{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,9]],"date-time":"2026-05-09T17:18:12Z","timestamp":1778347092605,"version":"3.51.4"},"reference-count":46,"publisher":"MDPI AG","issue":"2","license":[{"start":{"date-parts":[[2023,1,22]],"date-time":"2023-01-22T00:00:00Z","timestamp":1674345600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/501100012166","name":"National Key R&D Program of China","doi-asserted-by":"publisher","award":["2018YFC1604000"],"award-info":[{"award-number":["2018YFC1604000"]}],"id":[{"id":"10.13039\/501100012166","id-type":"DOI","asserted-by":"publisher"}]},{"name":"Wuhan University Specific Fund for Major School-level International Initiatives","award":["2018YFC1604000"],"award-info":[{"award-number":["2018YFC1604000"]}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Entropy"],"abstract":"The research on image-classification-adversarial attacks is crucial in the realm of artificial intelligence (AI) security. Most of the image-classification-adversarial attack methods are for white-box settings, demanding target model gradients and network architectures, which is less practical when facing real-world cases. However, black-box adversarial attacks immune to the above limitations and reinforcement learning (RL) seem to be a feasible solution to explore an optimized evasion policy. Unfortunately, existing RL-based works perform worse than expected in the attack success rate. In light of these challenges, we propose an ensemble-learning-based adversarial attack (ELAA) targeting image-classification models which aggregate and optimize multiple reinforcement learning (RL) base learners, which further reveals the vulnerabilities of learning-based image-classification models. Experimental results show that the attack success rate for the ensemble model is about 35% higher than for a single model. The attack success rate of ELAA is 15% higher than those of the baseline methods.<\/jats:p>","DOI":"10.3390\/e25020215","type":"journal-article","created":{"date-parts":[[2023,1,23]],"date-time":"2023-01-23T02:27:45Z","timestamp":1674440865000},"page":"215","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":6,"title":["ELAA: An Ensemble-Learning-Based Adversarial Attack Targeting Image-Classification Model"],"prefix":"10.3390","volume":"25","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-1710-547X","authenticated-orcid":false,"given":"Zhongwang","family":"Fu","sequence":"first","affiliation":[{"name":"Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, Wuhan 430001, China"},{"name":"School of Cyber Science and Engineering, Wuhan University, Wuhan 430001, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6079-009X","authenticated-orcid":false,"given":"Xiaohui","family":"Cui","sequence":"additional","affiliation":[{"name":"Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, Wuhan 430001, China"},{"name":"School of Cyber Science and Engineering, Wuhan University, Wuhan 430001, China"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"1968","published-online":{"date-parts":[[2023,1,22]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","unstructured":"Zhong, N., Qian, Z., and Zhang, X. (2021, January 5\u20139). Undetectable adversarial examples based on microscopical regularization. Proceedings of the 2021 IEEE International Conference on Multimedia and Expo (ICME), Shenzhen, China.","DOI":"10.1109\/ICME51207.2021.9428316"},{"key":"ref_2","unstructured":"Athalye, A., Engstrom, L., Ilyas, A., and Kwok, K. (2018, January 10\u201315). Synthesizing robust adversarial examples. Proceedings of the International Conference on Machine Learning, PMLR, Stockholm Sweden."},{"key":"ref_3","unstructured":"Wu, L., Zhu, Z., Tai, C., and Ee, W. (2018). Understanding and enhancing the transferability of adversarial examples. arXiv."},{"key":"ref_4","unstructured":"Bhambri, S., Muku, S., Tulasi, A., and Buduru, A.B. (2019). A survey of black-box adversarial attacks on computer vision models. arXiv."},{"key":"ref_5","doi-asserted-by":"crossref","unstructured":"Chen, X., Weng, J., Deng, X., Luo, W., Lan, Y., and Tian, Q. (2021). Feature Distillation in Deep Attention Network Against Adversarial Examples. IEEE Trans. Neural Netw. Learn. Syst.","DOI":"10.1109\/TNNLS.2021.3113342"},{"key":"ref_6","unstructured":"Inkawhich, N., Liang, K.J., Carin, L., and Chen, Y. (2020). Transferable perturbations of deep feature distributions. arXiv."},{"key":"ref_7","doi-asserted-by":"crossref","first-page":"2805","DOI":"10.1109\/TNNLS.2018.2886017","article-title":"Adversarial examples: Attacks and defenses for deep learning","volume":"30","author":"Yuan","year":"2019","journal-title":"IEEE Trans. Neural Netw. Learn. Syst."},{"key":"ref_8","doi-asserted-by":"crossref","first-page":"332","DOI":"10.1016\/j.neucom.2018.08.009","article-title":"Evaluation of deep neural networks for traffic sign detection systems","volume":"316","year":"2018","journal-title":"Neurocomputing"},{"key":"ref_9","doi-asserted-by":"crossref","first-page":"4980","DOI":"10.1109\/JIOT.2020.3034899","article-title":"Targeted attention attack on deep learning models in road sign recognition","volume":"8","author":"Yang","year":"2020","journal-title":"IEEE Internet Things J."},{"key":"ref_10","unstructured":"Kurakin, A., Goodfellow, I.J., and Bengio, S. (2018). Artificial Intelligence Safety and Security, Chapman and Hall\/CRC."},{"key":"ref_11","unstructured":"Lee, M., and Kolter, Z. (2019). On physical adversarial patches for object detection. arXiv."},{"key":"ref_12","doi-asserted-by":"crossref","unstructured":"Chen, S.T., Cornelius, C., Martin, J., and Chau, D.H.P. (2018, January 13\u201317). Shapeshifter: Robust physical adversarial attack on faster r-cnn object detector. Proceedings of the Joint European Conference on Machine Learning and Knowledge Discovery in Databases, Bilbao, Spain.","DOI":"10.1007\/978-3-030-10925-7_4"},{"key":"ref_13","doi-asserted-by":"crossref","unstructured":"Zolfi, A., Kravchik, M., Elovici, Y., and Shabtai, A. (2021, January 20\u201325). The translucent patch: A physical and universal attack on object detectors. Proceedings of the IEEE\/CVF Conference on Computer Vision and Pattern Recognition, Nashville, TN, USA.","DOI":"10.1109\/CVPR46437.2021.01498"},{"key":"ref_14","doi-asserted-by":"crossref","unstructured":"Thys, S., Van Ranst, W., and Goedem\u00e9, T. (2019, January 15\u201320). Fooling automated surveillance cameras: Adversarial patches to attack person detection. Proceedings of the IEEE\/CVF Conference on Computer Vision and Pattern Recognition Workshops, Long Beach, CA, USA.","DOI":"10.1109\/CVPRW.2019.00012"},{"key":"ref_15","doi-asserted-by":"crossref","unstructured":"Xiao, Z., Gao, X., Fu, C., Dong, Y., Gao, W., Zhang, X., Zhou, J., and Zhu, J. (2021, January 20\u201325). Improving transferability of adversarial patches on face recognition with generative models. Proceedings of the IEEE\/CVF Conference on Computer Vision and Pattern Recognition, Nashville, TN, USA.","DOI":"10.1109\/CVPR46437.2021.01167"},{"key":"ref_16","doi-asserted-by":"crossref","unstructured":"Mingxing, D., Li, K., Xie, L., Tian, Q., and Xiao, B. (2021, January 20\u201324). Towards multiple black-boxes attack via adversarial example generation network. Proceedings of the 29th ACM International Conference on Multimedia, Virtual Event, China.","DOI":"10.1145\/3474085.3475542"},{"key":"ref_17","doi-asserted-by":"crossref","first-page":"9536","DOI":"10.1109\/TPAMI.2021.3126733","article-title":"Query-Efficient Black-box Adversarial Attacks Guided by a Transfer-based Prior","volume":"44","author":"Dong","year":"2022","journal-title":"IEEE Trans. Pattern Anal. Mach. Intell."},{"key":"ref_18","doi-asserted-by":"crossref","unstructured":"Co, K.T., Mu\u00f1oz-Gonz\u00e1lez, L., de Maupeou, S., and Lupu, E.C. (2019, January 11\u201315). Procedural noise adversarial examples for black-box attacks on deep convolutional networks. Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, London, UK.","DOI":"10.1145\/3319535.3345660"},{"key":"ref_19","doi-asserted-by":"crossref","unstructured":"Jia, S., Song, Y., Ma, C., and Yang, X. (2021, January 20\u201325). Iou attack: Towards temporally coherent black-box adversarial attack for visual object tracking. Proceedings of the IEEE\/CVF Conference on Computer Vision and Pattern Recognition, Nashville, TN, USA.","DOI":"10.1109\/CVPR46437.2021.00664"},{"key":"ref_20","unstructured":"Szegedy, C., Zaremba, W., Sutskever, I., Bruna, J., Erhan, D., Goodfellow, I., and Fergus, R. (2013). Intriguing properties of neural networks. arXiv."},{"key":"ref_21","doi-asserted-by":"crossref","unstructured":"Baluja, S., and Fischer, I. (2018, January 4\u20136). Learning to attack: Adversarial transformation networks. Proceedings of the AAAI Conference on Artificial Intelligence, New Orleans, LA, USA.","DOI":"10.1609\/aaai.v32i1.11672"},{"key":"ref_22","unstructured":"Goodfellow, I.J., Shlens, J., and Szegedy, C. (2014). Explaining and harnessing adversarial examples. arXiv."},{"key":"ref_23","unstructured":"Huang, Z., and Zhang, T. (2019). Black-box adversarial attack with transferable model-based embedding. arXiv."},{"key":"ref_24","unstructured":"Laidlaw, C., and Feizi, S. (2019, January 8\u201314). Functional adversarial attacks. Proceedings of the 33rd Conference on Neural Information Processing Systems (NeurIPS 2019), Vancouver, BC, Canada."},{"key":"ref_25","unstructured":"Ma, X., Li, B., Wang, Y., Erfani, S.M., Wijewickrema, S., Schoenebeck, G., Song, D., Houle, M.E., and Bailey, J. (2018). Characterizing adversarial subspaces using local intrinsic dimensionality. arXiv."},{"key":"ref_26","doi-asserted-by":"crossref","unstructured":"Chen, P.Y., Zhang, H., Sharma, Y., Yi, J., and Hsieh, C.J. (2017, January 3). Zoo: Zeroth order optimization based black-box attacks to deep neural networks without training substitute models. Proceedings of the 10th ACM Workshop on Artificial Intelligence and Security, Dallas, TX, USA.","DOI":"10.1145\/3128572.3140448"},{"key":"ref_27","doi-asserted-by":"crossref","unstructured":"Carlini, N., and Wagner, D. (2017, January 22\u201326). Towards evaluating the robustness of neural networks. Proceedings of the 2017 IEEE Symposium on Security and Privacy (SP), San Jose, CA, USA.","DOI":"10.1109\/SP.2017.49"},{"key":"ref_28","first-page":"949","article-title":"Natural evolution strategies","volume":"15","author":"Wierstra","year":"2014","journal-title":"J. Mach. Learn. Res."},{"key":"ref_29","unstructured":"Salimans, T., Ho, J., Chen, X., Sidor, S., and Sutskever, I. (2017). Evolution strategies as a scalable alternative to reinforcement learning. arXiv."},{"key":"ref_30","unstructured":"Ilyas, A., Engstrom, L., Athalye, A., and Lin, J. (2018, January 10\u201315). Black-box adversarial attacks with limited queries and information. Proceedings of the International Conference on Machine Learning, PMLR, Stockholm, Sweden."},{"key":"ref_31","unstructured":"Li, Y., Li, L., Wang, L., Zhang, T., and Gong, B. (2019, January 9\u201315). Nattack: Learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. Proceedings of the International Conference on Machine Learning, PMLR, Long Beach, CA, USA."},{"key":"ref_32","unstructured":"Ilyas, A., Engstrom, L., and Madry, A. (2018). Prior convictions: Black-box adversarial attacks with bandits and priors. arXiv."},{"key":"ref_33","doi-asserted-by":"crossref","unstructured":"Papernot, N., McDaniel, P., Goodfellow, I., Jha, S., Celik, Z.B., and Swami, A. (2017, January 2\u20136). Practical black-box attacks against machine learning. Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security, Abu Dhabi, United Arab Emirates.","DOI":"10.1145\/3052973.3053009"},{"key":"ref_34","doi-asserted-by":"crossref","first-page":"107184","DOI":"10.1016\/j.patcog.2019.107184","article-title":"Ensemble adversarial black-box attacks against deep learning systems","volume":"101","author":"Hang","year":"2020","journal-title":"Pattern Recognit."},{"key":"ref_35","doi-asserted-by":"crossref","unstructured":"Tsingenopoulos, I., Preuveneers, D., and Joosen, W. (2019, January 17\u201319). AutoAttacker: A reinforcement learning approach for black-box adversarial attacks. Proceedings of the 2019 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), Stockholm, Sweden.","DOI":"10.1109\/EuroSPW.2019.00032"},{"key":"ref_36","unstructured":"Perolat, J., Malinowski, M., Piot, B., and Pietquin, O. (2018). Playing the game of universal adversarial perturbations. arXiv."},{"key":"ref_37","unstructured":"Wang, Z., Wang, Y., and Wang, Y. (2021). Fooling Adversarial Training with Inducing Noise. arXiv."},{"key":"ref_38","doi-asserted-by":"crossref","unstructured":"Wang, X., Yang, Y., Deng, Y., and He, K. (2021, January 2\u20139). Adversarial training with fast gradient projection method against synonym substitution based text attacks. Proceedings of the AAAI Conference on Artificial Intelligence, Virtual.","DOI":"10.1609\/aaai.v35i16.17648"},{"key":"ref_39","doi-asserted-by":"crossref","first-page":"104021","DOI":"10.1016\/j.engappai.2020.104021","article-title":"Learning adversarial attack policies through multi-objective reinforcement learning","volume":"96","author":"Majadas","year":"2020","journal-title":"Eng. Appl. Artif. Intell."},{"key":"ref_40","doi-asserted-by":"crossref","unstructured":"Sun, Y., Wang, S., Tang, X., Hsieh, T.Y., and Honavar, V. (2020, January 20\u201324). Adversarial attacks on graph neural networks via node injections: A hierarchical reinforcement learning approach. Proceedings of the Web Conference 2020, Taipei, Taiwan.","DOI":"10.1145\/3366423.3380149"},{"key":"ref_41","doi-asserted-by":"crossref","unstructured":"Yang, C., Kortylewski, A., Xie, C., Cao, Y., and Yuille, A. (2020, January 23\u201328). Patchattack: A black-box texture-based attack with reinforcement learning. Proceedings of the European Conference on Computer Vision, Glasgow, UK.","DOI":"10.1007\/978-3-030-58574-7_41"},{"key":"ref_42","unstructured":"Sarkar, S., Mousavi, S., Babu, A.R., Gundecha, V., Ghorbanpour, S., and Shmakov, A.K. (2022, January 9). Measuring Robustness with Black-Box Adversarial Attack using Reinforcement Learning. Proceedings of the NeurIPS ML Safety Workshop, Virtual."},{"key":"ref_43","unstructured":"Chaubey, A., Agrawal, N., Barnwal, K., Guliani, K.K., and Mehta, P. (2020). Universal adversarial perturbations: A survey. arXiv."},{"key":"ref_44","doi-asserted-by":"crossref","first-page":"123","DOI":"10.1007\/BF00058655","article-title":"Bagging predictors","volume":"24","author":"Breiman","year":"1996","journal-title":"Mach. Learn."},{"key":"ref_45","unstructured":"Chaudhuri, K., and Salakhutdinov, R. (2019, January 9\u201315). Simple Black-box Adversarial Attacks. Proceedings of the 36th International Conference on Machine Learning, PMLR, Long Beach, CA, USA."},{"key":"ref_46","unstructured":"Tu, C.C., Ting, P., Chen, P.Y., Liu, S., Zhang, H., Yi, J., Hsieh, C.J., and Cheng, S.M. (February, January 27). Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. Proceedings of the AAAI Conference on Artificial Intelligence, Honolulu, HI, USA."}],"container-title":["Entropy"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1099-4300\/25\/2\/215\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,10]],"date-time":"2025-10-10T18:13:15Z","timestamp":1760119995000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1099-4300\/25\/2\/215"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,1,22]]},"references-count":46,"journal-issue":{"issue":"2","published-online":{"date-parts":[[2023,2]]}},"alternative-id":["e25020215"],"URL":"https:\/\/doi.org\/10.3390\/e25020215","relation":{},"ISSN":["1099-4300"],"issn-type":[{"value":"1099-4300","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,1,22]]}}}