PISA: Pixel skipping-based attentional black-box adversarial attack

The studies on black-box and evolutionary algorithm-based adversarial attacks have become increasingly popular due to the intractable acquisition of the structural knowledge of deep neural networks (DNNs). However, the performance of these emerging attacks is negatively impacted when fooling DNNs tailored for high-resolution images. One of the explanations is that they usually focus on attacking the entire im-age, regardless of its spatial semantic information, and thereby encounter the notorious curse of dimen-sionality. To this end, we propose a pixel skipping and evolutionary algorithm-based attentional black-box adversarial attack, termed PISA. In PISA, only one of every two neighboring pixels in the salient region is recognized as the target by leveraging the attention map and pixel skipping, such that the dimen-sion of the black-box attack reduces. After that, PISA allows the embedding of an arbitrary multiobjective evolutionary algorithm, which is employed to traverse the reduced pixels and finally generates effective perturbations that are imperceptible by human vision. Extensive experimental results have demonstrated that the proposed PISA is more competitive in attacking high-resolution images than existing black-box and evolutionary algorithm-based attacks. (c) 2022 Elsevier Ltd. All rights reserved.