Space-Constrained Random Sparse Adversarial Attack

Adversarial attacks aim to deceive deep neural networks (DNNs) by introducing carefully designed perturbations. Traditional black-box methods often produce large-scale perturbations, reducing their practicality in real-world scenarios. Asa result, sparse adversarial attacks emerged to improve invisibility and effectiveness by minimizing the number of disturbed pixels, but a major challenge lies in balancing sparsity with attack success. To address this challenge, we propose a novel Space-Constrained Random Sparse Adversarial Attack (SRSA), which focuses on space most influential to the model's decision-making process. SRSA employs a weighted sampling strategy to dynamically update perturbation scores for each space, prioritizing areas with higher impact. A heuristic search algorithm is then applied to precisely target pixels within the selected space, achieving both sparsity and effectiveness. Experimental results demonstrate that SRSA outperforms state-of-theart black-box sparse adversarial attacks, such as Sparse-RS, SA-MOO, SAPF, and Homotopy Attack, on DNNs trained on ImageNet. Specifically, SRSA reduces the perturbation range and magnitude by approximately 20% compared to baseline methods. Moreover, compared to the optimal query-based black-box attack method, Square Attack, SRSA achieves a higher attack success rate while modifying 30% fewer pixels. These results demonstrate that SRSA enhances attack efficiency and effectiveness by incorporating local information into the perturbation search process.