Using targeted attack strategy allows us to include the randomness of the target label sampling. We choose Jester dataset as it generally takes few queries to attack Jester dataset, thussavingtesting time. GEO-TRAP can employ different kinds of geometric transformations in theTRANS-WARP function. Thisisdemonstrated bythefactthatGEO-TRAP'sgradients generally have larger cosine similarity with the ground truth gradients. Wedenote the probability score associated with this label aspy(x).

When compared to the image classification models, black-box adversarial attacks against video classification models have been largely understudied. This could be possible because, with video, the temporal dimension poses significant additional challenges in gradient estimation. Query-efficient black-box attacks rely on effectively estimated gradients towards maximizing the probability of misclassifying the target video. In this work, we demonstrate that such effective gradients can be searched for by parameterizing the temporal structure of the search space with geometric transformations. GEO-TRAP employs standard geometric transformation operations to reduce the search space for effective gradients into searching for a small group of parameters that define these operations.