A boundary attack is a decision-based black-box adversarial attack that requires only the hard-label output of a model. Unlike gradient-based methods, it does not rely on confidence scores or model internals. The attack initializes with a sample already classified as adversarial—often a large, random perturbation—and then performs a random walk along the decision boundary. It iteratively proposes small steps toward the original target input, accepting moves that keep the sample adversarial while reducing the L2 distance to the original, effectively finding the minimal perturbation needed to cross the boundary.
Glossary
Boundary Attack

What is Boundary Attack?
A boundary attack is a black-box adversarial technique that operates solely on the final decision of a target model, starting from a large perturbation and iteratively reducing its magnitude while remaining on the adversarial side of the decision boundary.
The core mechanism involves sampling perturbations from a proposal distribution, typically a Gaussian distribution orthogonal to the direction of the original input. A step is accepted only if the perturbed sample remains adversarial and is closer to the target. To escape local minima, the algorithm adjusts its step size dynamically and occasionally tests perpendicular perturbations that move along the boundary without reducing distance. This makes boundary attacks particularly effective against models that only expose a predicted class label, such as cloud-based ML-as-a-Service APIs, where gradient information is entirely inaccessible.
Key Characteristics of Boundary Attacks
Boundary attacks exploit only the final model decision to craft adversarial examples, starting from a large perturbation and iteratively reducing its magnitude while remaining on the adversarial side of the decision boundary.
Decision-Based Query Model
Unlike gradient-based attacks, boundary attacks require zero access to model internals or confidence scores. The attacker only observes the hard-label output—the final classification decision. This makes it effective against black-box deployments where only API predictions are exposed. The attack probes the decision boundary by testing whether perturbed inputs remain adversarial, requiring no knowledge of architecture, parameters, or training data.
Rejection Sampling Mechanism
The core algorithm uses rejection sampling to iteratively shrink the perturbation:
- Start with a sample that is already adversarial (often pure noise or an unrelated image)
- Propose a perturbation toward the original target input
- If the proposal remains adversarial, accept it; otherwise, reject and try again
- Gradually reduce the step size to converge toward the decision boundary This random walk along the boundary finds minimal adversarial perturbations without gradient information.
Convergence Properties
Boundary attacks exhibit asymptotic convergence to the minimum adversarial perturbation. The attack progressively reduces the L2 distance between the adversarial example and the original input. Key characteristics:
- Initial progress is rapid when far from the boundary
- Convergence slows exponentially near the boundary
- Requires thousands to millions of queries for tight convergence
- Performance depends on the proposal distribution and step size schedule
Comparison to Score-Based Attacks
Boundary attacks operate under stricter threat models than score-based methods:
- Score-based: Attacker receives class probabilities or logits, enabling gradient estimation
- Decision-based: Attacker receives only the predicted class label
- Boundary attacks are more query-intensive but apply to a wider range of real-world systems
- They bypass defenses that mask confidence scores while still returning hard labels
- Often used as a baseline for evaluating the robustness of production APIs
Defensive Countermeasures
Defending against boundary attacks requires strategies beyond gradient obfuscation:
- Query rate limiting: Restrict the number of API calls per user or session
- Randomized smoothing: Certify robustness within a provable radius, making boundary convergence impossible
- Adversarial training with decision-based attacks: Augment training data with boundary attack examples
- Input reconstruction detection: Monitor for inputs that appear to be iteratively refined
- Hard-label distillation: Train models to be robust specifically against decision-based queries
Real-World Applicability
Boundary attacks are particularly dangerous for publicly accessible ML APIs:
- Cloud vision services that return only class labels
- Content moderation systems with binary flag outputs
- Authentication bypass scenarios where only accept/reject decisions leak
- Brendel et al. (2018) demonstrated successful attacks on Clarifai and Google Cloud Vision
- The attack requires no insider knowledge, making it a realistic threat model for external adversaries probing production systems
Boundary Attack vs. Other Black-Box Attacks
A comparative analysis of the Boundary Attack against other prominent black-box adversarial attack methodologies based on threat model, query efficiency, and operational constraints.
| Feature | Boundary Attack | Score-Based Attack | Transfer Attack |
|---|---|---|---|
Threat Model | Decision-Based | Score-Based | Transfer-Based |
Required Output | Hard-label class only | Confidence scores/logits | None (surrogate model) |
Gradient Access | |||
Query Efficiency | High (thousands of queries) | Moderate (hundreds of queries) | Zero (offline transfer) |
Perturbation Magnitude | Minimal (converges to boundary) | Varies (optimization-dependent) | Varies (surrogate-dependent) |
Stealth (Query Volume) | Low (high query count) | Moderate | High (no target queries) |
Defense Evasion | Bypasses gradient masking | Vulnerable to gradient masking | Vulnerable to ensemble defenses |
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Frequently Asked Questions
A decision-based black-box attack that starts from a large adversarial perturbation and iteratively reduces its magnitude while staying on the adversarial side of the decision boundary.
A Boundary Attack is a decision-based black-box adversarial attack that requires only the final hard-label prediction of a model to generate adversarial examples. Unlike gradient-based methods, it operates without access to model internals or confidence scores. The attack begins with a large, already-adversarial sample—often random noise or an unrelated image—and iteratively reduces its perturbation magnitude while performing a random walk along the decision boundary. At each step, the algorithm proposes a small perturbation from a suitable distribution, projects it onto a hypersphere centered on the target, and only accepts moves that keep the sample misclassified. This process gradually shrinks the distance to the original input while maintaining adversariality, effectively finding a minimal perturbation that crosses the boundary.
Related Terms
Master the landscape of adversarial machine learning. These concepts are essential for understanding the mechanics, defenses, and limitations of decision-based attacks like the Boundary Attack.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us