{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,19]],"date-time":"2026-01-19T10:07:30Z","timestamp":1768817250687,"version":"3.49.0"},"reference-count":68,"publisher":"Association for Computing Machinery (ACM)","issue":"2","license":[{"start":{"date-parts":[[2025,3,7]],"date-time":"2025-03-07T00:00:00Z","timestamp":1741305600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Priv. Secur."],"published-print":{"date-parts":[[2025,5,31]]},"abstract":"<jats:p>\n            We investigate the vulnerability of inputs in an adversarial setting and demonstrate that certain samples are more susceptible to adversarial perturbations compared to others. Specifically, we employ a simple yet effective approach to quantify the adversarial vulnerability of inputs, which relies on the\n            <jats:italic>clipped<\/jats:italic>\n            gradients of the loss with respect to the input. Our observations indicate that inputs with a low percentage of zero gradient components tend to be more vulnerable to attacks. These findings are supported by a theoretical explanation on a linear model and empirical evidence on deep neural networks. Across all datasets we tested, we find that inputs with the lowest zero gradient percentage, on average, exhibit 34.5% more susceptibility to adversarial attacks than randomly selected inputs. Additionally, we demonstrate that the zero gradient percentage, as a metric, transfers across different model architectures. Finally, we propose a novel black-box attack pipeline that enhances the efficiency of conventional query-based black-box attacks and show that input pre-filtering based on Zero Gradient Percentage can boost the attack success rates, particularly under low perturbation levels. 
On average, across all datasets we test, our approach outperforms the conventional shadow model-based and query-based black-box attack pipelines by 44.9% and 30.4%, respectively.\n          <\/jats:p>","DOI":"10.1145\/3716384","type":"journal-article","created":{"date-parts":[[2025,2,6]],"date-time":"2025-02-06T07:33:37Z","timestamp":1738827217000},"page":"1-30","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":1,"title":["Quantifying and Exploiting Adversarial Vulnerability: Gradient-Based Input Pre-Filtering for Enhanced Performance in Black-Box Attacks"],"prefix":"10.1145","volume":"28","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-7081-2958","authenticated-orcid":false,"given":"Naveen","family":"Karunanayake","sequence":"first","affiliation":[{"name":"The University of Sydney School of Computer Science, Sydney, Australia"}]},{"ORCID":"https:\/\/orcid.org\/0009-0000-6558-6514","authenticated-orcid":false,"given":"Bhanuka","family":"Silva","sequence":"additional","affiliation":[{"name":"The University of Sydney School of Computer Science, Sydney, Australia"}]},{"ORCID":"https:\/\/orcid.org\/0009-0004-0479-1767","authenticated-orcid":false,"given":"Yasod","family":"Ginige","sequence":"additional","affiliation":[{"name":"The University of Sydney School of Computer Science, Sydney, Australia"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5485-5595","authenticated-orcid":false,"given":"Suranga","family":"Seneviratne","sequence":"additional","affiliation":[{"name":"The University of Sydney School of Computer Science, Sydney, Australia"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8102-2572","authenticated-orcid":false,"given":"Sanjay","family":"Chawla","sequence":"additional","affiliation":[{"name":"Qatar Computing Research Institute, Doha, 
Qatar"}]}],"member":"320","published-online":{"date-parts":[[2025,3,7]]},"reference":[{"key":"e_1_3_2_2_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-58592-1_29"},{"key":"e_1_3_2_3_2","unstructured":"Anish Athalye Nicholas Carlini and David Wagner. 2018. Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. arXiv:1802.00420. Retrieved from https:\/\/arxiv.org\/abs\/1802.00420"},{"key":"e_1_3_2_4_2","doi-asserted-by":"publisher","DOI":"10.3390\/info10040122"},{"key":"e_1_3_2_5_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-01258-8_10"},{"key":"e_1_3_2_6_2","article-title":"A survey of black-box adversarial attacks on computer vision models","author":"Bhambri Siddhant","year":"2019","unstructured":"Siddhant Bhambri, Sumanyu Muku, Avinash Tulasi, and Arun Balaji Buduru. 2019. A survey of black-box adversarial attacks on computer vision models. arXiv:1912.01667. Retrieved from https:\/\/arxiv.org\/abs\/1912.01667","journal-title":"arXiv:1912.01667"},{"key":"e_1_3_2_7_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.49"},{"key":"e_1_3_2_8_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2019.04.014"},{"key":"e_1_3_2_9_2","doi-asserted-by":"publisher","DOI":"10.1145\/3128572.3140448"},{"key":"e_1_3_2_10_2","unstructured":"Minhao Cheng Thong Le Pin-Yu Chen Jinfeng Yi Huan Zhang and Cho-Jui Hsieh. 2018. Query-efficient hard-label black-box attack: An optimization-based approach. arXiv:1807.04457. Retrieved from https:\/\/arxiv.org\/abs\/1807.04457"},{"key":"e_1_3_2_11_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.dss.2009.05.016"},{"key":"e_1_3_2_12_2","unstructured":"Francesco Croce Maksym Andriushchenko Naman D. Singh Nicolas Flammarion and Matthias Hein. 2020. Sparse-RS: A versatile framework for query-efficient sparse black-box adversarial attacks. arXiv:2006.12834. 
Retrieved from https:\/\/arxiv.org\/abs\/2006.12834"},{"key":"e_1_3_2_13_2","volume-title":"Proceedings of the 37th International Conference on Machine Learning (ICML\u201920)","author":"Croce Francesco","year":"2020","unstructured":"Francesco Croce and Matthias Hein. 2020. Minimally distorted adversarial examples with a fast adaptive boundary attack. In Proceedings of the 37th International Conference on Machine Learning (ICML\u201920). JMLR.org, Article 205, 10 pages."},{"key":"e_1_3_2_14_2","doi-asserted-by":"publisher","DOI":"10.5555\/3524938.3525144"},{"issue":"6","key":"e_1_3_2_15_2","doi-asserted-by":"crossref","DOI":"10.1109\/MSP.2012.2211477","article-title":"The MNIST database of handwritten digit images for machine learning research","volume":"29","author":"Deng Li","year":"2012","unstructured":"Li Deng. 2012. The MNIST database of handwritten digit images for machine learning research. IEEE Sign. Process. Mag. 29, 6 (2012).","journal-title":"IEEE Sign. Process. Mag."},{"key":"e_1_3_2_16_2","article-title":"Bert: Pre-training of deep bidirectional transformers for language understanding","author":"Devlin Jacob","year":"2018","unstructured":"Jacob Devlin, Ming-Wei Chang, Kenton Lee, and Kristina Toutanova. 2018. Bert: Pre-training of deep bidirectional transformers for language understanding. arXiv:1810.04805. Retrieved from https:\/\/arxiv.org\/abs\/1810.04805","journal-title":"arXiv:1810.04805"},{"key":"e_1_3_2_17_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.knosys.2021.107102"},{"key":"e_1_3_2_18_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2018.00957"},{"key":"e_1_3_2_19_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2019.00444"},{"key":"e_1_3_2_20_2","unstructured":"Dheeru Dua and Casey Graff. 2017. UCI Machine Learning Repository. 
Retrieved from http:\/\/archive.ics.uci.edu\/ml"},{"key":"e_1_3_2_21_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2018.00175"},{"key":"e_1_3_2_22_2","article-title":"Explaining and harnessing adversarial examples","author":"Goodfellow Ian J.","year":"2014","unstructured":"Ian J. Goodfellow, Jonathon Shlens, and Christian Szegedy. 2014. Explaining and harnessing adversarial examples. arXiv:1412.6572. Retrieved from https:\/\/arxiv.org\/abs\/1412.6572","journal-title":"arXiv:1412.6572"},{"key":"e_1_3_2_23_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.90"},{"key":"e_1_3_2_24_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV.2017.300"},{"key":"e_1_3_2_25_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.patcog.2022.108824"},{"key":"e_1_3_2_26_2","doi-asserted-by":"publisher","DOI":"10.1007\/s13347-023-00606-x"},{"key":"e_1_3_2_27_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.compag.2020.105507"},{"key":"e_1_3_2_28_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR42600.2020.01426"},{"key":"e_1_3_2_29_2","unstructured":"Alex Krizhevsky Vinod Nair and Geoffrey Hinton. 2009. CIFAR-10 (Canadian Institute for Advanced Research). Retrieved from http:\/\/www.cs.toronto.edu\/kriz\/cifar.html"},{"key":"e_1_3_2_30_2","article-title":"Adversarial machine learning at scale","author":"Kurakin Alexey","year":"2016","unstructured":"Alexey Kurakin, Ian Goodfellow, and Samy Bengio. 2016. Adversarial machine learning at scale. arXiv:1611.01236. Retrieved from https:\/\/arxiv.org\/abs\/1611.01236","journal-title":"arXiv:1611.01236"},{"key":"e_1_3_2_31_2","doi-asserted-by":"publisher","DOI":"10.1201\/9781351251389-8"},{"key":"e_1_3_2_32_2","article-title":"Bert-attack: Adversarial attack against bert using bert","author":"Li Linyang","year":"2020","unstructured":"Linyang Li, Ruotian Ma, Qipeng Guo, Xiangyang Xue, and Xipeng Qiu. 2020. Bert-attack: Adversarial attack against bert using bert. arXiv:2004.09984. 
Retrieved from https:\/\/arxiv.org\/abs\/2004.09984","journal-title":"arXiv:2004.09984"},{"key":"e_1_3_2_33_2","article-title":"Hard adversarial example mining for improving robust fairness","author":"Lin Chenhao","year":"2023","unstructured":"Chenhao Lin, Xiang Ji, Yulong Yang, Qian Li, Chao Shen, Run Wang, and Liming Fang. 2023. Hard adversarial example mining for improving robust fairness. arXiv:2308.01823. Retrieved from https:\/\/arxiv.org\/abs\/2308.01823","journal-title":"arXiv:2308.01823"},{"key":"e_1_3_2_34_2","article-title":"Delving into transferable adversarial examples and black-box attacks","author":"Liu Yanpei","year":"2016","unstructured":"Yanpei Liu, Xinyun Chen, Chang Liu, and Dawn Song. 2016. Delving into transferable adversarial examples and black-box attacks. arXiv:1611.02770. Retrieved from https:\/\/arxiv.org\/abs\/1611.02770","journal-title":"arXiv:1611.02770"},{"key":"e_1_3_2_35_2","article-title":"Jailbreaking chatgpt via prompt engineering: An empirical study","author":"Liu Yi","year":"2023","unstructured":"Yi Liu, Gelei Deng, Zhengzi Xu, Yuekang Li, Yaowen Zheng, Ying Zhang, Lida Zhao, Tianwei Zhang, and Yang Liu. 2023. Jailbreaking chatgpt via prompt engineering: An empirical study. arXiv:2305.13860. Retrieved from https:\/\/arxiv.org\/abs\/2305.13860","journal-title":"arXiv:2305.13860"},{"key":"e_1_3_2_36_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR46437.2021.01166"},{"key":"e_1_3_2_37_2","article-title":"Towards deep learning models resistant to adversarial attacks","author":"Madry Aleksander","year":"2017","unstructured":"Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris Tsipras, and Adrian Vladu. 2017. Towards deep learning models resistant to adversarial attacks. arXiv:1706.06083. 
Retrieved from https:\/\/arxiv.org\/abs\/1706.06083","journal-title":"arXiv:1706.06083"},{"key":"e_1_3_2_38_2","article-title":"Efficient estimation of word representations in vector space","author":"Mikolov Tomas","year":"2013","unstructured":"Tomas Mikolov, Kai Chen, Greg Corrado, and Jeffrey Dean. 2013. Efficient estimation of word representations in vector space. arXiv:1301.3781. Retrieved from https:\/\/arxiv.org\/abs\/1301.3781","journal-title":"arXiv:1301.3781"},{"key":"e_1_3_2_39_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.282"},{"key":"e_1_3_2_40_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2017.17"},{"key":"e_1_3_2_41_2","doi-asserted-by":"publisher","DOI":"10.1016\/B978-0-12-821229-5.00011-2"},{"key":"e_1_3_2_42_2","volume-title":"NIPS Workshop on Deep Learning and Unsupervised Feature Learning","author":"Netzer Yuval","year":"2011","unstructured":"Yuval Netzer, Tao Wang, Adam Coates, Alessandro Bissacco, Bo Wu, and Andrew Y. Ng. 2011. Reading digits in natural images with unsupervised feature learning. In NIPS Workshop on Deep Learning and Unsupervised Feature Learning."},{"key":"e_1_3_2_43_2","volume-title":"Proceedings of the ACM ASIA Conference on Computer and Communications Security (CCS\u201917)","author":"Papernot Nicolas","unstructured":"Nicolas Papernot, Patrick McDaniel, Ian Goodfellow, Somesh Jha, Z. Berkay Celik, and Ananthram Swami. 2017. Practical black-box attacks against machine learning. In Proceedings of the ACM ASIA Conference on Computer and Communications Security (CCS\u201917)."},{"key":"e_1_3_2_44_2","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP.2016.36"},{"key":"e_1_3_2_45_2","doi-asserted-by":"publisher","DOI":"10.3115\/v1\/D14-1162"},{"key":"e_1_3_2_46_2","article-title":"Visual adversarial examples jailbreak large language models","author":"Qi Xiangyu","year":"2023","unstructured":"Xiangyu Qi, Kaixuan Huang, Ashwinee Panda, Mengdi Wang, and Prateek Mittal. 2023. 
Visual adversarial examples jailbreak large language models. arXiv:2306.13213. Retrieved from https:\/\/arxiv.org\/abs\/2306.13213","journal-title":"arXiv:2306.13213"},{"key":"e_1_3_2_47_2","unstructured":"Alec Radford Karthik Narasimhan Tim Salimans Ilya Sutskever et\u00a0al. 2018. Improving language understanding by generative pre-training."},{"key":"e_1_3_2_48_2","article-title":"Identifying adversarially attackable and robust samples","author":"Raina Vyas","year":"2023","unstructured":"Vyas Raina and Mark Gales. 2023. Identifying adversarially attackable and robust samples. arXiv:2301.12896. Retrieved from https:\/\/arxiv.org\/abs\/2301.12896","journal-title":"arXiv:2301.12896"},{"key":"e_1_3_2_49_2","doi-asserted-by":"publisher","DOI":"10.23919\/ACC.2017.7963716"},{"key":"e_1_3_2_50_2","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/P19-1103"},{"key":"e_1_3_2_51_2","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978392"},{"key":"e_1_3_2_52_2","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978392"},{"key":"e_1_3_2_53_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2019.00668"},{"key":"e_1_3_2_54_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR52688.2022.01333"},{"key":"e_1_3_2_55_2","article-title":"Principle-driven self-alignment of language models from scratch with minimal human supervision","author":"Sun Zhiqing","year":"2023","unstructured":"Zhiqing Sun, Yikang Shen, Qinhong Zhou, Hongxin Zhang, Zhenfang Chen, David Cox, Yiming Yang, and Chuang Gan. 2023. Principle-driven self-alignment of language models from scratch with minimal human supervision. arXiv:2305.03047. Retrieved from https:\/\/arxiv.org\/abs\/2305.03047","journal-title":"arXiv:2305.03047"},{"key":"e_1_3_2_56_2","first-page":"1327","volume-title":"Proceedings of the 29th USENIX Security Symposium (USENIX Security\u201920)","author":"Suya Fnu","year":"2020","unstructured":"Fnu Suya, Jianfeng Chi, David Evans, and Yuan Tian. 2020. 
Hybrid batch attacks: Finding black-box adversarial examples with limited queries. In Proceedings of the 29th USENIX Security Symposium (USENIX Security\u201920). 1327\u20131344."},{"key":"e_1_3_2_57_2","volume-title":"Proceedings of the NATO Big Data and Artificial Intelligence for Military Decision Making Specialists\u2019 Meeting","volume":"1","author":"Svenmarck Peter","year":"2018","unstructured":"Peter Svenmarck, Linus Luotsinen, Mattias Nilsson, and Johan Schubert. 2018. Possibilities and challenges for artificial intelligence in military applications. In Proceedings of the NATO Big Data and Artificial Intelligence for Military Decision Making Specialists\u2019 Meeting 1 (2018)."},{"key":"e_1_3_2_58_2","article-title":"Intriguing properties of neural networks","author":"Szegedy Christian","year":"2013","unstructured":"Christian Szegedy, Wojciech Zaremba, Ilya Sutskever, Joan Bruna, Dumitru Erhan, Ian Goodfellow, and Rob Fergus. 2013. Intriguing properties of neural networks. arXiv:1312.6199. Retrieved from https:\/\/arxiv.org\/abs\/1312.6199","journal-title":"arXiv:1312.6199"},{"key":"e_1_3_2_59_2","series-title":"Proceedings of Machine Learning Research","first-page":"6105","volume-title":"Proceedings of the 36th International Conference on Machine Learning","volume":"97","author":"Tan Mingxing","year":"2019","unstructured":"Mingxing Tan and Quoc Le. 2019. EfficientNet: Rethinking model scaling for convolutional neural networks. In Proceedings of the 36th International Conference on Machine Learning(Proceedings of Machine Learning Research, Vol. 97), Kamalika Chaudhuri and Ruslan Salakhutdinov (Eds.). PMLR, 6105\u20136114."},{"key":"e_1_3_2_60_2","unstructured":"Ya Le and Xuan S. Yang. 2015. 
Tiny ImageNet Visual Recognition Challenge."},{"key":"e_1_3_2_61_2","article-title":"Exploring and exploiting decision boundary dynamics for adversarial robustness","author":"Xu Yuancheng","year":"2023","unstructured":"Yuancheng Xu, Yanchao Sun, Micah Goldblum, Tom Goldstein, and Furong Huang. 2023. Exploring and exploiting decision boundary dynamics for adversarial robustness. arXiv:2302.03015 (2023). Retrieved from https:\/\/arxiv.org\/abs\/2302.03015","journal-title":"arXiv:2302.03015"},{"key":"e_1_3_2_62_2","article-title":"Word-level textual adversarial attacking as combinatorial optimization","author":"Zang Yuan","year":"2019","unstructured":"Yuan Zang, Fanchao Qi, Chenghao Yang, Zhiyuan Liu, Meng Zhang, Qun Liu, and Maosong Sun. 2019. Word-level textual adversarial attacking as combinatorial optimization. arXiv:1910.12196. Retrieved from https:\/\/arxiv.org\/abs\/1910.12196","journal-title":"arXiv:1910.12196"},{"key":"e_1_3_2_63_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-10590-1_53"},{"key":"e_1_3_2_64_2","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v35i12.17292"},{"key":"e_1_3_2_65_2","doi-asserted-by":"crossref","unstructured":"Pu Zhao Pin-Yu Chen Siyue Wang and Xue Lin. 2020. Towards query-efficient black-box adversary with zeroth-order natural gradient descent. arXiv:2002.07891. Retrieved from https:\/\/arxiv.org\/abs\/2002.07891","DOI":"10.1609\/aaai.v34i04.6173"},{"key":"e_1_3_2_66_2","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2020.3036801"},{"key":"e_1_3_2_67_2","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2020.3036801"},{"key":"e_1_3_2_68_2","unstructured":"Zhe Zhou Di Tang Xiaofeng Wang Weili Han Xiangyu Liu and Kehuan Zhang. 2018. Invisible mask: Practical attacks on face recognition with infrared. arxiv:1803.04683 [cs.CR]. 
Retrieved from https:\/\/arxiv.org\/abs\/1803.04683"},{"key":"e_1_3_2_69_2","article-title":"Minigpt-4: Enhancing vision-language understanding with advanced large language models","author":"Zhu Deyao","year":"2023","unstructured":"Deyao Zhu, Jun Chen, Xiaoqian Shen, Xiang Li, and Mohamed Elhoseiny. 2023. Minigpt-4: Enhancing vision-language understanding with advanced large language models. arXiv:2304.10592. Retrieved from https:\/\/arxiv.org\/abs\/2304.10592","journal-title":"arXiv:2304.10592"}],"container-title":["ACM Transactions on Privacy and Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3716384","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3716384","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T18:43:43Z","timestamp":1750272223000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3716384"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,3,7]]},"references-count":68,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2025,5,31]]}},"alternative-id":["10.1145\/3716384"],"URL":"https:\/\/doi.org\/10.1145\/3716384","relation":{},"ISSN":["2471-2566","2471-2574"],"issn-type":[{"value":"2471-2566","type":"print"},{"value":"2471-2574","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,3,7]]},"assertion":[{"value":"2023-07-06","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-01-30","order":2,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-03-07","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}