An Efficient Two-Stage Black-Box Sparse Adversarial Attack Method Based on Intelligent Optimization

Sparse adversarial attacks have attracted increasing attention due to the advantage of low attack costs by limiting the number of modified pixels. However, some sparse attacks assume full access to information from deep neural networks (DNNs), often necessitating a large number of queries, making them impractical. Other methods only constrain the number of perturbed pixels, regardless of the size of the individual perturbation to each pixel, resulting in easily detectable in vision. To overcome these issues, we propose a two-stage black-box sparse attack approach that efficiently generates adversarial examples with small distortions. The proposed method first employs sparse attacks to generate an initial improved perturbation vector that meets the confidence score threshold, using Genetic Algorithm (GA). Subsequently, the size of the initial sparse perturbation vector is optimized to identify the final adversarial example with smaller perturbations through the application of Particle Swarm Optimization (PSO). The experimental results demonstrate that our method can achieve attack success rates comparable to the state-of-the-art black-box sparse attack method within the same budget while introducing more imperceptible distortions. This holds for untargeted and targeted attacks on CIFAR-10 classifiers trained conventionally and adversarially.