversarial example and the original input. Key characteristics:

  • Initial progress is rapid when far from the boundary
  • Convergence slows exponentially near the boundary
  • Requires thousands to millions of queries for tight convergence
  • Performance depends on the proposal distribution and step size schedule
04

Comparison to Score-Based Attacks

Boundary attacks operate under stricter threat models than score-based methods:

  • Score-based: Attacker receives class probabilities or logits, enabling gradient estimation
  • Decision-based: Attacker receives only the predicted class label
  • Boundary attacks are more query-intensive but apply to a wider range of real-world systems
  • They bypass defenses that mask confidence scores while still returning hard labels
  • Often used as a baseline for evaluating the robustness of production APIs
05

Defensive Countermeasures

Defending against boundary attacks requires strategies beyond gradient obfuscation:

  • Query rate limiting: Restrict the number of API calls per user or session
  • Randomized smoothing: Certify robustness within a provable radius, making boundary convergence impossible
  • Adversarial training with decision-based attacks: Augment training data with boundary attack examples
  • Input reconstruction detection: Monitor for inputs that appear to be iteratively refined
  • Hard-label distillation: Train models to be robust specifically against decision-based queries
06

Real-World Applicability

Boundary attacks are particularly dangerous for publicly accessible ML APIs:

  • Cloud vision services that return only class labels
  • Content moderation systems with binary flag outputs
  • Authentication bypass scenarios where only accept/reject decisions leak
  • Brendel et al. (2018) demonstrated successful attacks on Clarifai and Google Cloud Vision
  • The attack requires no insider knowledge, making it a realistic threat model for external adversaries probing production systems
DECISION-BASED THREAT COMPARISON

Boundary Attack vs. Other Black-Box Attacks

A comparative analysis of the Boundary Attack against other prominent black-box adversarial attack methodologies based on threat model, query efficiency, and operational constraints.

FeatureBoundary AttackScore-Based AttackTransfer Attack

Threat Model

Decision-Based

Score-Based

Transfer-Based

Required Output

Hard-label class only

Confidence scores/logits

None (surrogate model)

Gradient Access

Query Efficiency

High (thousands of queries)

Moderate (hundreds of queries)

Zero (offline transfer)

Perturbation Magnitude

Minimal (converges to boundary)

Varies (optimization-dependent)

Varies (surrogate-dependent)

Stealth (Query Volume)

Low (high query count)

Moderate

High (no target queries)

Defense Evasion

Bypasses gradient masking

Vulnerable to gradient masking

Vulnerable to ensemble defenses

BOUNDARY ATTACK

Frequently Asked Questions

A decision-based black-box attack that starts from a large adversarial perturbation and iteratively reduces its magnitude while staying on the adversarial side of the decision boundary.

A Boundary Attack is a decision-based black-box adversarial attack that requires only the final hard-label prediction of a model to generate adversarial examples. Unlike gradient-based methods, it operates without access to model internals or confidence scores. The attack begins with a large, already-adversarial sample—often random noise or an unrelated image—and iteratively reduces its perturbation magnitude while performing a random walk along the decision boundary. At each step, the algorithm proposes a small perturbation from a suitable distribution, projects it onto a hypersphere centered on the target, and only accepts moves that keep the sample misclassified. This process gradually shrinks the distance to the original input while maintaining adversariality, effectively finding a minimal perturbation that crosses the boundary.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.