Perception-Driven Imperceptible Adversarial Attack Against Decision-Based Black-Box Models

Adversarial examples (AEs) pose significant threats to deep neural networks (DNNs), as they can deceive models into making wrong predictions through craftily-designed perturbations. The emergence of decision-based attacks, which rely solely on the top-1 decision label, further increases risks for real-world black-box models. Currently, the prevailing practice for generating AEs in the decision-based setting involves penalizing adversarial perturbations with the $\ell _{p}$ -norm. However, this approach often overlooks the human perception of adversarial perturbations in real-world scenarios. To tackle this issue, we propose a novel and efficient Imperceptible Decision-based Black-box Attack (IDBA). Our method prioritizes optimizing the perception-related distribution of perturbations, rather than solely focusing on the $\ell _{p}$ -norm. Specifically, IDBA analyzes the perceptual preferences of both models and the human vision system, selectively perturbing components that influence model decisions yet remain imperceptible to human eyes. Extensive experiments demonstrate that IDBA outperforms the state-of-the-art methods in terms of invisibility and query efficiency. Notably, IDBA achieves a high Feature SIMilarity (FSIM) score of 0.92 with only 4,800 queries, while simultaneously reducing the Learned Perceptual Image Patch Similarity (LPIPS) to 0.12, showcasing its ability to remain imperceptible.