This work addresses the problem of imperceptible adversarial attacks against deep neural networks (DNNs). We propose AdvAD, a novel attack framework that formulates adversarial perturbation as a parameter-free, nonparametric diffusion process—requiring no generative models or auxiliary neural networks—and iteratively optimizes perturbations solely via target-model gradients. Our key contribution is the first theoretical formalization of adversarial attacks as gradient-driven nonparametric diffusion, coupled with AdvAD-X, a rigorous verification framework designed to assess asymptotic attack performance. Evaluated on ImageNet-compatible datasets against four mainstream DNN architectures, AdvAD achieves a 99.9% average attack success rate, with an exceptionally low ℓ₂ perturbation norm of 1.34, a high PSNR of 49.74, and an SSIM of 0.9971—demonstrating substantial improvements in both stealthiness and efficacy over prior methods.

Imperceptible adversarial attacks aim to fool DNNs by adding imperceptible perturbation to the input data. Previous methods typically improve the imperceptibility of attacks by integrating common attack paradigms with specifically designed perception-based losses or the capabilities of generative models. In this paper, we propose Adversarial Attacks in Diffusion (AdvAD), a novel modeling framework distinct from existing attack paradigms. AdvAD innovatively conceptualizes attacking as a non-parametric diffusion process by theoretically exploring basic modeling approach rather than using the denoising or generation abilities of regular diffusion models requiring neural networks. At each step, much subtler yet effective adversarial guidance is crafted using only the attacked model without any additional network, which gradually leads the end of diffusion process from the original image to a desired imperceptible adversarial example. Grounded in a solid theoretical foundation of the proposed non-parametric diffusion process, AdvAD achieves high attack efficacy and imperceptibility with intrinsically lower overall perturbation strength. Additionally, an enhanced version AdvAD-X is proposed to evaluate the extreme of our novel framework under an ideal scenario. Extensive experiments demonstrate the effectiveness of the proposed AdvAD and AdvAD-X. Compared with state-of-the-art imperceptible attacks, AdvAD achieves an average of 99.9$%$ (+17.3$%$) ASR with 1.34 (-0.97) $l_2$ distance, 49.74 (+4.76) PSNR and 0.9971 (+0.0043) SSIM against four prevalent DNNs with three different architectures on the ImageNet-compatible dataset. Code is available at https://github.com/XianguiKang/AdvAD.